> On Aug 31, 2018, at 9:14 PM, Jordan Brown <open...@jordan.maileater.net> 
> wrote:
> 
> We're trying to nail down error reporting for TLS version mismatches, and 
> we're seeing a couple of puzzling behaviors.
> 
> First, and most puzzling... assume these two command lines:
> 
> $ openssl s_server -cert 2018.08.31.a.pem -key 2018.08.31.a.key -no_tls1

This disables TLS 1.0 on the server, and if SSL 3.0 is supported at compile 
time,
leaves the server willing to do SSL 3.0 or TLS 1.1 and up.

> $ openssl s_client -connect zel.us.oracle.com:4433 -tls1

This configures the client to do TLS 1.0 only via the version-specific
TLS1_client_method(), which DOES NOT support version negotiation.  It
is NOT equivalent in some subtle ways to:

  $ openssl s_client -connect zel.us.oracle.com:4433 -no_ssl3 -no_tls1_1 
-no_tls1_2

That said, in either case the client sends "TLS 1.0" is its "maximum" protocol
version in its TLS client HELLO (the TLS 1.0 protocol does not support sending
a supported version list).

> That is, I have a server that won't accept TLSv1.0, and a client that will 
> only accept TLSv1.0.

No, more precisely, you have a version-flexible server, that does not accept 1.0
and a *fixed-version* client that only supports 1.0.

What happens at that point depends on whether SSL 3.0 has been disabled on the 
server,
or not.  If SSL 3.0 is not disabled on the server (at compile time or by other 
means),
then seeing TLS 1.0 as the client's max version, the server will respond with 
SSL 3.0.
The client however, is not in a negotiating mood, and it will send a handshake 
failure
alert:

  SSL_connect:SSLv3 write client hello A
  SSL3 alert write:fatal:handshake failure
  SSL_connect:error in SSLv3 read server hello A
  140735512441800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:365:

and on the server side you'll see:

  SSL_accept:before/accept initialization
  SSL_accept:SSLv3 read client hello A
  SSL_accept:SSLv3 write server hello A
  SSL_accept:SSLv3 write key exchange A
  SSL_accept:SSLv3 write server done A
  SSL_accept:SSLv3 flush data
  SSL_accept:SSLv3 read client certificate A
  SSL3 alert read:fatal:handshake failure
  SSL_accept:failed in SSLv3 read client key exchange A
  ERROR
  140735512441800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert 
handshake failure:s3_pkt.c:1498:SSL alert number 40

If, on the other hand, you *also* disable SSL 3.0 on the server, then seeing
a maxim version or TLS 1.0 from the client, but with TLS 1.0 disabled the
server wants SSL 3.0, but that's also unavailable.  For better or worse,
OpenSSL is unable with respond with a TLS 1.0 alert (TLS 1.0 is off), nor
SSL 3.0, so it simply fails:

  SSL_accept:before/accept initialization
  SSL_accept:error in SSLv2/v3 read client hello A
  ERROR
  140735512441800:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown 
protocol:s23_srvr.c:643:
  shutting down SSL

The client's view of this is:

  SSL_connect:before/connect initialization
  SSL_connect:SSLv3 write client hello A
  SSL_connect:failed in SSLv3 read server hello A
  140735512441800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake 
failure:s3_pkt.c:659:

You might argue that would should be able to send a TLS 1.0 fatal alert even
with TLS 1.0 disabled, but that's not how the OpenSSL 1.0.x code works.  It
does not select explicitly disabled protocols for sending alerts, nor does
it select protocol versions higher than the client's limit.

In OpenSSL 1.1.x, with its more modern rewritten state machine, the behaviour 
is closer to
what you expected.  Server reports:

  SSL_accept:before SSL initialization
  SSL_accept:before SSL initialization
  SSL3 alert write:fatal:protocol version
  SSL_accept:error in error
  ERROR
  140735512441728:error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:../openssl/ssl/statem/statem_srvr.c:1655:

and client sees:

  SSL_connect:before SSL initialization
  SSL_connect:SSLv3/TLS write client hello
  SSL3 alert read:fatal:protocol version
  SSL_connect:error in error
  140735512441728:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert 
protocol version:../openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to