Modify client hello version when renegotiating to enhance interop with

some servers.

diff --git a/CHANGES b/CHANGES
index 86b2f92583556308e43d79a5ad39be5186e40edb..37124447a911528f6d925756d4af762ec296c4bf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -267,6 +267,13 @@
   
  Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]
 
+  *) Some servers which support TLS 1.0 can choke if we initially indicate
+     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
+     encrypted premaster secret. As a workaround use the maximum pemitted
+     client version in client hello, this should keep such servers happy
+     and still work with previous versions of OpenSSL.
+     [Steve Henson]
+
   *) Add support for TLS/DTLS heartbeats.
      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 

diff --git a/apps/s_client.c b/apps/s_client.c
index dbc0700ded2fc9da4d4210a2fe06f0de4dc84752..d7249814ac329b186ae03ac76cb5b5520cf126c3 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2056,7 +2056,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        }
 #endif
 
-#ifdef SSL_DEBUG
+#ifndef SSL_DEBUG
        {
        /* Print out local port of connection: useful for debugging */
        int sock;

diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh
index 0d55e8f846e6e6ad587179dc97ba8b247722aa4a..2cf39482c78b479b458a96b4a2361163cadc0d33 100644 (file)
--- a/demos/certs/mkcerts.sh
+++ b/demos/certs/mkcerts.sh
@@ -30,7 +30,10 @@ $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
 
 # First DH parameters
 
-[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
+$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
+
+# Uncomment out this line for X9.42 DH parameters instead
+$OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
 
 # Now a DH private key
 $OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e7b477a5e723e9d1bf5776550fd40c374710920e..323a73277515be80f00f051aff8e97c998690ed5 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -689,9 +689,43 @@ int ssl3_client_hello(SSL *s)
                /* Do the message type and length last */
                d=p= &(buf[4]);
 
+               /* version indicates the negotiated version: for example from
+                * an SSLv2/v3 compatible client hello). The client_version
+                * field is the maximum version we permit and it is also
+                * used in RSA encrypted premaster secrets. Some servers can
+                * choke if we initially report a higher version then
+                * renegotiate to a lower one in the premaster secret. This
+                * didn't happen with TLS 1.0 as most servers supported it
+                * but it can with TLS 1.1 or later if the server only supports
+                * 1.0.
+                *
+                * Possible scenario with previous logic:
+                *      1. Client hello indicates TLS 1.2
+                *      2. Server hello says TLS 1.0
+                *      3. RSA encrypted premaster secret uses 1.2.
+                *      4. Handhaked proceeds using TLS 1.0.
+                *      5. Server sends hello request to renegotiate.
+                *      6. Client hello indicates TLS v1.0 as we now
+                *         know that is maximum server supports.
+                *      7. Server chokes on RSA encrypted premaster secret
+                *         containing version 1.0.
+                *
+                * For interoperability it should be OK to always use the
+                * maximum version we support in client hello and then rely
+                * on the checking of version to ensure the servers isn't
+                * being inconsistent: for example initially negotiating with
+                * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
+                * client_version in client hello and not resetting it to
+                * the negotiated version.
+                */
+#if 0
                *(p++)=s->version>>8;
                *(p++)=s->version&0xff;
                s->client_version=s->version;
+#else
+               *(p++)=s->client_version>>8;
+               *(p++)=s->client_version&0xff;
+#endif
 
                /* Random stuff */
                memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);

diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 91089f3e8e44922a015d6612a7965e1fbb78d1da..7e01d8d27fd56ac472a2a6df528f776a9bc4e225 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* ssl/ssl3.h */
+
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG             0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY            0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE              0x0020
+#define SSL3_FLAGS_CLEAR_CLIENT_CERT           0x0040
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us