From: Dr. Stephen Henson Date: Thu, 9 Feb 2012 15:42:10 +0000 (+0000) Subject: Modify client hello version when renegotiating to enhance interop with X-Git-Tag: master-post-reformat~1960 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f4e1169341ad1217e670387db5b0c12d680f95f4;p=oweals%2Fopenssl.git Modify client hello version when renegotiating to enhance interop with some servers. --- diff --git a/CHANGES b/CHANGES index 86b2f92583..37124447a9 100644 --- a/CHANGES +++ b/CHANGES @@ -267,6 +267,13 @@ Changes between 1.0.0f and 1.0.1 [xx XXX xxxx] + *) Some servers which support TLS 1.0 can choke if we initially indicate + support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA + encrypted premaster secret. As a workaround use the maximum pemitted + client version in client hello, this should keep such servers happy + and still work with previous versions of OpenSSL. + [Steve Henson] + *) Add support for TLS/DTLS heartbeats. [Robin Seggelmann ] diff --git a/apps/s_client.c b/apps/s_client.c index dbc0700ded..d7249814ac 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2056,7 +2056,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) } #endif -#ifdef SSL_DEBUG +#ifndef SSL_DEBUG { /* Print out local port of connection: useful for debugging */ int sock; diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 0d55e8f846..2cf39482c7 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh @@ -30,7 +30,10 @@ $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ # First DH parameters -[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem +$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem + +# Uncomment out this line for X9.42 DH parameters instead +$OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 # Now a DH private key $OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index e7b477a5e7..323a732775 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -689,9 +689,43 @@ int ssl3_client_hello(SSL *s) /* Do the message type and length last */ d=p= &(buf[4]); + /* version indicates the negotiated version: for example from + * an SSLv2/v3 compatible client hello). The client_version + * field is the maximum version we permit and it is also + * used in RSA encrypted premaster secrets. Some servers can + * choke if we initially report a higher version then + * renegotiate to a lower one in the premaster secret. This + * didn't happen with TLS 1.0 as most servers supported it + * but it can with TLS 1.1 or later if the server only supports + * 1.0. + * + * Possible scenario with previous logic: + * 1. Client hello indicates TLS 1.2 + * 2. Server hello says TLS 1.0 + * 3. RSA encrypted premaster secret uses 1.2. + * 4. Handhaked proceeds using TLS 1.0. + * 5. Server sends hello request to renegotiate. + * 6. Client hello indicates TLS v1.0 as we now + * know that is maximum server supports. + * 7. Server chokes on RSA encrypted premaster secret + * containing version 1.0. + * + * For interoperability it should be OK to always use the + * maximum version we support in client hello and then rely + * on the checking of version to ensure the servers isn't + * being inconsistent: for example initially negotiating with + * TLS 1.0 and renegotiating with TLS 1.2. We do this by using + * client_version in client hello and not resetting it to + * the negotiated version. + */ +#if 0 *(p++)=s->version>>8; *(p++)=s->version&0xff; s->client_version=s->version; +#else + *(p++)=s->client_version>>8; + *(p++)=s->client_version&0xff; +#endif /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 91089f3e8e..7e01d8d27f 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -1,4 +1,4 @@ -/* ssl/ssl3.h */ + /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +#define SSL3_FLAGS_CLEAR_CLIENT_CERT 0x0040 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us