On Thu, Nov 19, 2009, Dr. Stephen Henson wrote:

> On Thu, Nov 19, 2009, Jean-Marc Desperrier wrote:
> 
> > Thor Lancelot Simon wrote:
> >> I think it's a mistake to send a fatal alert.  In the past week as I've
> >> been experimenting with this, I've encountered a number of embedded
> >> client devices (cellphones -- I suspect I know which stack they're using
> >> but I'm not certain, so I won't identify the vendor here) which do periodic
> >> renegotiations and can't be configured not to.  I hacked up no-renegotiation
> >> alert for a somewhat simpler TLS implementation since I kept tripping over
> >> myself trying to do it with OpenSSL.  The result was that these clients
> >> could maintain connections -- they ignore the failed renegotiation.
> >>
> >> With OpenSSL, these clients simply lose their connection and don't
> >> display pages.  I think this is wrong.
> >
> > I support wholly this description of the situation.
> 
> I'm currently reviewing the code along with the continuing discussions about
> strategy in the TLS mailing list. The current code is obviously buggy (I had
> to fix a few things yesterday) and I'll look into fixing it.
> 

OK, we are currently doing the wrong thing according to the specs. For TLS a
no renegotiation alert can be sent but no such thing exists for SSLv3. However
OpenSSL currently doesn't handle this alert properly client side, it just
ignores it and carries on waiting for a server hello which it will never get.

The attached patch should send a no renegotiation alert from the server.
Please test it and let me know if renegotiating clients (but not OpenSSL ones)
are now happier.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Index: s3_pkt.c
===================================================================
RCS file: /v/openssl/cvs/openssl/ssl/s3_pkt.c,v
retrieving revision 1.57.2.6
diff -c -r1.57.2.6 s3_pkt.c
*** s3_pkt.c    13 Jul 2009 22:37:45 -0000      1.57.2.6
--- s3_pkt.c    20 Nov 2009 16:35:41 -0000
***************
*** 1029,1034 ****
--- 1029,1053 ----
                 * now try again to obtain the (application) data we were asked 
for */
                goto start;
                }
+       /* If we are a server and get a client hello when renegotiation isn't
+        * allowed send back a no renegotiation alert and carry on.
+        * WARNING: experimental code, needs reviewing (steve)
+        */
+       if (s->server &&
+               SSL_is_init_finished(s) &&
+               !s->s3->send_connection_binding &&
+               (s->version > SSL3_VERSION) &&
+               (s->s3->handshake_fragment_len >= 4) &&
+               (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+               (s->session != NULL) && (s->session->cipher != NULL) &&
+               !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+               
+               {
+               rr->length = 0;
+               ssl3_send_alert(s,SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
+               goto start;
+               }
+ 
  
        if (s->s3->alert_fragment_len >= 2)
                {
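Review bot: The new block tests s->s3->handshake_fragment_len >= 4 and handshake_fragment[0] == SSL3_MT_CLIENT_HELLO, but before "goto start" it only sets rr->length = 0, so the buffered ClientHello header is still in place. Unless that state is cleared elsewhere, any later record that reaches this point can match the same condition again and trigger another warning alert, so consider resetting s->s3->handshake_fragment_len to 0 here, or say in the comment why it must be kept. The return value of ssl3_send_alert() is also discarded, so a failed alert write goes unnoticed. Finally, the comment should state that the (s->version > SSL3_VERSION) test deliberately leaves SSLv3 out because it has no such alert, and what is expected to happen to an SSLv3 renegotiation attempt that falls through this check.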
