Hello.

OpenSSL 0.9.8y does not properly handle warning level
alerts in SSLv23 client method unlike OpenSSL 1.0.0+.

For example, when OpenSSL 0.9.8 initiates a connection
using TLS-SNI extensions in "SSLv23 mode" and the server
replies to client hello with an unrecognized_name warning
alert, the handshake terminates client-side.

This issue has been reported by many clients linked against
OpenSSL 0.9.8 (see footer links).

When connecting to a server that sends warning-level alerts
on hostname mismatch in TLS-SNI, e.g.:

  $ openssl s_client -CApath /etc/ssl -connect \
    $CorrectHostname:443 -servername $InvalidHostname \
    -state < /dev/null 2>&1 | grep -E 'alert|error'

Current 0.9.8y behavior (output):
  SSL3 alert read:warning:unknown
  SSL_connect:error in SSLv2/v3 read server hello A
  7632:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112):s23_clnt.c:602:

Desired behavior (output) [consistent with OpenSSL 1.0.1e]:
  SSL3 alert read:warning:unrecognized name
  SSL3 alert write:warning:close notify

Patch applies cleanly to OpenSSL_0_9_8-stable (HEAD@a44c9b9c)
and makes behavior consistent with OpenSSL 1.0.1e. Also, it
adds support for new alerts (RFC 6066 and RFC 4279).

Please consider its inclusion after appropriate code review.

--mancha

Note: A higher-level discussion is whether non-fatal
unrecognized_name alerts should be sent at all. Per RFC 6066,
"If a server name is provided but not recognized, the server
should either continue the handshake without an error or send
a fatal error. Sending a warning-level message is not
recommended because client behavior will be unpredictable."

=====

[1] http://marc.info/?l=openssl-users&m=131736995412529&w=2
[2] http://sourceforge.net/p/curl/bugs/1037/
[3] https://bugs.php.net/bug.php?id=61276
[4] https://github.com/joyent/node/issues/3033

Attachment: 0001-Fix-handling-of-warning-level-alerts-in-SSL23-client.patch
Description: Binary data
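
Added example (not taken from the attached patch or from OpenSSL's source): a minimal C sketch of the difference the message describes, contrasting a client that treats any alert received while waiting for ServerHello as an error with one that checks the alert level first. Function names and result codes are hypothetical; it assumes a single unfragmented plaintext alert record, and the 1000 offset mirrors OpenSSL's SSL_AD_REASON_OFFSET, which is why alert 112 appears as reason(1112) in the output above.

```c
#include <stddef.h>
#include <stdio.h>

enum { RT_ALERT = 21, REASON_OFFSET = 1000 };  /* record type; 1000 + alert = error reason */
enum { LVL_WARNING = 1, LVL_FATAL = 2 };
enum { AD_CLOSE_NOTIFY = 0, AD_UNRECOGNIZED_NAME = 112, AD_UNKNOWN_PSK_IDENTITY = 115 };
enum { ACT_CONTINUE = 0, ACT_CLOSE = -1, ACT_MALFORMED = -2 };  /* hypothetical result codes */

/* Description strings; without the RFC 6066 / RFC 4279 entries, 112 prints as "unknown". */
const char *alert_name(unsigned desc)
{
    switch (desc) {
    case AD_CLOSE_NOTIFY:         return "close notify";
    case AD_UNRECOGNIZED_NAME:    return "unrecognized name";
    case AD_UNKNOWN_PSK_IDENTITY: return "unknown PSK identity";
    default:                      return "unknown";
    }
}

/* Models the reported behaviour: any alert seen while waiting for ServerHello is an error. */
int classify_reported(const unsigned char *rec, size_t len)
{
    if (len < 7 || rec[0] != RT_ALERT) return ACT_CONTINUE;
    return REASON_OFFSET + rec[6];
}

/* Level-aware handling: only fatal alerts abort; close_notify ends the connection cleanly. */
int classify_level_aware(const unsigned char *rec, size_t len)
{
    if (len < 5) return ACT_MALFORMED;
    if (rec[0] != RT_ALERT) return ACT_CONTINUE;
    if ((((size_t)rec[3] << 8) | rec[4]) != 2 || len < 7) return ACT_MALFORMED;
    if (rec[5] == LVL_FATAL) return REASON_OFFSET + rec[6];
    if (rec[5] != LVL_WARNING) return ACT_MALFORMED;
    return rec[6] == AD_CLOSE_NOTIFY ? ACT_CLOSE : ACT_CONTINUE;
}

/* Constructed sample records: type, version 3.1, length 2, level, description. */
static const unsigned char WARN_SNI[]  = { 21, 3, 1, 0, 2, LVL_WARNING, AD_UNRECOGNIZED_NAME };
static const unsigned char FATAL_SNI[] = { 21, 3, 1, 0, 2, LVL_FATAL,   AD_UNRECOGNIZED_NAME };

int main(void)
{
    printf("reported:    %d (%s)\n", classify_reported(WARN_SNI, sizeof WARN_SNI),
           alert_name(WARN_SNI[6]));
    printf("level-aware: %d / %d\n", classify_level_aware(WARN_SNI, sizeof WARN_SNI),
           classify_level_aware(FATAL_SNI, sizeof FATAL_SNI));
    return 0;
}
```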
