Hi all,

I did some studies on this patch. I went through the OpenSSL CVS and found
that the
http://cvs.openssl.org/chngview?cn=18791
http://cvs.openssl.org/chngview?cn=18794   patches went into the OpenSSL 0.9.8l
release, and this patch leaves the renegotiation state in a hung state.

Whereas http://cvs.openssl.org/chngview?cn=18790  at least disconnects the
connection on renegotiation, which was supposed to be done to deal with
this problem.

Please correct me if I am wrong, and also please guide me on which patch needs
to be used.

Thanks in advance,
Samuel

Samuel123smith wrote:
> 
> Hi all,
> 
> I am a newbie to OpenSSL and I have recently joined OpenSSL activities. As
> we all know, we have come across the security vulnerability
> CVE-2009-3555 and I need to patch the OpenSSL 0.9.8k version. I was going
> through some of the queries already in this forum.
> 
> From this link
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2009-11/msg00000.html,
> I came to know the patch for this problem:
> Obtained-From: http://cvs.openssl.org/chngview?cn=18791
> Obtained-From: http://cvs.openssl.org/chngview?cn=18794
> 
> which I applied to OpenSSL 0.9.8k,
> but when I ran openssl s_server and s_client,
> 
> I can see the output as follows.
> At the client side, I can see:
> 
> openssl s_client
> 
> R
> RENEGOTIATING
> 
> It stays in this stage, and whenever I type anything on the server or
> client, the data is passed to the other side.
> 
> Server Side:
> The server is sending the data to client
> 
> Client Side:
> R
> RENEGOTIATING
> The server is sending the data to client.(----> data from server)
> 
> I was thinking the connection should be dropped if the client tries to
> renegotiate.
> 
> But if I apply this patch http://cvs.openssl.org/chngview?cn=18790,
> the server drops the connection.
> 
> Server Side:
> SSL3 alert write:fatal:handshake failure
> SSL_accept:error in SSLv3 read client hello A
> ERROR
> 487572:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no
> renegotiation:s3_srvr.c:725:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
> 
> Client Side:
> R
> RENEGOTIATING
> SSL_connect:SSL renegotiate ciphers
> >>> TLS 1.0 Handshake [length 0057], ClientHello
>     01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe
>     c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a
>     73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00
>     16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
>     15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01
>     00 00 04 00 23 00 00
> SSL_connect:SSLv3 write client hello A
> <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
>     02 28
> SSL3 alert read:fatal:handshake failure
> SSL_connect:failed in SSLv3 read server hello A
> 499818:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1060:SSL alert number 40
> 499818:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:530:
> 
> Client session is terminated.
> 
> Can anyone please tell me which is the intended behaviour?
> 
> Which patch do I have to apply to OpenSSL 0.9.8k? Please guide me.
> As I cannot move to OpenSSL 0.9.8l now, I have to apply the patch for
> this problem in OpenSSL 0.9.8k. Please direct me to the correct patch
> which I need to apply to OpenSSL 0.9.8k.
> 
> Thanks in advance,
> 
> Samuel
> 

-- 
View this message in context: 
http://old.nabble.com/New-Babie---Query-on-CVE-2009-3555..-tp26435399p26441574.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
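The s_client trace quoted above prints the raw bytes of the renegotiation ClientHello and of the alert the server answers with. The following is an added example, written for this thread and not code from Samuel or from the OpenSSL project: it decodes those two messages and checks whether the ClientHello carries either of the RFC 5746 secure-renegotiation markers (the renegotiation_info extension 0xff01 or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite 0x00ff). The hex input is copied from the trace; all function and constant names are my own. The ClientHello in the trace carries only a session_ticket extension (0x0023) and neither marker, which is the situation in which a server that refuses unmarked renegotiation closes the connection with alert 40 (handshake_failure), exactly as the quoted output shows.

```python
# Added example: decode the ClientHello and alert from the quoted s_client
# trace and look for RFC 5746 secure-renegotiation markers. Not OpenSSL code.

# Constructed input: the ClientHello hex dump from the trace (0x57 = 87 bytes).
CLIENT_HELLO_HEX = """
01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe
c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a
73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01
00 00 04 00 23 00 00
"""
# Constructed input: the alert body from the trace (level, description).
ALERT_HEX = "02 28"

HANDSHAKE_CLIENT_HELLO = 0x01
RENEGOTIATION_INFO_EXT = 0xFF01          # RFC 5746 extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746 signalling cipher suite
SESSION_TICKET_EXT = 0x0023              # RFC 5077 extension type

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      100: "no_renegotiation"}


def hex_to_bytes(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_client_hello(data: bytes) -> dict:
    """Parse a TLS 1.0-1.2 ClientHello handshake message (RFC 5246 7.4.1.2)."""
    if len(data) < 4 or data[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(data[1:4], "big")
    if body_len != len(data) - 4:
        raise ValueError(f"length field {body_len} != body {len(data) - 4}")
    pos = 4
    version = (data[pos], data[pos + 1])
    pos += 2
    client_random = data[pos:pos + 32]
    pos += 32
    sid_len = data[pos]
    pos += 1
    session_id = data[pos:pos + sid_len]
    pos += sid_len
    cs_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [int.from_bytes(data[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = data[pos]
    pos += 1
    compression = list(data[pos:pos + comp_len])
    pos += comp_len
    extensions = {}
    if pos < len(data):  # the extensions block is optional
        ext_len = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + ext_len != len(data):
            raise ValueError("extensions length does not match remaining bytes")
        while pos < len(data):
            etype = int.from_bytes(data[pos:pos + 2], "big")
            elen = int.from_bytes(data[pos + 2:pos + 4], "big")
            extensions[etype] = data[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"version": version, "random": client_random,
            "session_id": session_id, "cipher_suites": suites,
            "compression_methods": compression, "extensions": extensions}


def secure_renegotiation_signalled(hello: dict) -> bool:
    """True if the ClientHello carries either RFC 5746 marker."""
    return (RENEGOTIATION_INFO_EXT in hello["extensions"]
            or EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"])


def parse_alert(data: bytes) -> tuple:
    """Decode a two-byte TLS alert body into (level, description) names."""
    if len(data) != 2:
        raise ValueError("alert body must be exactly two bytes")
    level = ALERT_LEVELS.get(data[0], f"level_{data[0]}")
    desc = ALERT_DESCRIPTIONS.get(data[1], f"alert_{data[1]}")
    return level, desc


if __name__ == "__main__":
    hello = parse_client_hello(hex_to_bytes(CLIENT_HELLO_HEX))
    print("version", hello["version"], "suites", len(hello["cipher_suites"]),
          "extensions", [hex(e) for e in hello["extensions"]])
    print("secure renegotiation signalled:", secure_renegotiation_signalled(hello))
    print("server alert:", parse_alert(hex_to_bytes(ALERT_HEX)))
```

Run as a script it reports the ClientHello as TLS 1.0 with 19 cipher suites and one extension (0x23), no secure-renegotiation marker, and the server alert as fatal handshake_failure. The same parser can be pointed at any `-msg` ClientHello dump to see whether a client is advertising RFC 5746 support before a server is configured to refuse legacy renegotiation.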
