Hi,
I've found a bug in the Client Hello cipher suites list corresponding to RFC
2246. The last cipher suite in the list always contains an additional byte
0xFF, so the rest of the record cannot be read correctly, and connections
which use the following Client Hello Extensions fail.
I'm not sure in which version(s) this bug is present, or since when. I only see
that connections do not work as soon as the request goes through a web proxy
with HTTPS inspection which uses OpenSSL. I tested with different commercial
products; requests which go through a web proxy which does not use OpenSSL
(e.g. Microsoft TMG) work fine. So I guess this additional byte is the reason
for broken connections.
All of the tested web proxy products are patched because of the heart bleeding
bug.
Example: This is a TLS Rec Layer-1 which contains the additional byte 0xFF at
position 007D:
0000 16 03 01 00 E4 01 00 00 E0 03 01 83 1E 08 12 F6
0010 02 39 AC 34 43 6F 43 E3 FC 67 6F F8 38 6D E3 19
0020 FC 80 E1 8D 5C CF EE FE 61 3F AF 00 00 50 C0 14
0030 C0 0A C0 22 C0 21 00 39 00 38 00 88 00 87 C0 0F
0040 C0 05 00 35 00 84 C0 12 C0 08 C0 1C C0 1B 00 16
0050 00 13 C0 0D C0 03 00 0A C0 13 C0 09 C0 1F C0 1E
0060 00 33 00 32 00 45 00 44 C0 0E C0 04 00 2F 00 41
0070 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 >FF< 02 01
0080 00 00 66 00 00 00 19 00 17 00 00 14 77 65 62 63
0090 6F 6E 66 2E 63 6F 6E 6E 65 63 74 69 73 2E 63 68
00A0 00 0B 00 04 03 00 01 02 00 0A 00 34 00 32 00 0E
00B0 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 0A 00 16
00C0 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
00D0 00 12 00 13 00 01 00 02 00 03 00 0F 00 10 00 11
00E0 00 23 00 00 00 0F 00 01 01
The 0xFF at position 007D should not be there; only then can the rest of the
record be interpreted correctly.
Here you find the whole tree of the wrong ClientHello (with 0xFF). Have a look
at the last TLSCipherSuites and the following bytes:
Frame: Number = 5, Captured Frame Length = 299, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[00-0C-29-AA-3E-0C],SourceAddress:[00-22-55-7E-D2-E7]
+ Ipv4: Src = 193.134.161.73, Dest = 91.209.53.40, Next Protocol = TCP, Packet
ID = 49379, Total IP Length = 285
+ Tcp: Flags=...AP..., SrcPort=37948, DstPort=HTTPS(443), PayloadLen=233,
Seq=1755423924 - 1755424157, Ack=4227022623, Win=29 (scale factor 0x9) = 14848
TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Hello. Encrypted Handshake Message.
- TlsRecordLayer: TLS Rec Layer-1 HandShake:
ContentType: HandShake:
- Version: TLS 1.0
Major: 3 (0x3)
Minor: 1 (0x1)
Length: 228 (0xE4)
- SSLHandshake: SSL HandShake Encrypted Handshake Message
HandShakeType: ClientHello(0x01)
Length: 224 (0xE0)
- ClientHello: TLS 1.0
+ Version: TLS 1.0
+ RandomBytes:
SessionIDLength: 0 (0x0)
CipherSuitesLength: 80
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x0A }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA { 0xC0,0x22 }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x21 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x00, 0x38 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x88 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x87 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x0F }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x05 }
+ TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
+ TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x84 }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x12 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x08 }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA { 0xC0,0x1C }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x1B }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x16}
+ TLSCipherSuites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x0D }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x03 }
+ TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x13 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x09 }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA { 0xC0,0x1F }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x1E }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x00, 0x32 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x45 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x44 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x0E }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x04 }
+ TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }
+ TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x41 }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA { 0xC0,0x11 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA { 0xC0,0x07 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_RC4_128_SHA { 0xC0,0x0C }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_RC4_128_SHA { 0xC0,0x02 }
+ TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 }
+ TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
- TLSCipherSuites: Unknown Cipher { 0x00,0xFF }
Cipher: 255 (0xFF)
CompressionMethodsLength: 2 (0x2)
CompressionMethods: 1 (0x1)
ExtensionsLength: 0 (0x0)
HandShakeType: Encrypted Handshake Message
EncryptedHandshakeMessage: Binary Large Object (102 Bytes)
Here you find the fixed record (manually fixed by deleting the 0xFF and
changing the corresponding lengths):
Frame: Number = 5, Captured Frame Length = 299, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP
(IPv4),DestinationAddress:[00-0C-29-AA-3E-0C],SourceAddress:[00-22-55-7E-D2-E7]
+ Ipv4: Src = 193.134.161.73, Dest = 91.209.53.40, Next Protocol = TCP, Packet
ID = 49379, Total IP Length = 285
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=37948, DstPort=HTTPS(443),
PayloadLen=232, Seq=1755423924 - 1755424157, Ack=4227022623, Win=29 (scale
factor 0x9) = 14848
TLSSSLData: Transport Layer Security (TLS) Payload Data
- TLS: TLS Rec Layer-1 HandShake: Client Hello.
- TlsRecordLayer: TLS Rec Layer-1 HandShake:
ContentType: HandShake:
+ Version: TLS 1.0
Length: 227 (0xE3)
- SSLHandshake: SSL HandShake Hello Request(0x00)
HandShakeType: ClientHello(0x01)
Length: 223 (0xDF)
- ClientHello: TLS 1.0
+ Version: TLS 1.0
+ RandomBytes:
SessionIDLength: 0 (0x0)
CipherSuitesLength: 80
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x0A }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA { 0xC0,0x22 }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x21 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x00, 0x38 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x88 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x87 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x0F }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x05 }
+ TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
+ TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x84 }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x12 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x08 }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA { 0xC0,0x1C }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x1B }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x16}
+ TLSCipherSuites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x0D }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA { 0xC0,0x03 }
+ TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x13 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x09 }
+ TLSCipherSuites: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA { 0xC0,0x1F }
+ TLSCipherSuites: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x1E }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x00, 0x32 }
+ TLSCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x45 }
+ TLSCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x44 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x0E }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x04 }
+ TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }
+ TLSCipherSuites: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x41 }
+ TLSCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA { 0xC0,0x11 }
+ TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA { 0xC0,0x07 }
+ TLSCipherSuites: TLS_ECDH_RSA_WITH_RC4_128_SHA { 0xC0,0x0C }
+ TLSCipherSuites: TLS_ECDH_ECDSA_WITH_RC4_128_SHA { 0xC0,0x02 }
+ TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 }
+ TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }
+ TLSCipherSuites: TLS_RSA_WITH_NULL_SHA { 0x00,0x02 }
CompressionMethodsLength: 1 (0x1)
CompressionMethods: 0 (0x0)
ExtensionsLength: 102 (0x66)
+ ClientHelloExtension: Server Name(0x0000)
+ ClientHelloExtension: EC Point Formats(0x000B)
+ ClientHelloExtension: Elliptic Curves(0x000A)
+ ClientHelloExtension: SessionTicket TLS(0x0023)
+ ClientHelloExtension: Unknown Extension Type
I hope I could explain the problem, that you can fix it soon, and that the fix
will be applied soon to all web proxies...
Regards,
Stephan
Stephan Kaufmann
Engineer Application & System
connectis AG
Nauenstrasse 49 | CH-4052 Basel
T +41 58 301 12 21 | M +41 76 301 12 21
[email protected] | www.connectis.ch
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
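
Added example (not part of the original message): a length-driven parse of the record bytes from the hex dump above, following the ClientHello layout of RFC 2246 with the extensions block appended, to show which field each byte around offset 0x7D belongs to. The function name and the returned keys are this example's own.

```python
import struct

# Record bytes copied row by row from the hex dump in the message (233 bytes).
RECORD = bytes.fromhex("""
16 03 01 00 E4 01 00 00 E0 03 01 83 1E 08 12 F6
02 39 AC 34 43 6F 43 E3 FC 67 6F F8 38 6D E3 19
FC 80 E1 8D 5C CF EE FE 61 3F AF 00 00 50 C0 14
C0 0A C0 22 C0 21 00 39 00 38 00 88 00 87 C0 0F
C0 05 00 35 00 84 C0 12 C0 08 C0 1C C0 1B 00 16
00 13 C0 0D C0 03 00 0A C0 13 C0 09 C0 1F C0 1E
00 33 00 32 00 45 00 44 C0 0E C0 04 00 2F 00 41
C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 FF 02 01
00 00 66 00 00 00 19 00 17 00 00 14 77 65 62 63
6F 6E 66 2E 63 6F 6E 6E 65 63 74 69 73 2E 63 68
00 0B 00 04 03 00 01 02 00 0A 00 34 00 32 00 0E
00 0D 00 19 00 0B 00 0C 00 18 00 09 00 0A 00 16
00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
00 12 00 13 00 01 00 02 00 03 00 0F 00 10 00 11
00 23 00 00 00 0F 00 01 01
""")

def parse_client_hello(record):
    """Walk one TLS record holding a ClientHello using only its length fields."""
    ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    if record[5] != 0x01 or hs_len != rec_len - 4:
        raise ValueError("not a single ClientHello")
    pos = 9 + 2 + 32                       # skip client_version and random
    pos += 1 + record[pos]                 # session_id: 1 length byte + body
    n = int.from_bytes(record[pos:pos + 2], "big"); pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("bad cipher_suites length")
    # each suite is 2 bytes; keep its offset in the record for comparison
    suites = [(pos + i, record[pos + i:pos + i + 2].hex()) for i in range(0, n, 2)]
    pos += n
    n = record[pos]; pos += 1              # compression_methods<1..255>
    compression = list(record[pos:pos + n]); pos += n
    ext_len = int.from_bytes(record[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    extensions = []
    while pos + 4 <= end:                  # type (2 bytes) + length (2 bytes) + data
        etype, elen = struct.unpack_from("!HH", record, pos)
        extensions.append(etype); pos += 4 + elen
    if pos != end or end != len(record):
        raise ValueError("extension lengths do not add up")
    return {"suites": suites, "compression": compression,
            "ext_len": ext_len, "extensions": extensions}
```

Run on the dump, the 80-byte cipher-suite list ends with the pair at offsets 0x7C-0x7D, which is 0x00,0xFF, the code point RFC 5746 assigns to TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The compression list that follows holds two methods (1 and 0), and the 102-byte extensions block then accounts for every remaining byte of the record.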