On Sat, May 20, 2000 at 02:07:04AM +0100, Dr Stephen Henson wrote:

>> ! Everywhere within the *protocol* itself, OpenSSL
>> ! properly switches to SSL v3 and uses 3.0 everywhere. BUT. There is a thing
>> ! called "premaster secret". NOT the protocol block that exchange that secret -
>> ! that block correctly contains the 3.0 version tag. The "premaster secret"
>> ! itself (when decoded) is a 48 byte "random" number. But this number should
>> ! have 2 first bytes fixed. And those bytes should be 3 and 0 - i.e. the same as
>> ! the version bytes in the protocol blocks.

>> The problem is in s3_clnt.c around line 1345:
>>                         tmp_buf[0]=s->client_version>>8;
>>                         tmp_buf[1]=s->client_version&0xff;
>> in function ssl3_send_client_key_exchange(SSL *s)
>> 
>> s->client_version has the value 0x0301, but it should have 0x0300
>> according to Stalker.

> It's not apparent that this actually *is* a bug. If you examine the SSLv3
> spec: [...]

It is *definitely not* a bug. The SSL 3.0 and TLS 1.0 specifications
are quite clear on this: "The latest (newest) version supported by the
client.  This is used to detect version roll-back attacks."
(Detecting version roll-back attacks is not possible if the client
does not send the maximum client_version cryptographically secured.)

> I recall various servers not tolerating s_client unless TLSv1 support is
> turned off so maybe this should be changed.

The servers, not s_client.  If compatibility with broken servers
is desired, you have to reconnect with different settings.

>                                             However if things are
> changed its possible some SSLv3 servers also work like OpenSSL and they
> will stop working :-(

Actually there's no security problem for servers to accept a
PreMasterSecret that contains the negotiated protocol version instead
of the client_version from the ClientHello if these don't match;
so it's possible for servers to adapt to both correct and broken
clients, in case there are already TLS 1.0-aware clients that send
incorrect PreMasterSecret messages as expected by those broken SSLv3
servers.

-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

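The version check under discussion, as an added C example that is not OpenSSL code from the page or from the s3_clnt.c fragment quoted above. It models the client side (the two bytes written into the 48-byte RSA PreMasterSecret) and three server-side policies: the strict check from the SSL 3.0 / TLS 1.0 specs (compare against the ClientHello version), the tolerant check the message proposes (also accept the negotiated version), and the behaviour of the broken SSLv3 servers the thread complains about (compare against the negotiated version only). The `handshake()` helper, its `broken_client` flag and the constant 0x42 filler in place of random bytes are constructed for this illustration and are assumptions of the example, not anything the page states. One caveat a modern implementer needs that the 2000 thread predates: a server must not signal a failed version check differently from a failed PKCS#1 padding check (no distinct alert, no timing difference); RFC 5246 section 7.4.7.1 directs the server to continue with a random premaster secret in both cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN      48
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301

/* Three server-side policies for the PreMasterSecret version bytes. */
enum server_policy {
    SERVER_STRICT,   /* spec: must equal ClientHello.client_version   */
    SERVER_TOLERANT, /* proposal: ClientHello version OR negotiated    */
    SERVER_BROKEN    /* observed SSLv3 servers: negotiated version only */
};

static uint16_t pms_version(const uint8_t *pms)
{
    return (uint16_t)((pms[0] << 8) | pms[1]);
}

/* Client: fill the 48-byte PreMasterSecret. A correct client passes its
 * own client_version (highest version it supports) as version_field; a
 * "broken" client passes the negotiated version instead. The other 46
 * bytes must come from a CSPRNG in real code; here the caller supplies
 * them so the example runs offline. */
void build_premaster(uint8_t pms[PMS_LEN], uint16_t version_field,
                     const uint8_t rnd[46])
{
    pms[0] = (uint8_t)(version_field >> 8);
    pms[1] = (uint8_t)(version_field & 0xff);
    memcpy(pms + 2, rnd, 46);
}

/* Server: validate the decrypted PreMasterSecret against the version it
 * read from ClientHello and the version it actually negotiated.
 * Returns 1 to accept, 0 to reject. */
int check_premaster(enum server_policy pol, const uint8_t pms[PMS_LEN],
                    uint16_t hello_version, uint16_t negotiated_version)
{
    uint16_t v = pms_version(pms);
    switch (pol) {
    case SERVER_STRICT:   return v == hello_version;
    case SERVER_TOLERANT: return v == hello_version || v == negotiated_version;
    case SERVER_BROKEN:   return v == negotiated_version;
    }
    return 0;
}

/* One simulated handshake (constructed helper, not a TLS stack):
 *  client_max    the client's real client_version
 *  hello_seen    the version the server reads from ClientHello; an
 *                active attacker may have lowered it (version rollback)
 *  server_max    the highest version the server speaks
 *  broken_client 1 = client writes the negotiated version into the PMS
 * Returns 1 if the server accepts the PreMasterSecret. */
int handshake(enum server_policy pol, uint16_t client_max, uint16_t hello_seen,
              uint16_t server_max, int broken_client)
{
    uint16_t negotiated = hello_seen < server_max ? hello_seen : server_max;
    uint8_t rnd[46];
    uint8_t pms[PMS_LEN];

    memset(rnd, 0x42, sizeof rnd);          /* constructed filler, NOT random */
    build_premaster(pms, broken_client ? negotiated : client_max, rnd);
    return check_premaster(pol, pms, hello_seen, negotiated);
}

int main(void)
{
    static const char *names[] = { "strict", "tolerant", "broken" };
    int p;

    for (p = SERVER_STRICT; p <= SERVER_BROKEN; p++) {
        printf("%-8s correct TLS1 client vs SSL3 server : %s\n", names[p],
               handshake(p, TLS1_VERSION, TLS1_VERSION, SSL3_VERSION, 0) ? "accept" : "reject");
        printf("%-8s broken TLS1 client vs SSL3 server  : %s\n", names[p],
               handshake(p, TLS1_VERSION, TLS1_VERSION, SSL3_VERSION, 1) ? "accept" : "reject");
        printf("%-8s rollback (hello lowered to SSL3)   : %s\n", names[p],
               handshake(p, TLS1_VERSION, SSL3_VERSION, TLS1_VERSION, 0) ? "accept" : "reject");
    }
    return 0;
}
```

The table the program prints makes the thread's two points concrete: the "broken" policy is the one that rejects a correct TLS 1.0 client talking to an SSLv3-only server, and the tolerant policy accepts both correct and broken clients while still rejecting the rollback case, because a correct client's PreMasterSecret carries 0x0301 when the tampered ClientHello and the negotiated version both say 0x0300. A broken client that copies the negotiated version cannot be protected by any server-side policy, which is why the client_version bytes must be the client's maximum.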