I am using OpenSSL 0.9.6d. The application uses a Win32 compile, but this
problem has been demonstrated under a FreeBSD compile too.
I was doing application development (not the topic of this email)
interacting with an IBM-developed SSL library. I experienced unexpected
disconnects immediately after the SSL handshake takes place. According to
the IBM developer, this is an OpenSSL bug due to an extra 24 bytes
supposedly sent by OpenSSL after the handshake is complete.
"I did some more digging over the weekend, and ran some more traces for
IBM - what I found was that OpenSSL sends an additional packet of 24
bytes of what appears to be garbage following the handshake. The OpenSSL
libraries and the s_client command both behave in this manner."
"The traces I gathered using "ssldump" demonstrate the working (Java) and
non-working (OpenSSL) scenarios."
"In summary, this ends up being an OpenSSL issue."
"I guess for the time being it'll have to be noted that TUNA doesn't play
ball with OpenSSL, at least until such time as someone on the client
side can get rid of those 24 bytes."
"using the z/OS System SSL libraries."
"In the meantime, it is definitely an OpenSSL bug, and that's about as
far as we will take it."
Can anyone shed some light on this supposed 24 "extra" bytes sent after the
handshake?
Below is a sample TCP dump showing the IBM server simply hanging up on the
OpenSSL client.
New TCP connection #1: 192.168.0.241(2549) <-> 63.78.183.70(3018)
1 1 0.1667 (0.1667) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_3DES
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_IDEA
SSL2_CK_RC2
SSL2_CK_RC4
SSL2_CK_RC464
TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL2_CK_RC2_EXPORT40
SSL2_CK_RC4_EXPORT40
1 2 0.2779 (0.1111) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
28 f9 ef a6 18 2c fb aa fc 34 2d 4e 3e 69 22 c8
ad 80 5a 4b b7 4c c9 53 4d db 56 76 36 fd 71 1e
cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
1 3 0.2799 (0.0019) S>C Handshake
Certificate
1 4 0.3990 (0.1191) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_authority
30 81 81 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e
6f 69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68
69 63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f
54 72 61 6e 73 20 55 6e 69 6f 6e 20 4c 4c 43 31
10 30 0e 06 03 55 04 0b 13 07 53 79 73 74 65 6d
73 31 21 30 1f 06 03 55 04 03 13 18 54 72 61 6e
73 20 55 6e 69 6f 6e 20 43 49 43 53 20 52 6f 6f
74 20 43 41
certificate_authority
30 81 95 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e
6f 69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68
69 63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f
54 72 61 6e 73 20 55 6e 69 6f 6e 20 4c 4c 43 31
10 30 0e 06 03 55 04 0b 13 07 53 79 73 74 65 6d
73 31 10 30 0e 06 03 55 04 0c 13 07 53 79 73 74
65 6d 73 31 23 30 21 06 03 55 04 03 13 1a 54 72
61 6e 73 20 55 6e 69 6f 6e 20 43 49 43 53 20 53
69 67 6e 65 72 20 43 41
certificate_authority
30 81 81 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e
6f 69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68
69 63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f
54 72 61 6e 73 20 55 6e 69 6f 6e 20 4c 4c 43 31
0c 30 0a 06 03 55 04 0b 13 03 43 50 41 31 25 30
23 06 03 55 04 03 13 1c 74 65 73 74 2e 74 72 61
6e 73 75 6e 69 6f 6e 6e 65 74 61 63 63 65 73 73
2e 63 6f 6d
certificate_authority
30 81 81 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e
6f 69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68
69 63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f
54 72 61 6e 73 20 55 6e 69 6f 6e 20 4c 4c 43 31
0c 30 0a 06 03 55 04 0b 13 03 43 50 41 31 25 30
23 06 03 55 04 03 13 1c 74 65 73 74 2e 74 72 61
6e 73 75 6e 69 6f 6e 6e 65 74 61 63 63 65 73 73
2e 63 6f 6d
certificate_authority
30 7c 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e 6f
69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68 69
63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f 54
72 61 6e 73 55 6e 69 6f 6e 2c 20 4c 4c 43 31 2e
30 2c 06 03 55 04 03 13 25 54 72 61 6e 73 55 6e
69 6f 6e 20 54 55 4e 41 20 43 65 72 74 69 66 69
63 61 74 65 20 41 75 74 68 6f 72 69 74 79
certificate_authority
30 7d 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e 6f
69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68 69
63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f 54
72 61 6e 73 55 6e 69 6f 6e 2c 20 4c 4c 43 31 2f
30 2d 06 03 55 04 03 13 26 54 72 61 6e 73 55 6e
69 6f 6e 20 54 55 4e 41 20 52 65 67 69 73 74 72
61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79
certificate_authority
30 7b 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e 6f
69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68 69
63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f 54
72 61 6e 73 55 6e 69 6f 6e 2c 20 4c 4c 43 31 2d
30 2b 06 03 55 04 03 13 24 54 72 61 6e 73 55 6e
69 6f 6e 20 4e 65 74 20 41 63 63 65 73 73 20 43
6c 69 65 6e 74 20 54 65 73 74 69 6e 67
certificate_authority
30 73 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
11 30 0f 06 03 55 04 08 13 08 49 6c 6c 69 6e 6f
69 73 31 10 30 0e 06 03 55 04 07 13 07 43 68 69
63 61 67 6f 31 18 30 16 06 03 55 04 0a 13 0f 54
72 61 6e 73 55 6e 69 6f 6e 2c 20 4c 4c 43 31 25
30 23 06 03 55 04 03 13 1c 74 65 73 74 2e 74 72
61 6e 73 75 6e 69 6f 6e 6e 65 74 61 63 63 65 73
73 2e 63 6f 6d
certificate_authority
30 81 a4 31 0b 30 09 06 03 55 04 06 13 02 55 53
31 16 30 14 06 03 55 04 08 13 0d 4e 65 77 20 48
61 6d 70 73 68 69 72 65 31 10 30 0e 06 03 55 04
07 13 07 43 6f 6e 63 6f 72 64 31 3d 30 3b 06 03
55 04 0a 13 34 4e 65 77 20 48 61 6d 70 73 68 69
72 65 20 48 69 67 68 65 72 20 45 64 75 63 61 74
69 6f 6e 20 41 73 73 69 73 74 61 6e 63 65 20 46
6f 75 6e 64 61 74 69 6f 6e 31 13 30 11 06 03 55
04 0b 13 0a 6e 68 68 65 61 66 2e 6f 72 67 31 17
30 15 06 03 55 04 03 13 0e 77 77 77 2e 6e 68 68
65 61 66 2e 6f 72 67
1 5 0.3990 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.4051 (0.0061) C>S Handshake
Certificate
1 7 0.4051 (0.0000) C>S Handshake
ClientKeyExchange
1 8 0.4051 (0.0000) C>S Handshake
CertificateVerify
Signature[128]=
be 85 bc 9c 6b bc 12 f1 f3 d3 da af 6c 02 b5 2f
bc d0 da c7 d6 a8 76 99 48 73 30 27 f5 0b 6a 2d
02 d5 cd ee ed 21 4e 68 e1 05 4e 8d d0 40 3c b3
1a 02 d9 1e 37 0b 95 71 1a 8f 18 d6 cc a6 02 6f
89 b6 5a de e8 df 37 e3 34 92 9f 25 e0 50 d5 04
3a 9c c4 0a d9 7b 3d 0e f5 aa 11 03 19 cf 81 33
c0 7f 72 1a ee c2 9e 45 a2 aa 22 4d 6f 8a 6b 19
48 e6 46 a5 28 e6 a4 61 68 41 83 82 b5 92 1f b1
1 9 0.4051 (0.0000) C>S ChangeCipherSpec
1 10 0.4051 (0.0000) C>S Handshake
1 11 0.6474 (0.2422) S>C ChangeCipherSpec
1 12 0.9218 (0.2744) S>C Handshake
******Intentional delay of a few seconds*********
1 13 9.7249 (8.8030) C>S application_data <---- HTTP request
1 14 9.7249 (0.0000) C>S application_data <---- HTTP request
1 9.8506 (0.1257) S>C TCP FIN
1 15 9.8511 (0.0004) C>S Alert
1 9.8511 (0.0000) C>S TCP FIN
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
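
Added example, not part of the original message and not OpenSSL or IBM code: it parses the post-handshake lines of the ssldump trace above and computes the on-the-wire size of one CBC record under the negotiated SSL_RSA_WITH_3DES_EDE_CBC_SHA suite (20-byte SHA-1 MAC, 8-byte 3DES block). The function names are hypothetical, and reading the 24 bytes as a near-empty record is an assumption to confirm against a capture that shows record lengths.

```python
import re

# Constructed excerpt: the post-handshake lines of the ssldump trace above.
TRACE = """\
1 12 0.9218 (0.2744) S>C Handshake
1 13 9.7249 (8.8030) C>S application_data <---- HTTP request
1 14 9.7249 (0.0000) C>S application_data <---- HTTP request
1 9.8506 (0.1257) S>C TCP FIN
1 15 9.8511 (0.0004) C>S Alert
1 9.8511 (0.0000) C>S TCP FIN
"""

# connection, optional record number, time, (delta), direction, description
LINE = re.compile(
    r"^(\d+)\s+(?:(\d+)\s+)?(\d+\.\d+)\s+\((\d+\.\d+)\)\s+([CS]>[CS])\s+(.+)$")

def parse(trace):
    """Turn ssldump summary lines into dicts; TCP events have rec=None."""
    events = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _, rec, ts, delta, direction, what = m.groups()
        events.append({"rec": int(rec) if rec else None, "ts": float(ts),
                       "delta": float(delta), "dir": direction,
                       "what": what.split("<----")[0].strip()})
    return events

def cbc_record_len(plaintext_len, mac_len=20, block=8):
    """Encrypted length of one SSLv3/TLS 1.0 CBC record: data + MAC + padding.
    Padding always includes at least the one-byte pad-length field."""
    body = plaintext_len + mac_len + 1
    return -(-body // block) * block  # round up to a whole cipher block

def back_to_back_app_data(events):
    """Same-direction application_data record pairs sent with zero delta."""
    return [(a["rec"], b["rec"]) for a, b in zip(events, events[1:])
            if a["what"] == b["what"] == "application_data"
            and a["dir"] == b["dir"] and b["delta"] == 0.0]

def peer_closed_after(events, rec):
    """True if the event right after record `rec` is a TCP FIN from the peer."""
    for a, b in zip(events, events[1:]):
        if a["rec"] == rec:
            return b["what"] == "TCP FIN" and b["dir"] != a["dir"]
    return False

if __name__ == "__main__":
    ev = parse(TRACE)
    print(cbc_record_len(0), back_to_back_app_data(ev), peer_closed_after(ev, 14))
```

A record carrying 0 to 3 plaintext bytes encrypts to exactly 24 bytes under this suite, and the trace shows two client application_data records (13 and 14) leaving at the same instant before the server's FIN. OpenSSL's CHANGES entry for 0.9.6d describes sending an empty fragment before application data as a countermeasure for CBC ciphersuites in SSL 3.0/TLS 1.0, which would produce a record of that size.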