Setup:
Client: curl/libcurl 7.21.7, OpenSSL 1.0.1, on PowerPC Linux
Server: Win2008 R2, IIS 7. Virtual directory with Client Authentication set to Accept or Require
Local network, IPv4 addressing
I do not have the specific build of OpenSSL 1.0.1 yet; will get that from the other dev.
Symptom: openssl starts with TLS v1.2, gets TLS v1.0 back from IIS, and client authentication fails with bad_record_mac. If TLS v1.0 is forced in curl, TLS v1.0 is used in the initial CLIENT HELLO and the full connection handshakes successfully.

More detail: When client authentication is enabled on the IIS 7 virtual directory, connections from curl are getting hard reset by the server after the client provides the certificate, CLIENT KEY EXCHANGE and CERTIFICATE VERIFY messages. Windows Schannel provider reports event ID 36888, fatal alert 20. This maps to the TLS definition of BAD_RECORD_MAC.

The client is showing TLS v1.2 in the initial CLIENT HELLO, but SERVER HELLO uses TLS v1.0, moving the rest of the conversation down to v1.0. The negotiated cipher used is TLS_RSA_WITH_AES_128_CBC_SHA (0x002f).

The connection establishes at first without client auth until the client does its HTTP POST and IIS sees that client auth is required on that site. IIS starts a renegotiation using the existing session and proceeds to send its CERTIFICATE and the CERTIFICATE REQUEST. Client replies with CERTIFICATE, CLIENT KEY EXCHANGE, CERTIFICATE VERIFY, CHANGE CIPHER SPEC and FINISHED, but IIS never sends the CHANGE CIPHER SPEC and just hard resets the connection. This behavior is consistent and happens every time.

But if through curl I force TLS v1.0 (with its -1 parameter), the initial CLIENT HELLO is sent with TLS v1.0, the server responds v1.0, and the connection establishes correctly with no errors.

So the issue is why, when the initial hello is v1.2 and steps down to v1.0, the CERTIFICATE VERIFY message appears to be rejected by IIS as having a bad MAC, but if v1.0 is forced, all is good.

-Steve
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
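The three things Steve reads off the wire (the version offered in the CLIENT HELLO, the version and cipher suite the SERVER HELLO selects, and the fatal alert that ends the connection) are all sent in the clear, so they can be pulled out of a raw capture without any TLS library. The following is an added example, not code from the post or from OpenSSL or curl: a small TLS record parser run over a constructed byte stream that mirrors the described exchange (ClientHello offering TLS 1.2, ServerHello selecting TLS 1.0 and 0x002f, then a fatal alert 20). The random fields, empty session id and single cipher suite are constructed sample data, not a real capture. It goes slightly beyond the post in also reading the cipher suite, and it makes the point that the negotiated version is the ServerHello's server_version field, not the record-layer version in the five-byte header. Renegotiation handshake messages after the first CHANGE CIPHER SPEC are encrypted, so on the failing connection the alert is the only later record a passive observer can decode.

```python
"""Pull protocol versions, the cipher suite and any alert out of a raw TLS byte stream.

Added example. The sample bytes below are constructed to mirror the exchange in the
post; they are not a real capture.
"""
import struct

HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version",
}
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(version):
    """Map a 2-byte (major, minor) version to its TLS/SSL name."""
    pair = tuple(version)
    return VERSION_NAMES.get(pair, "unknown %d.%d" % pair)


def tls_record(content_type, version, body):
    """Frame body as one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def handshake_msg(msg_type, body):
    """Frame body as one handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_records(data):
    """Split a byte stream into (content_type, record_version, body) tuples."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def describe(record):
    """One-line summary of a plaintext record; encrypted records stay opaque."""
    ctype, _record_version, body = record
    if ctype == 22 and len(body) >= 4:                    # handshake
        msg_type = body[0]
        msg = body[4:4 + int.from_bytes(body[1:4], "big")]
        name = HANDSHAKE_TYPES.get(msg_type, "handshake_%d" % msg_type)
        if msg_type == 1:                                 # ClientHello: client_version is the first field
            return "%s offered=%s" % (name, version_name(msg[0:2]))
        if msg_type == 2:                                 # ServerHello: server_version, then the chosen suite
            sid_len = msg[34]                             # session_id length sits after version(2)+random(32)
            suite = int.from_bytes(msg[35 + sid_len:37 + sid_len], "big")
            return "%s selected=%s cipher=0x%04x" % (name, version_name(msg[0:2]), suite)
        return name
    if ctype == 21 and len(body) >= 2:                    # alert: level(1) description(1)
        level = ALERT_LEVELS.get(body[0], str(body[0]))
        desc = ALERT_DESCRIPTIONS.get(body[1], "description_%d" % body[1])
        return "alert %s %s (%d)" % (level, desc, body[1])
    if ctype == 20:
        return "change_cipher_spec"
    return "record_type_%d (%d bytes)" % (ctype, len(body))


def summarize(stream):
    return [describe(r) for r in split_records(stream)]


def negotiated_version(stream):
    """The connection runs at the ServerHello's server_version, whatever the record headers say."""
    for ctype, _, body in split_records(stream):
        if ctype == 22 and body and body[0] == 2:
            return version_name(body[4:6])
    return None


# Constructed sample stream. Record-layer version is 3,1 as many clients send for
# compatibility; the versions that matter are inside the Hello messages.
ZERO_RANDOM = b"\x00" * 32
CLIENT_HELLO = tls_record(22, (3, 1), handshake_msg(1,
    b"\x03\x03" + ZERO_RANDOM + b"\x00"               # client_version TLS 1.2, empty session id
    + b"\x00\x02\x00\x2f"                              # one suite offered: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"))                                    # null compression only
SERVER_HELLO = tls_record(22, (3, 1), handshake_msg(2,
    b"\x03\x01" + ZERO_RANDOM + b"\x00"               # server_version TLS 1.0: the step-down
    + b"\x00\x2f" + b"\x00"))                          # selected suite 0x002f, null compression
FATAL_ALERT = tls_record(21, (3, 1), bytes([2, 20]))  # fatal (2), bad_record_mac (20)
CAPTURE = CLIENT_HELLO + SERVER_HELLO + FATAL_ALERT

if __name__ == "__main__":
    for line in summarize(CAPTURE):
        print(line)
    print("negotiated:", negotiated_version(CAPTURE))
```

Point this at the bytes of a real capture (for example the TCP payload exported from a packet trace of the failing curl run) and the first two lines show the offered and selected versions; after the CHANGE CIPHER SPEC records the remaining handshake is encrypted and only an alert record, if one is sent, still decodes.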