In Ubuntu, we build OpenSSL 1.0.1 with -DOPENSSL_NO_TLS1_2_CLIENT and
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. At first glance, this seems like
a strange combination of build options to me. Ignoring that for the
moment, I've run into a bug where the TLS 1 and TLS 1.1 ClientHello
suggested ciphersuites are being incorrectly truncated.

The negotiated protocol version, s->version, is being used in
ssl23_client_hello() rather than the highest protocol version supported
by the client, which is s->client_version. Since a ServerHello hasn't
been received yet, the negotiated protocol version has not yet been
decided and I think that using s->version at this point is incorrect.

Additionally, 'make test' fails with this error:

---
test sslv2/sslv3 w/o (EC)DHE via BIO pair
Available compression methods:
  NONE
  ERROR in SERVER
  47452334661472:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
  shared cipher:s3_srvr.c:1375:
  TLSv1.2, cipher (NONE) (NONE)
  1 handshakes of 256 bytes done
  make[1]: *** [test_ssl] Error 1
  make[1]: Leaving directory `/tmp/openssl.orig/test'
  make: *** [tests] Error 2
---

With the patch below, 'make test' completes successfully. Another
reproducer for this bug is the following command:

$ openssl s_client -connect d2chzxaqi4y7f8.cloudfront.net:443 \
-CAfile /etc/ssl/certs/ca-certificates.crt

It fails with a handshake error which I assume is because the server
preferred cipher (RC4-MD5) is getting incorrectly chopped off in the
outgoing ClientHello. Specifying -tls1 allows for the handshake to
successfully complete, but this shouldn't be required.

Here's the proposed fix. Thanks!

diff -Nurp openssl.orig/ssl/s23_clnt.c openssl/ssl/s23_clnt.c
--- openssl.orig/ssl/s23_clnt.c 2012-09-17 11:11:57.526282229 -0700
+++ openssl/ssl/s23_clnt.c      2012-09-17 11:52:24.854232417 -0700
@@ -499,7 +499,7 @@ static int ssl23_client_hello(SSL *s)
                         * as hack workaround chop number of supported ciphers
                         * to keep it well below this if we use TLS v1.2
                         */
-                       if (TLS1_get_version(s) >= TLS1_2_VERSION
+                       if (TLS1_get_client_version(s) >= TLS1_2_VERSION
                                && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
                                i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
 #endif
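Review bot: the new condition only does what the description says if s->client_version has already been assigned when this line runs; the hunk does not show that assignment, and if s->client_version is still zero here the comparison against TLS1_2_VERSION is simply false, so the cap would be silently disabled instead of being keyed to the version the client actually offers. Please cite the line in ssl23_client_hello() that sets s->client_version before the cipher list is built, and update the surrounding comment ("to keep it well below this if we use TLS v1.2") to say the cap applies when the client offers TLS v1.2, since that is now what the test checks.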
diff -Nurp openssl.orig/ssl/s3_clnt.c openssl/ssl/s3_clnt.c
--- openssl.orig/ssl/s3_clnt.c  2012-09-17 11:11:57.526282229 -0700
+++ openssl/ssl/s3_clnt.c       2012-09-17 11:52:02.698232870 -0700
@@ -776,7 +776,7 @@ int ssl3_client_hello(SSL *s)
                         * as hack workaround chop number of supported ciphers
                         * to keep it well below this if we use TLS v1.2
                         */
-                       if (TLS1_get_version(s) >= TLS1_2_VERSION
+                       if (TLS1_get_client_version(s) >= TLS1_2_VERSION
                                && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
                                i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
 #endif
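Review bot: this hunk is a byte-for-byte copy of the first one, but the description only argues the s23_clnt.c case (the initial ClientHello sent before any ServerHello has fixed the version). The submission should state whether ssl3_client_hello() is actually affected, or whether this hunk only keeps the two copies of the workaround consistent; either is acceptable, but it belongs in the description. A follow-up that moves the capped-length computation into one shared helper would remove the need to patch the same three lines in two files.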

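The truncation described in the post can be checked directly on a captured ClientHello. The following Python program is an added example, not code from the post or from OpenSSL: it builds a minimal TLS-framed ClientHello from constructed test data (no extensions), parses the client_version and cipher_suites fields back out, and flags the symptom the post reports, namely a sub-TLS-1.2 hello whose list has been cut to exactly OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1 bytes (25 suites at the Ubuntu value of 50). The configured suite list, the helper names and the private-use filler ids are assumptions made here; the parser handles only SSLv3/TLS record framing, not an SSLv2-compatible hello.

```python
import struct

# Values from the post: OpenSSL is built with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50,
# and the workaround does `i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1`, i.e. 50 bytes
# of two-byte suite ids = 25 suites.
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH = 50
MAX_SUITES = (OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1) // 2

TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION = 0x0301, 0x0302, 0x0303
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

# Constructed list standing in for a client's configured cipher list: a few
# well-known IANA suite ids (0x0004 is RC4-MD5, the suite named in the post)
# followed by private-use filler so the list exceeds the 25-suite cap.
CONFIGURED_SUITES = [0xC014, 0xC013, 0x0039, 0x0033, 0x0035, 0x002F,
                     0x000A, 0x0005, 0x0004] + [0xFF00 + i for i in range(21)]


def build_client_hello(client_version, suites, session_id=b""):
    """Construct a minimal TLS ClientHello record (test data, no extensions)."""
    hello = struct.pack("!H", client_version)
    hello += b"\x00" * 32                                   # client_random (fixed for test)
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", c) for c in suites)
    hello += b"\x01\x00"                                    # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE]) + struct.pack("!H", TLS1_VERSION)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return the client_version and cipher suite list carried by a ClientHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[:1] != bytes([CLIENT_HELLO]):
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated handshake message")
    client_version, = struct.unpack("!H", hello[:2])
    pos = 2 + 32                                            # skip client_random
    pos += 1 + hello[pos]                                   # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("missing cipher_suites length")
    cs_len, = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "cipher_suites": suites}


def looks_truncated(info, configured):
    """True when a hello advertising a version below TLS 1.2 (where the TLS 1.2
    workaround should never apply) carries exactly MAX_SUITES suites that are a
    strict prefix of the configured list: the symptom described in the post."""
    offered = info["cipher_suites"]
    return (info["client_version"] < TLS1_2_VERSION
            and len(offered) == MAX_SUITES
            and len(configured) > MAX_SUITES
            and offered == configured[:MAX_SUITES])


if __name__ == "__main__":
    # Simulate the buggy client: TLS 1.1 offered, list chopped to 25 suites.
    buggy = build_client_hello(TLS1_1_VERSION, CONFIGURED_SUITES[:MAX_SUITES])
    print("buggy hello truncated:", looks_truncated(parse_client_hello(buggy), CONFIGURED_SUITES))
    # Simulate the fixed client: the full configured list goes out.
    fixed = build_client_hello(TLS1_1_VERSION, CONFIGURED_SUITES)
    print("fixed hello truncated:", looks_truncated(parse_client_hello(fixed), CONFIGURED_SUITES))
```

To apply this to a real capture, feed parse_client_hello() the bytes of the first record the client sends (for example the payload of the first TLS packet from a pcap) and compare the result against the cipher list the client was configured with; a hit from looks_truncated() on a TLS 1.0/1.1 hello is the condition the patch is meant to remove.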
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
