On Sat, Jun 14, 2014 at 04:42:19PM +0000, Viktor Dukhovni wrote:
> On Sat, Jun 14, 2014 at 04:23:13PM +0200, Kurt Roeckx via RT wrote:
>
> > > Yes. As far as I can see all reports are about 0.9.8o sending
> > > large amounts of data to 1.0.1e.
> >
> > So I can reproduce it. But I can only seem to be reproducing it
> > when using postgres having a 1.0.1 talk to a 0.9.8. For me it
> > happens at exactly the same place in the dump file each time,
> > after 480 MB has been transferred. Others are reporting it after a
> > different amount.
>
> Is it perhaps a renegotiation with resumption? Can you arrange to
> export the session master key in wireshark-compatible form, and
> decrypt the second handshake?
>
> Which is the client, which is the server, and which one reports
> the "early ccs"? Have you run the party that complains under a
> debugger with a breakpoint at the line where the problem is reported?
> What is the stack trace and what are the values of the fields of the
> connection's SSL structure?

postgresql has an option ssl_renegotiation_limit. Lowering that
makes the error appear faster.

So it's 0.9.8o (+patches) (server, sending data) talking to
OpenSSL_1_0_1-stable (client).

After some data transfer I see:
s->c: Hello Request
c->s: Client Hello
s->c: Server Hello, Certificate, Server Hello Done
c->s: Client Key Exchange, Change Cipher Spec, Finished
s->c: Change Cipher Spec, Finished
c->s: Alert (Fatal, Unexpected Message)


kurt
