On Wednesday 18 February 2015 23:49:39 Stephen Henson via RT wrote:
> On Wed Feb 18 21:12:09 2015, laurenz.a...@wien.gv.at wrote:
> > I ran into this problem while connecting to a PostgreSQL server
> > (PostgreSQL uses OpenSSL for SSL support) with a Java client using
> > the PostgreSQL JDBC driver (which uses the Java Secure Socket
> > Extension which is part of Oracle's Java Runtime Environment).
> > Since database connections are potentially long-lived, the PostgreSQL
> > server will trigger a renegotiation after a certain amount of data
> > has been exchanged via the TLS channel; this amount is configurable
> > with the parameter "ssl_renegotiation_limit".
> >
> > This renegotiation is always aborted by OpenSSL with the error
> > "unexpected record".
> > I could reproduce the problem with OpenSSL 1.0.1e on Linux and
> > OpenSSL 1.0.1j on Windows using Oracle JRE 1.7.0_71 and 1.7.0_75
> > on the client side.
> > The protocol version in effect is TLS 1.2 (0x303).
>
> There were some fixes related to renegotiation handling in OpenSSL which
> first appeared in 1.0.1k. Can you see if this problem still happens in the
> latest version of OpenSSL?

I was able to reproduce this issue on master, OpenSSL_1_0_2-stable and
OpenSSL_1_0_1-stable branches as of *now* (2015-02-19).

I have a standalone (Python - tlsfuzzer/tlslite) reproducer for that, but the
code is pre-alpha quality, I'll try to publish it anyway.

I've done it with server running in -legacy_renegotiation mode, but I'm not
sure if this can have any impact on it.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic