On Tue, May 16, 2000 at 08:45:08PM -0700, Claus Assmann wrote:

> I have a question about the different SSL versions, i.e., which one
> should a client use to be interoperable? The specific problem is
> with the MTA at mail.stalker.com. I finally got around to doing some
> more debugging and found out that openssl (starttls) can connect
> to it if it uses either SSLv23 with SSL_OP_NO_TLSv1 or SSLv3.
> However, in general the client should use SSLv23 without turning
> off other protocol versions, correct? So how should I write a client
> that can connect to (almost) all servers?
> 
> I'm a bit irritated, because this behavior doesn't match with the
> interoperability matrix I posted back in March. Is that MTA running
> SSLv3?

When connecting with SSLv23_client_method, protocol negotiation starts
correctly, i.e. the server sends a ServerHello with version 3.0 in
response to the SSL 2.0 format ClientHello with version number 3.1;
but then when the client sends ClientKeyExchange with version 3.0
(followed by ChangeCipherSpec and Finished; but the server does not
wait for these), an "unexpected message" fatal alert is returned.
This is a server bug (CommuniGate Pro 3.3b6).

[Side note: RFC 2487 talks only about "TLS negotiation", and it cannot
be inferred from the RFC that using the backward-compatible client
hello format is legal, i.e. that servers can be expected to understand
it.  In discussions about his drafts for a successor to RFC 2487, I've
asked Paul Hoffman to clarify this -- e.g. servers MUST be able to
understand the backward compatible formats even though they are not
required to actually be able to perform SSL 2.0 or SSL 3.0 handshakes,
and clients MAY use the backward compatible formats for
interoperability with pre-TLS clients --, but that's not what the
current RFC says.  Of course always using strict TLS will not get
you very far, for maximum interoperability you have to use the SSL 2.0
client hello format (in theory TLS 1.0 in SSL 3.0 format would make
sense, but SSLeay and old versions of OpenSSL can't handle this format
because of bugs in the SSL server implementation).  Or connect again
and try different SSL/TLS settings if the first handshake attempt
fails.]


Connected to port 25 of "mail.stalker.com".
<<< 000000  32 32 30 20 6d 61 69 6c 2e 73 74 61 6c 6b 65 72  220 mail.stalker
<<< 000010  2e 63 6f 6d 20 45 53 4d 54 50 20 43 6f 6d 6d 75  .com ESMTP Commu
<<< 000020  6e 69 47 61 74 65 20 50 72 6f 20 33 2e 33 62 36  niGate Pro 3.3b6
<<< 000030  0d 0a                                            ..
[...]
>>> 00002a  53 54 41 52 54 54 4c 53 0d 0a                    STARTTLS..
<<< 0000f1  32 32 30 20 70 6c 65 61 73 65 20 73 74 61 72 74  220 please start
<<< 000101  20 61 20 54 4c 53 20 63 6f 6e 6e 65 63 74 69 6f   a TLS connectio
<<< 000111  6e 0d 0a                                         n..
>>> 000034  80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00  ......W... .....
>>> 000044  13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05  .........f......
>>> 000054  00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00  ................
>>> 000064  00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00  .e..d..c..b..a..
>>> 000074  60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14  `...........@...
>>> 000084  00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02  ................
>>> 000094  00 80 20 7c 49 7c ca 5c 93 5a 84 54 f7 d9 83 73  .. |I|.\.Z.T...s
>>> 0000a4  7d 5b de 5b d5 95 4e 30 27 3c ff 3e ea 45 87 09  }[.[..N0'<.>.E..
>>> 0000b4  18 7e                                            .~
<<< 000114  16 03 00 00 4a 02 00 00 46 03 00 39 49 30 fa 30  ....J...F..9I0.0
<<< 000124  30 30 30 8a 8a d1 59 11 89 d1 f9 69 40 d0 10 0f  000...Y....i@...
<<< 000134  0f 0f 9c 9b 65 a2 ea fd df 41 41 20 39 25 30 fd  ....e....AA 9%0.
<<< 000144  44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
<<< 000154  44 44 44 44 44 44 44 44 44 44 44 44 00 05 00     DDDDDDDDDDDD...
<<< 000163  16 03 00 02 27 0b 00 02 23 00 02 20 00 02 1d 30  ....'...#.. ...0
<<< 000173  82 02 19 30 82 01 c3 02 04 1c 92 89 59 30 0d 06  ...0........Y0..
<<< 000183  09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 a9 31  .*.H........0..1
<<< 000193  1f 30 1d 06 03 55 04 0a 13 16 53 74 61 6c 6b 65  .0...U....Stalke
<<< 0001a3  72 20 53 6f 66 74 77 61 72 65 2c 20 49 6e 63 2e  r Software, Inc.
<<< 0001b3  31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0b 30  1.0...U....US1.0
<<< 0001c3  09 06 03 55 04 08 13 02 43 41 31 14 30 12 06 03  ...U....CA1.0...
<<< 0001d3  55 04 07 13 0b 4d 69 6c 6c 20 56 61 6c 6c 65 79  U....Mill Valley
<<< 0001e3  31 18 30 16 06 03 55 04 0b 13 0f 43 6f 6d 6d 75  1.0...U....Commu
<<< 0001f3  6e 69 47 61 74 65 20 50 72 6f 31 14 30 12 06 03  niGate Pro1.0...
<<< 000203  55 04 03 13 0b 73 74 61 6c 6b 65 72 2e 63 6f 6d  U....stalker.com
<<< 000213  31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 16  1&0$..*.H.......
<<< 000223  17 63 67 70 2d 73 75 70 70 6f 72 74 40 73 74 61  .cgp-support@sta
<<< 000233  6c 6b 65 72 2e 63 6f 6d 30 1e 17 0d 30 30 30 35  lker.com0...0005
<<< 000243  31 39 31 30 30 38 35 30 5a 17 0d 30 30 30 36 31  19100850Z..00061
<<< 000253  38 31 30 30 38 35 30 5a 30 81 81 31 22 30 20 06  8100850Z0..1"0 .
<<< 000263  03 55 04 0a 13 19 53 74 61 6c 6b 65 72 20 53 6f  .U....Stalker So
<<< 000273  66 74 77 61 72 65 20 43 75 73 74 6f 6d 65 72 31  ftware Customer1
<<< 000283  14 30 12 06 03 55 04 0b 13 0b 42 65 74 61 2d 74  .0...U....Beta-t
<<< 000293  65 73 74 65 72 31 19 30 17 06 03 55 04 03 13 10  ester1.0...U....
<<< 0002a3  6d 61 69 6c 2e 73 74 61 6c 6b 65 72 2e 63 6f 6d  mail.stalker.com
<<< 0002b3  31 2a 30 28 06 09 2a 86 48 86 f7 0d 01 09 01 16  1*0(..*.H.......
<<< 0002c3  1b 70 6f 73 74 6d 61 73 74 65 72 40 6d 61 69 6c  .postmaster@mail
<<< 0002d3  2e 73 74 61 6c 6b 65 72 2e 63 6f 6d 30 5c 30 0d  .stalker.com0\0.
<<< 0002e3  06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 4b 00  ..*.H.........K.
<<< 0002f3  30 48 02 41 00 be fe 6a dc b7 4b 58 81 03 ff b2  0H.A...j..KX....
<<< 000303  c6 3c 6f e2 ad 4c 51 37 75 92 33 70 2f 89 58 29  .<o..LQ7u.3p/.X)
<<< 000313  ba 73 ce 59 82 e5 b7 9a 41 77 90 d9 19 86 31 35  .s.Y....Aw....15
<<< 000323  d4 fa 60 ef ba a2 2d 8d 51 ce 2b 70 ef 3c ae e5  ..`...-.Q.+p.<..
<<< 000333  4d c4 86 7e d5 02 03 01 00 01 30 0d 06 09 2a 86  M..~......0...*.
<<< 000343  48 86 f7 0d 01 01 04 05 00 03 41 00 15 1d c7 91  H.........A.....
<<< 000353  85 61 7a f1 e3 8c 01 41 ec fc d5 3d 6f 17 13 6d  .az....A...=o..m
<<< 000363  53 3f 62 bd 5a 39 90 9c 83 9b 1f 9a 6e c9 ad c6  S?b.Z9......n...
<<< 000373  1b 98 30 13 85 ff 21 20 30 54 52 bb 53 1f 3e 60  ..0...! 0TR.S.>`
<<< 000383  81 02 8a 7f 87 04 48 7f 98 2b 88 81 16 03 00 00  ......H..+......
<<< 000393  04 0e 00 00 00                                   .....
>>> 0000b6  16 03 00 00 44 10 00 00 40 19 98 cc 67 c1 fb 91  ....D...@...g...
>>> 0000c6  e5 87 38 78 c1 f3 51 83 4b 6f 23 47 bf cb 89 15  ..8x..Q.Ko#G....
>>> 0000d6  1a 3f b1 64 23 71 8b 87 9c 5c 1f 91 93 32 73 18  .?.d#q...\...2s.
>>> 0000e6  14 ca af 15 fb 5e ba 11 f1 8c 90 01 12 c7 d3 aa  .....^..........
>>> 0000f6  0d 04 fb d5 69 14 66 b1 ab                       ....i.f..
<<< 000398  15 03 00 00 02 02 0a                             .......
<<< 00039f  [closed]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
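As an added illustration (not part of the message above or of OpenSSL), the following Python decoder reads the record headers from the trace and reports the protocol version each side used at each step, which is the check to make before deciding which side broke the handshake: the SSL 2.0 format ClientHello offers 3.1, the server answers with a 3.0 ServerHello, the client's ClientKeyExchange is a 3.0 record, and the server replies with a fatal unexpected_message alert. The byte strings are constructed from the hex dump (offsets in the comments refer to it), with payload bytes after the headers omitted.

```python
import struct

# Record prefixes constructed from the hex dump above (payload bytes after the headers omitted).
CLIENT_HELLO_V2 = bytes.fromhex("80 80 01 03 01 00 57 00 00 00 20")  # >>> 000034
SERVER_HELLO = bytes.fromhex("16 03 00 00 4a 02 00 00 46 03 00")     # <<< 000114
SERVER_HELLO_DONE = bytes.fromhex("16 03 00 00 04 0e 00 00 00")      # <<< 00038f
CLIENT_KEY_EXCHANGE = bytes.fromhex("16 03 00 00 44 10 00 00 40")    # >>> 0000b6
ALERT = bytes.fromhex("15 03 00 00 02 02 0a")                        # <<< 000398

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure"}

def decode_v2_client_hello(buf):
    """SSL 2.0 CLIENT-HELLO behind a 2-byte header (high bit set, 15-bit length).
    Its version field is the highest version the client offers; 3.1 means TLS 1.0."""
    if not buf[0] & 0x80:
        raise ValueError("expected a 2-byte SSL 2.0 record header")
    length = struct.unpack(">H", buf[:2])[0] & 0x7FFF
    msg_type, major, minor, cs_len, sid_len, chal_len = struct.unpack(">BBBHHH", buf[2:11])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    return {"format": "SSLv2", "handshake": "ClientHello", "length": length,
            "version": f"{major}.{minor}", "cipher_spec_len": cs_len,
            "session_id_len": sid_len, "challenge_len": chal_len}

def decode_v3_record(buf):
    """SSL 3.0/TLS record header: type(1) version(2) length(2), then the fragment."""
    ctype, major, minor, length = struct.unpack(">BBBH", buf[:5])
    rec = {"format": "SSLv3/TLS", "type": CONTENT.get(ctype, ctype),
           "version": f"{major}.{minor}", "length": length}
    body = buf[5:]
    if ctype == 22:  # Handshake: msg_type(1) length(3) body
        rec["handshake"] = HANDSHAKE.get(body[0], body[0])
        rec["handshake_len"] = int.from_bytes(body[1:4], "big")
        if body[0] == 2 and len(body) >= 6:  # ServerHello body opens with server_version
            rec["server_version"] = f"{body[4]}.{body[5]}"
    elif ctype == 21:  # Alert: level(1) description(1)
        rec["level"] = "fatal" if body[0] == 2 else "warning"
        rec["description"] = ALERT_DESC.get(body[1], body[1])
    return rec

def summarize(exchange):
    """One line per record of a (direction, bytes) sequence such as the trace above."""
    out = []
    for direction, buf in exchange:
        rec = decode_v2_client_hello(buf) if buf[0] & 0x80 else decode_v3_record(buf)
        extra = rec.get("server_version", rec.get("description", ""))
        out.append(f"{direction} {rec['format']} {rec['version']} "
                   f"{rec.get('handshake') or rec['type']} {extra}".rstrip())
    return out
```

Running summarize over the five records in the order they appear in the dump shows the server accepting the 3.1 offer at 3.0 and then aborting on the 3.0 ClientKeyExchange it asked for.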