Hi Guys,

I am sending this mail to the dev mailing list as well, because it seems that
there is a bug in the OpenSSL key exchange mechanism.
Anyway, I've been debugging this problem for the past 2 weeks without any
success and need urgent help.

My configuration is:

Server based on OpenSSL version 0.9.5 on NT 4.0 OS,
Verisign class 3 certificate,
that was certified by
"www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign",
that was certified by "Class 3 Public Primary Certification Authority"

The Problem:

When I try to connect from Win2000 OS using Internet Explorer 5.01
(Windows 2000, build 5.00.2195) version 5.00.2920.0000
with Cipher Strength: 56 Bit,
I get the following error: "Page can not be displayed".
This problem occurs only if the server certificate is verified successfully
on the browser without any warning (trusted certifying authority, date valid,
name on certificate matches name of site)
and when using SSL 3 as the protocol.

When I debug my OpenSSL server I can see the following:

1. The negotiated cipher is EXP1024-RC4-SHA.
   This is odd because this cipher is defined in the tls1.h header file and
   I'm using ssl3. I don't think that the cipher is the problem because with
   the same cipher, if the server certificate is not verified successfully on
   the browser (e.g. the name on the certificate does not match the name of
   the site) everything is OK.

2. The server sends the server_done message and then the browser resets the
   connection (I get a read error message on my OpenSSL server).
   So it seems that there is a successful negotiation but the browser closes
   the connection after it gets the server done message.

I don't think that the problem is a bug on the browser because with the same
browser I can connect to other SSL servers that use the same kind of
certificate and same protocol. The only reasonable conclusion is that the
browser is not satisfied with one of the parameters that are sent to it
during the key exchange.

Please help, since I need to solve this problem urgently.

Thanks in advance,

Itai Levy,
Software Developer R&D
Algorithmic Research Ltd. ( Data Security Across the Enterprise )
10 Nevatim st., Kiryat Matalon
Petah Tikva 49561
Israel

Tel: +972-3-9279514
e-mail:[EMAIL PROTECTED]
http://www.arx.com


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
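
Added example, not part of the original message and not OpenSSL code: a small Python parser that lists the plaintext handshake messages in a captured server flight and reports the protocol version and cipher suite from the ServerHello, which is one way to confirm on the wire what the message describes (SSL 3.0, suite EXP1024-RC4-SHA, flight ending in server_hello_done). The function names and the sample bytes are constructed for illustration; it assumes the capture holds only unencrypted handshake records.

```python
import struct

# Handshake message types from the SSL 3.0 / TLS 1.0 specifications.
HS_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
            12: "server_key_exchange", 13: "certificate_request",
            14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
# Only the suite named in the message; id as defined in OpenSSL's tls1.h.
SUITES = {0x0064: "EXP1024-RC4-SHA"}

def handshake_bytes(stream):
    """Concatenate the payloads of all handshake records (content type 22)."""
    out, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record")
        if ctype == 22:
            out += body
        pos += 5 + length
    return out

def summarize(stream):
    """Return (handshake message names in order, ServerHello parameters)."""
    hs, names, hello, pos = handshake_bytes(stream), [], {}, 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            raise ValueError("truncated handshake message")
        names.append(HS_TYPES.get(mtype, "unknown(%d)" % mtype))
        if mtype == 2:
            # Layout: version(2) random(32) sid_len(1) sid cipher(2) comp(1)
            sid_len = body[34]
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
            hello = {"version": (body[0], body[1]), "suite": suite,
                     "name": SUITES.get(suite, "0x%04x" % suite)}
        pos += 4 + mlen
    return names, hello

# Constructed sample flight (not a real capture): three SSL 3.0 records.
def _rec(payload):
    return struct.pack("!BBBH", 22, 3, 0, len(payload)) + payload
def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
SAMPLE = (_rec(_msg(2, b"\x03\x00" + bytes(32) + b"\x00\x00\x64\x00"))
          + _rec(_msg(11, b"\x00\x00\x00")) + _rec(_msg(14, b"")))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```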
