On Thu, Dec 23, 2004, Maruthi Bhaskar (maruthi) wrote:
> Pls read inline...
>
> > > The interop problem is with 0.9.7d (no hardware switch was used, but I
> > > do not know at the moment whether this is relevant to the issue at
> > > hand). The setup works fine with 0.9.6b with all others remaining
> > > constant. However, with 0.9.7d, it seems that an empty record (unable
> > > to deduce if the 24B length reported by ssldump indicates a truly
> > > empty record) is being written first, and the second record carries
> > > all of the data. With 0.9.6b on the other hand, the very first app
> > > record carries all the data and things work fine. Given these external
> > > symptoms as viewed with ssldump, I am guessing that the 0.9.7d
> > > behaviour is unacceptable to IAIK/Webmethods.
> > >
> > > What are the differences between openssl-engine-0.9.6b and
> > > openssl-0.9.7d wrt SSL_write that might explain this, if at all?
> > > Why/what is this first app record with 0.9.7d? ssldump o/p in either
> > > case is included below. (Pls search for [EMAIL PROTECTED]@ to get to the
> > > relevant sections in ssldump)
> > >
> > > Thanks in advance for all responses, and for any advice on how to
> > > further debug such situations (gdb bio?).
> > >
> >
> > This may be due to the fact that more recent versions protect
> > against a certain attack by including empty fragments. This
> > is permitted in the spec but some implementations don't like it.
> >
> > There are various flags which can be set to disable this
> > behaviour. How you enable them depends on the application you
> > are using.
>
> Is it true that the attack mitigation would deterministically send an
> empty record first, or is it a coincidence of the implementation and
> the window I am looking at?
>

I think it does send an empty fragment first.

> What are these flags, and could you please point me to ptrs/docs
> for handling them? I am using stunnel for ssl proxying, but the test
> results I posted are from a simple http client that is SSL capable.
> IOW, I do maintain the code and can hence use any openssl api that
> might control these flags (not necessarily an app level knob).
>

These are the various things enabled when the -bugs option is used on the
command line to s_client/s_server. They are documented in the
SSL_CTX_set_options() manual page; that specific one is
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
