Hi all,

I am a newbie to OpenSSL and have recently joined in OpenSSL activities. As we all know, we have come across the security vulnerability CVE-2009-3555, and I need to patch the OpenSSL 0.9.8k version. I was going through some of the queries already in this forum.

From this link, http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2009-11/msg00000.html, I came to know the patch for this problem:

    Obtained-From: http://cvs.openssl.org/chngview?cn=18791
    Obtained-From: http://cvs.openssl.org/chngview?cn=18794

which I applied to OpenSSL 0.9.8k, but when I ran openssl s_server and openssl s_client, I can see the output below. At the client side, I can see:

    openssl s_client
    R
    RENEGOTIATING

It stays in this stage, and whenever I type anything in the server or client, the data is passed to the other side.

Server side:

    The server is sending the data to client

Client side:

    R
    RENEGOTIATING
    The server is sending the data to client.

I was thinking the connection should be dropped if the client tries to renegotiate. But if I have this patch, http://cvs.openssl.org/chngview?cn=18791, the server drops the connection.

Server side:

    SSL3 alert write:fatal:handshake failure
    SSL_accept:error in SSLv3 read client hello A
    ERROR
    487572:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

Client side:

    R
    RENEGOTIATING
    SSL_connect:SSL renegotiate ciphers
    >>> TLS 1.0 Handshake [length 0057], ClientHello
        01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe
        c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a
        73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00
        16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
        15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01
        00 00 04 00 23 00 00
    SSL_connect:SSLv3 write client hello A
    <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
        02 28
    SSL3 alert read:fatal:handshake failure
    SSL_connect:failed in SSLv3 read server hello A
    499818:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
    499818:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Client session is terminated.

Can anyone please tell me which is the intended behaviour?

As I cannot move to OpenSSL 0.9.8l now, I have to apply the patch for this problem in OpenSSL 0.9.8k. Please direct me to the correct patch which I need to apply to OpenSSL 0.9.8k.

Thanks in advance,
Samuel

--
View this message in context: http://old.nabble.com/New-Babie---Query-on-CVE-2009-3555-tp26435399p26435399.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
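A way to see what the renegotiation ClientHello in the s_client trace above actually advertises, as an added example that is not part of the post and not OpenSSL code: a small parser that decodes a ClientHello handshake message and checks for the two RFC 5746 secure-renegotiation signals, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) and the renegotiation_info extension (type 0xFF01). The input bytes are copied from the hex dump in the post; the parser, the build_client_hello helper and the second, constructed hello are assumptions of this example. A server that refuses to renegotiate with a peer that sends neither signal is the behaviour RFC 5746 prescribes against CVE-2009-3555; the post's client hello carries neither.

```python
"""Inspect a TLS ClientHello for the RFC 5746 secure-renegotiation signals.

A client that supports secure renegotiation announces it in one of two ways:
  * the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF), or
  * the renegotiation_info extension (type 0xFF01).
A client that sends neither is a pre-RFC 5746 peer; refusing to renegotiate
with such a peer is the server-side defence against CVE-2009-3555.
"""

RENEGOTIATION_INFO_EXT = 0xFF01             # RFC 5746, section 3.2
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746, section 3.3
HANDSHAKE_CLIENT_HELLO = 0x01

# ClientHello copied from the s_client trace in the post (handshake message
# only; the 5-byte TLS record header is not part of the dump).
CLIENT_HELLO_FROM_POST = bytes.fromhex(
    "01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe c8 39 83 1f c4 b1 "
    "fb af 64 5e 66 f4 5a 24 cb 7a 73 98 32 f9 1d cf 00 00 26 00 39 00 "
    "38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 "
    "12 00 09 00 14 00 11 00 08 00 06 00 03 01 00 00 04 00 23 00 00"
)


class _Reader:
    """Tiny big-endian cursor over a byte string with bounds checking."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_client_hello(msg: bytes) -> dict:
    """Decode a ClientHello handshake message into its main fields."""
    r = _Reader(msg)
    if r.uint(1) != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    body = _Reader(r.take(r.uint(3)))      # 3-byte handshake length
    if not r.done():
        raise ValueError("trailing bytes after ClientHello")
    version = body.uint(2)
    client_random = body.take(32)
    session_id = body.take(body.uint(1))
    suites_raw = body.take(body.uint(2))
    if len(suites_raw) % 2:
        raise ValueError("odd cipher_suites length")
    cipher_suites = [int.from_bytes(suites_raw[i:i + 2], "big")
                     for i in range(0, len(suites_raw), 2)]
    compression = list(body.take(body.uint(1)))
    extensions = {}
    if not body.done():                    # the extensions block is optional
        ext = _Reader(body.take(body.uint(2)))
        if not body.done():
            raise ValueError("extension block length mismatch")
        while not ext.done():
            ext_type = ext.uint(2)
            extensions[ext_type] = ext.take(ext.uint(2))
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression,
            "extensions": extensions}


def secure_renegotiation_signal(msg: bytes) -> str:
    """Return 'extension', 'scsv' or 'none' depending on how (or whether)
    the client signals RFC 5746 support."""
    hello = parse_client_hello(msg)
    if RENEGOTIATION_INFO_EXT in hello["extensions"]:
        return "extension"
    if TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]:
        return "scsv"
    return "none"


def build_client_hello(cipher_suites, extensions=None, version=0x0301) -> bytes:
    """Build a minimal TLS 1.0 ClientHello (constructed input, all-zero random,
    empty session id, null compression) for comparison against the post's."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    body += len(suites).to_bytes(2, "big") + suites + b"\x01\x00"
    if extensions:
        ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d
                       for t, d in extensions.items())
        body += len(ext).to_bytes(2, "big") + ext
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print("post's ClientHello signals:", secure_renegotiation_signal(CLIENT_HELLO_FROM_POST))
    with_scsv = build_client_hello([0x002F, TLS_EMPTY_RENEGOTIATION_INFO_SCSV])
    print("constructed hello with SCSV:", secure_renegotiation_signal(with_scsv))
```

Running it on the dump from the post reports "none": the only extension present is SessionTicket (type 0x0023) and no SCSV is in the 19-suite cipher list, so whichever server policy is in force, this client has not offered a secure renegotiation and a strict server has nothing safe to accept. The same check can be run on a packet capture to inventory which clients in an environment would break once legacy renegotiation is refused.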