Sorry, I have mistyped the second patch. This is the patch http://cvs.openssl.org/chngview?cn=18790 which disconnects the connection. Please guide me, which patch should I use to apply to OpenSSL 0.9.8k?

Thanks
Samuel
On Fri, Nov 20, 2009 at 3:23 PM, Samuel123smith <samuel123sm...@gmail.com> wrote:

> Hi ALL,
>
> I am a newbie to openssl and I have recently joined in openssl activities. As
> we all know, we have come across the security vulnerability issue
> CVE-2009-3555 and I need to patch the OpenSSL 0.9.8k version. I was going
> through some of the queries already in this forum.
>
> From this link
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2009-11/msg00000.html
> I came to know the patch for this problem.
> Obtained-From: http://cvs.openssl.org/chngview?cn=18791
> Obtained-From: http://cvs.openssl.org/chngview?cn=18794
>
> which I applied to openssl 0.9.8k, but when I ran the openssl s_server and
> s_client, I can see the output as follows.
>
> At the client side, I can see
>
> openssl s_client
> R
> RENEGOTIATING
>
> It stays in this stage and whenever I type anything in the server or
> client, the data is passed to the other side.
>
> Server Side:
> The server is sending the data to client
>
> Client Side:
> R
> RENEGOTIATING
> The server is sending the data to client.
>
> I was thinking the connection should be dropped if the client tries for
> renegotiation.
>
> But if I have this patch http://cvs.openssl.org/chngview?cn=18791,
> the server drops the connection:
>
> Server Side:
> SSL3 alert write:fatal:handshake failure
> SSL_accept:error in SSLv3 read client hello A
> ERROR
> 487572:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> Client Side:
> R
> RENEGOTIATING
> SSL_connect:SSL renegotiate ciphers
> >>> TLS 1.0 Handshake [length 0057], ClientHello
>     01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe
>     c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a
>     73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00
>     16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
>     15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01
>     00 00 04 00 23 00 00
> SSL_connect:SSLv3 write client hello A
> <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
>     02 28
> SSL3 alert read:fatal:handshake failure
> SSL_connect:failed in SSLv3 read server hello A
> 499818:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
> 499818:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
>
> Client session is terminated.
>
> Can anyone please tell me which is the intended behaviour?
>
> As I cannot move to OpenSSL 0.9.8l now, I have to apply the patch for this
> problem in OpenSSL 0.9.8k. Please direct me to the correct patch which I
> need to apply to OpenSSL 0.9.8k.
>
> Thanks In Advance
>
> Samuel
>
> --
> View this message in context:
> http://old.nabble.com/New-Babie---Query-on-CVE-2009-3555-tp26435399p26435399.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
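The trace quoted above shows the ClientHello the client sends when it renegotiates, and the patched server answers it with a fatal handshake_failure alert ("no renegotiation"). The fix that later replaced blanket refusal is RFC 5746, which lets a peer signal secure renegotiation either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) or with the renegotiation_info extension (0xFF01). The following Python is an added example, not code from the original thread or from OpenSSL: it parses the posted ClientHello (the bytes are copied from the trace above), reports whether either RFC 5746 signal is present, and builds a hello that carries both so the positive case can be seen. The builder's all-zero random value is a constructed placeholder, and the parser is a minimal one for ClientHello only.

```python
"""Added example: parse a TLS ClientHello and check for RFC 5746 signals.

Not code from the OpenSSL project or the original thread. The sample bytes
are the ClientHello printed by `openssl s_client` in the quoted post.
"""
import struct

# RFC 5746 identifiers.
RENEGOTIATION_INFO_EXT = 0xFF01         # renegotiation_info extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SESSION_TICKET_EXT = 0x0023             # RFC 5077 SessionTicket, seen in the trace

# Constructed input: the 87-byte ClientHello handshake message from the
# s_client trace in the post (4-byte handshake header + 0x53-byte body).
POSTED_CLIENT_HELLO = bytes.fromhex(
    "01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe"
    "c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a"
    "73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00"
    "16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00"
    "15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01"
    "00 00 04 00 23 00 00"
)


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Return buf[pos:pos+n], refusing to read past the end of the message."""
    if pos + n > len(buf):
        raise ValueError(f"truncated ClientHello at offset {pos}")
    return buf[pos:pos + n]


def parse_client_hello(msg: bytes) -> dict:
    """Parse a ClientHello handshake message (header + body) into its fields."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = _take(msg, 4, int.from_bytes(msg[1:4], "big"))
    pos = 0
    version = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    random_bytes = _take(body, pos, 32)
    pos += 32
    sid_len = _take(body, pos, 1)[0]
    pos += 1
    session_id = _take(body, pos, sid_len)
    pos += sid_len
    cs_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cs_bytes = _take(body, pos, cs_len)
    pos += cs_len
    suites = [struct.unpack_from("!H", cs_bytes, i)[0] for i in range(0, cs_len, 2)]
    comp_len = _take(body, pos, 1)[0]
    pos += 1
    compression = list(_take(body, pos, comp_len))
    pos += comp_len
    extensions = {}
    if pos < len(body):  # the extensions block is optional (RFC 5246 7.4.1.2)
        ext_total = struct.unpack("!H", _take(body, pos, 2))[0]
        pos += 2
        ext_block = _take(body, pos, ext_total)
        pos += ext_total
        epos = 0
        while epos < len(ext_block):
            ext_type, ext_len = struct.unpack("!HH", _take(ext_block, epos, 4))
            epos += 4
            extensions[ext_type] = _take(ext_block, epos, ext_len)
            epos += ext_len
    if pos != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {"version": version, "random": random_bytes, "session_id": session_id,
            "cipher_suites": suites, "compression": compression,
            "extensions": extensions}


def build_client_hello(cipher_suites, extensions=None, random_bytes=bytes(32)) -> bytes:
    """Assemble a TLS 1.0 ClientHello; the all-zero default random is a placeholder."""
    if len(random_bytes) != 32:
        raise ValueError("random must be 32 bytes")
    body = b"\x03\x01" + random_bytes + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions.items())
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def secure_renegotiation_signals(hello: dict) -> dict:
    """Report whether the ClientHello carries either RFC 5746 signal."""
    return {
        "scsv": EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"],
        "renegotiation_info": RENEGOTIATION_INFO_EXT in hello["extensions"],
    }


if __name__ == "__main__":
    posted = parse_client_hello(POSTED_CLIENT_HELLO)
    print("posted ClientHello:", len(posted["cipher_suites"]), "suites, extensions",
          [hex(t) for t in posted["extensions"]], secure_renegotiation_signals(posted))
    fixed = parse_client_hello(build_client_hello(
        posted["cipher_suites"] + [EMPTY_RENEGOTIATION_INFO_SCSV],
        {RENEGOTIATION_INFO_EXT: b"\x00", SESSION_TICKET_EXT: b""}))
    print("with RFC 5746 signals:", secure_renegotiation_signals(fixed))
```

Run on the posted bytes it reports 19 cipher suites, one extension (SessionTicket, 0x0023) and neither RFC 5746 signal, which is what a pre-RFC 5746 0.9.8k client sends: nothing in that hello lets the server tell a legitimate renegotiation from the CVE-2009-3555 splice, so a server patched to close the hole can only refuse the renegotiation outright, which is the "no renegotiation" alert in the trace.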