Hi ALL,

I did some studies on this patch. Going through the OpenSSL CVS, I find that the
http://cvs.openssl.org/chngview?cn=18791 and http://cvs.openssl.org/chngview?cn=18794
patches went into the OpenSSL 0.9.8l release, and this patch is making the renegotiation
state hang.

Whereas http://cvs.openssl.org/chngview?cn=18790 at least disconnects the connection on
renegotiation, which was supposed to be done to deal with this problem. Please correct me
if I am wrong, and also please guide me on which patch needs to be used.

Thanks in advance,
Samuel

On Fri, Nov 20, 2009 at 4:45 PM, samuel smith <samuel123sm...@gmail.com> wrote:
>
> Sorry, I have mistyped the second patch. This is the patch
> http://cvs.openssl.org/chngview?cn=18790
> which disconnects the connection. Please guide me, which patch should I
> use to apply to OpenSSL 0.9.8k?
> Thanks
> Samuel
>
> On Fri, Nov 20, 2009 at 3:23 PM, Samuel123smith <samuel123sm...@gmail.com> wrote:
>
>> Hi ALL,
>>
>> I am a newbie to OpenSSL and I have recently joined in OpenSSL activities. As
>> we all know, we have come across the security vulnerability issue
>> CVE-2009-3555 and I need to patch the OpenSSL 0.9.8k version. I was going
>> through some of the queries already in this forum.
>>
>> From this link
>> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2009-11/msg00000.html
>> I came to know the patch for this problem:
>> Obtained-From: http://cvs.openssl.org/chngview?cn=18791
>> Obtained-From: http://cvs.openssl.org/chngview?cn=18794
>>
>> which I applied to OpenSSL 0.9.8k, but when I ran the openssl s_server and
>> s_client, I can see the output as follows. At the client side, I can see:
>>
>> openssl s_client
>>
>> R
>> RENEGOTIATING
>>
>> It stays in this stage, and whenever I type anything in the server or
>> client, the data is passed to the other side.
>>
>> Server Side:
>> The server is sending the data to client
>>
>> Client Side:
>> R
>> RENEGOTIATING
>> The server is sending the data to client.
>>
>> I was thinking the connection should be dropped if the client tries
>> renegotiation.
>>
>> But if I have this patch http://cvs.openssl.org/chngview?cn=18791,
>> the server drops the connection:
>>
>> Server Side:
>> SSL3 alert write:fatal:handshake failure
>> SSL_accept:error in SSLv3 read client hello A
>> ERROR
>> 487572:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:
>> shutting down SSL
>> CONNECTION CLOSED
>> ACCEPT
>>
>> Client Side:
>> R
>> RENEGOTIATING
>> SSL_connect:SSL renegotiate ciphers
>> >>> TLS 1.0 Handshake [length 0057], ClientHello
>>     01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe
>>     c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a
>>     73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00
>>     16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
>>     15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01
>>     00 00 04 00 23 00 00
>> SSL_connect:SSLv3 write client hello A
>> <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
>>     02 28
>> SSL3 alert read:fatal:handshake failure
>> SSL_connect:failed in SSLv3 read server hello A
>> 499818:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
>> 499818:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
>>
>> Client Session is terminated.
>>
>> Can anyone please tell me which is the intended behaviour?
>>
>> As I cannot move to OpenSSL 0.9.8l now, I have to apply the patch for this
>> problem in OpenSSL 0.9.8k. Please direct me to the correct patch which I
>> need to apply to OpenSSL 0.9.8k.
>>
>> Thanks In Advance
>>
>> Samuel
>>
>> --
>> View this message in context:
>> http://old.nabble.com/New-Babie---Query-on-CVE-2009-3555-tp26435399p26435399.html
>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org
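Added example (my own code, not from the thread or from OpenSSL): it parses the ClientHello and Alert hex dumps quoted above and checks for the two RFC 5746 signals that distinguish a secure-renegotiation-capable client from a legacy one, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) and the renegotiation_info extension (0xFF01). The dump above carries neither, only the session ticket extension (0x0023), so a server applying the RFC 5746 policy would treat it as a legacy renegotiation attempt, and the two alert bytes decode to the fatal handshake_failure (alert 40) the error text reports.

```python
# Hex dumps exactly as `openssl s_client -msg` printed them in the thread above.
CLIENT_HELLO_HEX = (
    "01 00 00 53 03 01 4b 06 60 60 24 71 1f db 0d fe "
    "c8 39 83 1f c4 b1 fb af 64 5e 66 f4 5a 24 cb 7a "
    "73 98 32 f9 1d cf 00 00 26 00 39 00 38 00 35 00 "
    "16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 "
    "15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01 "
    "00 00 04 00 23 00 00"
)
ALERT_HEX = "02 28"

RENEG_SCSV = 0x00FF      # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 section 3.3
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type, RFC 5746 section 3.2

def parse_client_hello(hex_dump):
    """Parse a ClientHello handshake message and report its RFC 5746 indicators."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    body_len = int.from_bytes(data[1:4], "big")       # 3-byte handshake length
    body = data[4:4 + body_len]
    if data[0] != 0x01 or len(body) != body_len:
        raise ValueError("not a complete ClientHello handshake message")
    u16 = lambda off: int.from_bytes(body[off:off + 2], "big")  # big-endian uint16
    pos = 2 + 32                                      # client_version + random
    pos += 1 + body[pos]                              # session_id (length-prefixed)
    cs_len = u16(pos)
    pos += 2
    suites = [u16(pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression_methods
    ext_types = []
    if pos < len(body):                               # extensions block is optional
        ext_len = u16(pos)
        pos += 2
        end = pos + ext_len
        while pos < end:                              # each extension: type, length, data
            ext_types.append(u16(pos))
            pos += 4 + u16(pos + 2)
    return {
        "cipher_suites": suites,
        "extensions": ext_types,
        "signals_secure_reneg": RENEG_SCSV in suites or RENEG_INFO_EXT in ext_types,
    }

def parse_alert(hex_dump):
    """Decode a 2-byte TLS Alert body into (level, description) names."""
    levels = {1: "warning", 2: "fatal"}
    descriptions = {40: "handshake_failure", 100: "no_renegotiation"}
    level, desc = bytes.fromhex(hex_dump.replace(" ", ""))
    return levels.get(level, str(level)), descriptions.get(desc, str(desc))
```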