In Ubuntu, we build OpenSSL 1.0.1 with -DOPENSSL_NO_TLS1_2_CLIENT and -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. At first glance, this seems like a strange combination of build options to me. Ignoring that for the moment, I've run into a bug where the TLS 1 and TLS 1.1 ClientHello suggested ciphersuites are being incorrectly truncated.
The negotiated protocol version, s->version, is being used in ssl23_client_hello() rather than the highest protocol version supported by the client, which is s->client_version. Since a ServerHello hasn't been received yet, the negotiated protocol version has not yet been decided and I think that using s->version at this point is incorrect.

Additionally, 'make test' fails with this error:

---
test sslv2/sslv3 w/o (EC)DHE via BIO pair
Available compression methods: NONE
ERROR in SERVER
47452334661472:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1375:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
make[1]: *** [test_ssl] Error 1
make[1]: Leaving directory `/tmp/openssl.orig/test'
make: *** [tests] Error 2
---

With the patch below, 'make test' completes successfully.

Another reproducer for this bug is the following command:

$ openssl s_client -connect d2chzxaqi4y7f8.cloudfront.net:443 \
    -CAfile /etc/ssl/certs/ca-certificates.crt

It fails with a handshake error which I assume is because the server preferred cipher (RC4-MD5) is getting incorrectly chopped off in the outgoing ClientHello. Specifying -tls1 allows for the handshake to successfully complete, but this shouldn't be required.

Here's the proposed fix. Thanks!

diff -Nurp openssl.orig/ssl/s23_clnt.c openssl/ssl/s23_clnt.c
--- openssl.orig/ssl/s23_clnt.c 2012-09-17 11:11:57.526282229 -0700
+++ openssl/ssl/s23_clnt.c 2012-09-17 11:52:24.854232417 -0700
@@ -499,7 +499,7 @@ static int ssl23_client_hello(SSL *s) * as hack workaround chop number of supported ciphers * to keep it well below this if we use TLS v1.2 */ - if (TLS1_get_version(s) >= TLS1_2_VERSION + if (TLS1_get_client_version(s) >= TLS1_2_VERSION && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; #endif diff -Nurp openssl.orig/ssl/s3_clnt.c openssl/ssl/s3_clnt.c --- openssl.orig/ssl/s3_clnt.c 2012-09-17 11:11:57.526282229 -0700 +++ openssl/ssl/s3_clnt.c 2012-09-17 11:52:02.698232870 -0700 @@ -776,7 +776,7 @@ int ssl3_client_hello(SSL *s) * as hack workaround chop number of supported ciphers * to keep it well below this if we use TLS v1.2 */ - if (TLS1_get_version(s) >= TLS1_2_VERSION + if (TLS1_get_client_version(s) >= TLS1_2_VERSION && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; #endif ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
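Review bot: In the s23_clnt.c hunk, switching the check to TLS1_get_client_version(s) means that in the build described (-DOPENSSL_NO_TLS1_2_CLIENT) the client's maximum version never reaches TLS1_2_VERSION, so the cap `i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;` is no longer applied to any ClientHello this client sends; that is the intended outcome for the TLS 1.0/1.1 truncation, but the surrounding comment still reads "to keep it well below this if we use TLS v1.2", which now misdescribes the condition. Update the comment to say the cap applies when the client offers TLS 1.2 in its ClientHello, and state in the commit message that a TLS 1.0/1.1 ClientHello is no longer truncated, so the behaviour change is visible to packagers carrying these build options.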
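Review bot: The s3_clnt.c hunk makes the same substitution inside ssl3_client_hello(), which is also reached on renegotiation and when a fixed TLS method is used rather than the SSLv23 method; on those paths the cap now depends on s->client_version being populated before this point, and if it is not, the comparison against TLS1_2_VERSION is made on a stale or unset value and a genuine TLS 1.2 ClientHello with more than OPENSSL_MAX_TLS1_2_CIPHER_LENGTH bytes of ciphersuites would go out uncapped rather than truncated. Please confirm s->client_version is set on every entry path into ssl3_client_hello(), and add a 'make test' case for a TLS 1.2 ClientHello with an over-length suite list, since the quoted failure only covers the sslv2/sslv3 BIO-pair test that exercises the TLS 1.0/1.1 case.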
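The following is an added, self-contained model of the length-capping step the patch touches; it is not code from the post or from OpenSSL. It uses a hypothetical two-field struct in place of the SSL object, a constructed 40-suite list with TLS_RSA_WITH_RC4_128_MD5 (0x0004, the "RC4-MD5" suite named in the post) placed last, and it assumes that before the ServerHello the not-yet-negotiated version field still holds TLS 1.2 while the client advertises TLS 1.1, which is the only way the original check could fire for a TLS 1.1 ClientHello. Running it shows that the original check on the negotiated version drops RC4-MD5 from the offered list while the patched check on the client's maximum version keeps it, and that a real TLS 1.2 client is still capped at 50 bytes either way.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Wire encodings of the protocol versions (same values OpenSSL's tls1.h uses). */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* The cap from the Ubuntu build options quoted in the post. */
#define OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 50

/* Hypothetical stand-in for the two SSL fields the post contrasts; not OpenSSL's struct. */
typedef struct {
    uint16_t version;        /* negotiated version: undecided until the ServerHello arrives */
    uint16_t client_version; /* highest version the client advertises in its ClientHello */
} fake_ssl;

/* Length-capping step from ssl23_client_hello()/ssl3_client_hello(), where i is the
 * byte length of the ciphersuite list. use_client_version == 0 models the original
 * check on s->version; 1 models the patched check on s->client_version. */
size_t capped_cipher_list_len(const fake_ssl *s, size_t i, int use_client_version)
{
    uint16_t v = use_client_version ? s->client_version : s->version;
    if (v >= TLS1_2_VERSION && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; /* suites are 2 bytes each: keep it even */
    return i;
}

/* Is a suite id present among the first len bytes of a big-endian, 2-bytes-per-suite list? */
int suite_offered(const uint8_t *list, size_t len, uint16_t suite)
{
    size_t off;
    for (off = 0; off + 1 < len; off += 2)
        if ((uint16_t)((list[off] << 8) | list[off + 1]) == suite)
            return 1;
    return 0;
}

#define N_SUITES 40          /* 80 bytes of suites, well above the 50-byte cap */
#define RC4_MD5_SUITE 0x0004 /* TLS_RSA_WITH_RC4_128_MD5, the server-preferred suite in the post */

/* Constructed list: 39 made-up filler ids (not real suites), then RC4-MD5 last so a cap cuts it off. */
void build_list(uint8_t *out)
{
    size_t k;
    for (k = 0; k < N_SUITES - 1; k++) {
        uint16_t id = (uint16_t)(0xF000 + k);
        out[2 * k] = (uint8_t)(id >> 8);
        out[2 * k + 1] = (uint8_t)(id & 0xFF);
    }
    out[2 * (N_SUITES - 1)] = (uint8_t)(RC4_MD5_SUITE >> 8);
    out[2 * (N_SUITES - 1) + 1] = (uint8_t)(RC4_MD5_SUITE & 0xFF);
}

/* The post's scenario: a client built without TLS 1.2 support offers TLS 1.1, while the
 * not-yet-negotiated version field still holds a TLS 1.2 default (assumption, see lead-in).
 * Returns 1 if RC4-MD5 is still in the list that would be sent, 0 if the cap removed it. */
int rc4_md5_survives(int use_client_version)
{
    uint8_t list[2 * N_SUITES];
    fake_ssl s = { TLS1_2_VERSION, TLS1_1_VERSION };
    size_t len;
    build_list(list);
    len = capped_cipher_list_len(&s, sizeof list, use_client_version);
    return suite_offered(list, len, RC4_MD5_SUITE);
}

int main(void)
{
    fake_ssl tls12 = { TLS1_2_VERSION, TLS1_2_VERSION };
    printf("original check, TLS 1.1 client: RC4-MD5 offered = %d\n", rc4_md5_survives(0));
    printf("patched check,  TLS 1.1 client: RC4-MD5 offered = %d\n", rc4_md5_survives(1));
    printf("patched check,  TLS 1.2 client: list capped to %zu bytes\n",
           capped_cipher_list_len(&tls12, 2 * N_SUITES, 1));
    return 0;
}
```

The "no shared cipher" failure in the quoted 'make test' output is the server-side view of the same thing: once the tail of the list is cut, a server whose only acceptable suites sit past the 50-byte mark sees nothing it can pick.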