Re: [openssl.org #3400] ccs received early
On Thu, Jun 12, 2014 at 06:00:05PM +0200, Kurt Roeckx wrote:
> On Thu, Jun 12, 2014 at 02:06:53PM +0200, Florian Weimer wrote:
> > On 06/12/2014 01:28 PM, Salz, Rich wrote:
> > > > Since the patch for CVE-2014-0224 I've so far received 2 reports
> > > > about people getting the error: ccs received early.
> > >
> > > So they kiddies can read. We thought so, but good to have
> > > confirmation. Thanks!
> >
> > What do you mean? As far as I can tell, this is about an
> > interoperability issue.
>
> Yes. As far as I can see all reports are about 0.9.8o sending
> large amounts of data to 1.0.1e.

So I can reproduce it. But I can only seem to be reproducing it
when using postgres having a 1.0.1 talk to a 0.9.8.

For me it happens at exactly the same place in the dump file each
time, after 480 MB has been transferred. Others are reporting it
after a different amount.

According to wireshark a CCS is sent at that time, together with
some Encrypted Handshake Messages.

I'm not sure how to debug this.

Kurt

__
OpenSSL Project                          http://www.openssl.org
Development Mailing List                 openssl-dev@openssl.org
Automated List Manager                   majord...@openssl.org
Re: [openssl.org #3400] ccs received early
On Sat, Jun 14, 2014 at 04:23:13PM +0200, Kurt Roeckx via RT wrote:
> Yes. As far as I can see all reports are about 0.9.8o sending
> large amounts of data to 1.0.1e.
>
> So I can reproduce it. But I can only seem to be reproducing it
> when using postgres having a 1.0.1 talk to a 0.9.8.
>
> For me it happens at exactly the same place in the dump file each
> time, after 480 MB has been transferred. Others are reporting it
> after a different amount.

Is it perhaps a renegotiation with resumption? Can you arrange to
export the session master key in wireshark-compatible form, and
decrypt the second handshake?

Which is the client, which is the server, and which one reports
the early ccs? Have you run the party that complains under a
debugger with a breakpoint at the line where the problem is
reported? What is the stack trace and what are the values of the
fields of the connection's SSL structure?

--
Viktor.
Re: [openssl.org #3400] ccs received early
On Sat, Jun 14, 2014 at 04:42:19PM +, Viktor Dukhovni wrote:
> On Sat, Jun 14, 2014 at 04:23:13PM +0200, Kurt Roeckx via RT wrote:
> > Yes. As far as I can see all reports are about 0.9.8o sending
> > large amounts of data to 1.0.1e.
> >
> > So I can reproduce it. But I can only seem to be reproducing it
> > when using postgres having a 1.0.1 talk to a 0.9.8.
> >
> > For me it happens at exactly the same place in the dump file each
> > time, after 480 MB has been transferred. Others are reporting it
> > after a different amount.
>
> Is it perhaps a renegotiation with resumption? Can you arrange to
> export the session master key in wireshark-compatible form, and
> decrypt the second handshake?
>
> Which is the client, which is the server, and which one reports
> the early ccs? Have you run the party that complains under a
> debugger with a breakpoint at the line where the problem is
> reported? What is the stack trace and what are the values of the
> fields of the connection's SSL structure?

postgresql has an option ssl_renegotiation_limit. Lowering that
makes the error appear faster.

So it's 0.9.8o (+patches) (server, sending data) talking to
OpenSSL_1_0_1-stable (client).

After some data transfer I see:

    s-c: Hello Request
    c-s: Client Hello
    s-c: Server Hello, Certificate, Server Hello Done
    c-s: Client Key Exchange, Change Cipher Spec, Finished
    s-c: Change Cipher Spec, Finished
    c-s: Alert (Fatal, Unexpected Message)

kurt
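
Added example (not part of the original thread, and not OpenSSL code): a small Python check of the message order reported in the message above against the order of a full, non-resumed TLS handshake. The function names and the second trace are constructed for illustration; the input notation is the `s-c:` / `c-s:` flight listing used in the message.

```python
import re

# Renegotiation as reported in Kurt's message (s = server, c = client).
OBSERVED = """\
s-c: Hello Request
c-s: Client Hello
s-c: Server Hello, Certificate, Server Hello Done
c-s: Client Key Exchange, Change Cipher Spec, Finished
s-c: Change Cipher Spec, Finished
"""

# Constructed trace (not from the thread): the server's CCS arrives before
# the client has sent its key exchange, so no new keys can exist yet.
CONSTRUCTED_EARLY = """\
s-c: Hello Request
c-s: Client Hello
s-c: Server Hello, Certificate, Server Hello Done
s-c: Change Cipher Spec, Finished
"""

def parse_flights(trace):
    """Flatten 's-c:' / 'c-s:' flight lines into [(sender, message), ...]."""
    msgs = []
    for line in trace.strip().splitlines():
        m = re.fullmatch(r"\s*([sc])-([sc]):\s*(.+)", line)
        if not m or m.group(1) == m.group(2):
            raise ValueError(f"unrecognised flight line: {line!r}")
        msgs += [(m.group(1), name.strip()) for name in m.group(3).split(",")]
    return msgs

def ccs_order_problems(trace):
    """Check CCS placement for a full (non-resumed) handshake; [] means OK."""
    msgs, problems = parse_flights(trace), []
    key_exchange_seen = client_finished = False
    for i, (sender, name) in enumerate(msgs):
        if name == "Client Key Exchange":
            key_exchange_seen = True
        elif name == "Finished" and sender == "c":
            client_finished = True
        elif name == "Change Cipher Spec":
            if not key_exchange_seen:
                problems.append(f"{sender}: CCS before Client Key Exchange")
            if sender == "s" and not client_finished:
                problems.append("s: CCS before client Finished")
            if msgs[i + 1:i + 2] != [(sender, "Finished")]:
                problems.append(f"{sender}: CCS not followed by Finished")
    return problems

if __name__ == "__main__":
    for label, trace in (("observed", OBSERVED), ("constructed", CONSTRUCTED_EARLY)):
        print(label, ccs_order_problems(trace) or "order OK")
```

The reported renegotiation passes the ordering check: both CCS messages sit where a full handshake puts them, yet the client answers with a fatal alert.
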
Re: [openssl.org #3400] ccs received early
On Sat, Jun 14, 2014 at 07:12:06PM +0200, Kurt Roeckx via RT wrote:
> So it's 0.9.8o (+patches) (server, sending data) talking to
> OpenSSL_1_0_1-stable (client).
>
> After some data transfer I see:
>
>     s-c: Hello Request
>     c-s: Client Hello
>     s-c: Server Hello, Certificate, Server Hello Done
>     c-s: Client Key Exchange, Change Cipher Spec, Finished
>     s-c: Change Cipher Spec, Finished
>     c-s: Alert (Fatal, Unexpected Message)

When I build 1.0.1h and trigger a server-initiated renegotiation
via s_server by typing r<RETURN> after the connection is established,

    # Client is 1.0.1 (similar to report):
    $ openssl s_client -CAfile server.pem -msg -connect 127.0.0.1:12345

    # Server is 1.0.1 (should not matter from client's perspective)
    $ openssl s_server -cert server.pem -accept 12345 \
        -tls1 -no_dhe -no_ecdhe -no_ticket -no_cache

I get:

    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: 78E63A22515E23E467774EB92C270055987B8CA0A4AFB462BAA0237F213BFC926D58587A707E3081E29E03CF2FC08B85
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1402770873
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    TLS 1.0 Handshake [length 0004], HelloRequest
    TLS 1.0 Handshake [length 014f], ClientHello
    TLS 1.0 Handshake [length 004e], ServerHello
    TLS 1.0 Handshake [length 0214], Certificate
    TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS 1.0 ChangeCipherSpec [length 0001]
    TLS 1.0 Handshake [length 0010], Finished
    TLS 1.0 ChangeCipherSpec [length 0001]
    TLS 1.0 Handshake [length 0010], Finished
    read R BLOCK

Is there anything materially different about the problem
configuration? Protocol? Cipher-suite? Differences from 1.0.1h
on the client?

--
Viktor.
[openssl.org #3400] ccs received early
Fixed now:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3b77f01702cbbb75c77

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl.org #3400] ccs received early
On 06/12/2014 01:28 PM, Salz, Rich wrote:
> > Since the patch for CVE-2014-0224 I've so far received 2 reports
> > about people getting the error: ccs received early.
>
> So they kiddies can read. We thought so, but good to have
> confirmation. Thanks!

What do you mean? As far as I can tell, this is about an
interoperability issue.

--
Florian Weimer / Red Hat Product Security Team
Re: [openssl.org #3400] ccs received early
On Thu, Jun 12, 2014 at 02:06:53PM +0200, Florian Weimer wrote:
> On 06/12/2014 01:28 PM, Salz, Rich wrote:
> > > Since the patch for CVE-2014-0224 I've so far received 2 reports
> > > about people getting the error: ccs received early.
> >
> > So they kiddies can read. We thought so, but good to have
> > confirmation. Thanks!
>
> What do you mean? As far as I can tell, this is about an
> interoperability issue.

Yes. As far as I can see all reports are about 0.9.8o sending
large amounts of data to 1.0.1e.

Kurt