Hi,
Using OpenSSL 1.0.1j 15 Oct 2014 on a GNU/Linux machine, I observe that if
openssl s_server receives a ClientHello with FALLBACK_SCSV before the actual
ciphersuites, it breaks the handshake with a fatal handshake_failure(40) alert,
regardless of whether the version is the highest supported or not.
% openssl s_server -www -cert some.crt -key some.key -debug
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
read from 0x20531d0 [0x20588c0] (11 bytes = 11 (0xB))
- 16 03 01 00 89 01 00 00-85 03 03 ...
read from 0x20531d0 [0x20588ce] (131 bytes = 131 (0x83))
- 54 44 ed 69 3a 59 5f dd-0b 5c 68 89 9c 6f e5 32 TD.i:Y_..\h..o.2
0010 - 58 5c 31 e0 6f 6b e8 b6-c8 c9 a4 6d 90 af f0 db X\1.ok.m
0020 - 00 00 06 00 ff 56 00 c0-09 01 00 00 56 00 00 00 .V..V...
0030 - 0e 00 0c 00 00 09 6c 6f-63 61 6c 68 6f 73 74 00 ..localhost.
0040 - 0d 00 1a 00 18 06 01 05-01 04 01 03 01 02 01 01
0050 - 01 06 03 05 03 04 03 03-03 02 03 01 03 00 0a 00
0060 - 18 00 16 00 19 00 1c 00-18 00 1b 00 17 00 16 00
0070 - 1a 00 15 00 14 00 13 00-12 00 0b 00 02 01 00 00
0080 - 23#
0083 - SPACES/NULS
write to 0x20531d0 [0x20623b0] (7 bytes = 7 (0x7))
- 15 03 03 00 02 02 28 ..(
140292492379792:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1360:
ACCEPT
(Ciphersuite list starts as 0x23 with EMPTY_RENEGOTIATION_INFO, followed by
FALLBACK_SCSV, then TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, which is supported.)
The expected behaviour would be the one that happens when the SCSV is placed
after the actual ciphersuites. Indeed, the draft does not mandate that the SCSV
be at the end of the list, it merely states it will generally happen this way.
Manuel.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
