[openssl.org #2687] OpenSSL 1.0.1-beta1 sends certificate_verify in ServerHello and breaks Java 1.6.x clients, Firefox, and Chrome

2012-01-18 Thread Ivan Ristic via RT
I am testing a Java 1.6.x SSL client against Apache httpd 2.2.21
compiled against OpenSSL 1.0.1 beta 1.

The Java client refuses to connect to the server, complaining about
unsupported type_15 extension.

Network traffic capture shows the server responding to an
uninteresting TLS 1.0 ClientHello (without any extensions) with a
ServerHello that does indeed contain extension 15. The bytes are: 00
0f 00 01 01. My understanding is that the server should not be
responding with any ServerHello extensions the client did not ask for.
The RFC states that clients should abandon such connections, which is
what the Java client is doing.

The extension is also there when I connect with an older version of
OpenSSL, but it seems that the OpenSSL client ignores it. Firefox and
Chrome, on the other hand, do not, and bail out.

-- 
Ivan Ristić

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
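The client-side check Ivan describes (a ServerHello carrying an extension the ClientHello never offered must be rejected, RFC 5246 section 7.4.1.4), as an added Python example that is not code from this thread, from OpenSSL or from any of the clients named. The five ServerHello bytes are the ones quoted in the report; the empty ClientHello extension list and the helper names are constructed for the example.

```python
import struct

# Constructed from the report: the ServerHello extension block the Java client
# rejected (type 0x000f = heartbeat, length 0x0001, HeartbeatMode 0x01).
SERVERHELLO_EXTS = bytes.fromhex("000f000101")
# Constructed: a TLS 1.0 ClientHello with no extensions at all, as in the capture.
CLIENTHELLO_EXTS_NONE = b""

HEARTBEAT_TYPE = 15
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_extensions(data: bytes) -> dict[int, bytes]:
    """Parse a TLS extension list body: repeated type(2) length(2) payload.

    Takes the bytes after the 2-byte vector length. Truncation and duplicate
    extension types are rejected, as a careful client would do.
    """
    exts: dict[int, bytes] = {}
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + ext_len > len(data):
            raise ValueError(f"extension {ext_type} body truncated")
        if ext_type in exts:
            raise ValueError(f"duplicate extension {ext_type}")
        exts[ext_type] = data[pos:pos + ext_len]
        pos += ext_len
    return exts


def unsolicited_extensions(client_exts: bytes, server_exts: bytes) -> list[int]:
    """Extension types the server sent that the client did not offer.

    RFC 5246 7.4.1.4: a non-empty result means the client must abort the
    handshake with an unsupported_extension alert, which is what Java,
    Firefox and Chrome did here while the OpenSSL client let it pass.
    """
    offered = set(parse_extensions(client_exts))
    return sorted(t for t in parse_extensions(server_exts) if t not in offered)


def describe_heartbeat(payload: bytes) -> str:
    """Decode the one-byte HeartbeatMode of a heartbeat extension (RFC 6520)."""
    if len(payload) != 1:
        raise ValueError("heartbeat extension body must be exactly one byte")
    return HEARTBEAT_MODES.get(payload[0], f"unknown mode {payload[0]}")
```

Running `unsolicited_extensions(CLIENTHELLO_EXTS_NONE, SERVERHELLO_EXTS)` returns `[15]`, the unrequested heartbeat extension from the report, and `describe_heartbeat` on its payload gives `peer_allowed_to_send`.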


[openssl.org #2687] OpenSSL 1.0.1-beta1 sends certificate_verify in ServerHello and breaks Java 1.6.x clients, Firefox, and Chrome

2012-01-18 Thread Stephen Henson via RT
> [ivan.ris...@gmail.com - Wed Jan 18 14:07:52 2012]:
>
> I am testing a Java 1.6.x SSL client against Apache httpd 2.2.21
> compiled against OpenSSL 1.0.1 beta 1.
>
> The Java client refuses to connect to the server, complaining about
> unsupported type_15 extension.

This is caused by a bug in the heartbeat code which should be fixed in
1.0.1 snapshots.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
