There seems to be a bug in the SSL implementation of an https server I'm connecting to; the problem initially arose in my application, but I've since been debugging / reproducing it with the openssl commandline utility, so I'm fairly certain it has nothing to do with my application at this point.
If I connect to the remote server with no options other than -connect, OpenSSL sends an SSLv2 CLIENT-HELLO, the server responds with a TLSv1 ServerHello, and everything proceeds normally.
If I connect with -ssl3, OpenSSL sends an SSLv3 ClientHello, the server responds with an SSLv3 ServerHello, and again everything is fine.
However, if I connect with -no_ssl2 or -tls1, OpenSSL sends a TLSv1 ClientHello, and the server responds with "TLS 1.0 Alert [length 0002], fatal unexpected_message", which is the original problem I was seeing in my application.
There are a number of possible workarounds that suggest themselves at this point, but I'm ideally looking for something generic, rather than special-casing this particular server, so I'm hoping there's some kind of "standard" workaround for this.
-
It seems the problem was actually caused by the RFC 5077 session ticket extension; disabling this (by passing -no_ticket to openssl, for example) allowed the TLSv1 ClientHello to succeed with the remote server. Since I have no particular need for this extension in my application, this workaround seems like the most appropriate way to proceed. A little research suggests that the problem may just be empty session ticket extensions, but I didn't bother trying to figure out whether this particular server had problems with non-empty ones.
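The ClientHello shapes discussed above (no SessionTicket extension, an empty one, a non-empty one) can be told apart in a captured handshake. The following is an added example, not part of the original post: the helper names build_client_hello, parse_extensions and ticket_status are hypothetical, and the ClientHello bytes are constructed rather than captured from the server in question.

```python
import struct

EXT_SESSION_TICKET = 35  # RFC 5077 SessionTicket TLS extension type


def build_client_hello(extensions):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample data)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x01"                          # client_version: TLS 1.0
    body += bytes(32)                           # random (all zeros, constructed)
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite
    body += b"\x01\x00"                         # one compression method: null
    if extensions:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_extensions(record):
    """Return {ext_type: ext_data} from a single-record ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # skip session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # skip cipher_suites
    pos += 1 + record[pos]               # skip compression_methods
    exts = {}
    if pos == len(record):               # hello carries no extensions block
        return exts
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def ticket_status(record):
    """Classify the SessionTicket extension: 'absent', 'empty' or 'non-empty'."""
    exts = parse_extensions(record)
    if EXT_SESSION_TICKET not in exts:
        return "absent"
    return "empty" if not exts[EXT_SESSION_TICKET] else "non-empty"
```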