On 10/28/2009 04:17 AM, Dr Stephen Henson wrote:
Kamesh Jayachandran wrote:
Hi Kaspar,

I applied your 'mod_ssl-disable_tls_tickets.diff' and
'mod_ssl-log_ssloptions.diff' to apache-2.2.12

and initiated the 'failing svn import operation'.

<snip from error_log while this fails>
[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88]
ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
ssl_init_ssl_connection: options=0x1114fff
</snip>

The tcpdump for this failure is at,

http://www.livecipher.com/tlsext_dump/tlsext.dmp.4


Sorry for the delay.

As I mentioned, something strange is going on there. The server is sending back
empty session IDs, which shouldn't be happening if tickets are disabled properly.

With OpenSSL 0.9.8k client, can you try this connecting to that server:

openssl s_client -connect hostname.whatever.com:443
                -servername hostname.whatever.com -tls1

Does any value appear after "Session-ID"? Hit Q<return> to exit.

Yes, it appears.

Also try:

openssl s_client -connect hostname.whatever.com:443
                -servername hostname.whatever.com -tls1 -no_ticket

Again, do you get anything after "Session-ID"?

Yes, I do.

Finally this pair of commands:

openssl s_client -connect hostname.whatever.com:443
                -servername hostname.whatever.com -tls1
                -sess_out foo.pem


openssl s_client -connect hostname.whatever.com:443
                -servername hostname.whatever.com -tls1
                -sess_in foo.pem

Do you still get the error when you call the command with the server including
SSL_OP_NO_TICKET?

Yes, I get the error with the server running the SSL_OP_NO_TICKET patch.

[kam...@kamesh httpd-2.2.12]$ openssl s_client -connect kamesh:443 -servername kamesh -tls1 -sess_in foo.pem
CONNECTED(00000003)
4155:error:140920DF:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext:s3_clnt.c:880:


FYI, I used this OpenSSL client on my Linux box for this test, which is OpenSSL 0.9.8k (while the original issue was posted against the win32 svn client built with OpenSSL 0.9.8j).

With regards
Kamesh Jayachandran
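The diagnostic Steve is walking through above boils down to one question: in the ServerHello, does the server offer resumption by session ID, by a RFC 5077 session ticket (extension type 0x0023), or not at all? An empty session ID together with no ticket extension is the symptom he calls out. The following parser is an added example, not code from the thread, mod_ssl or OpenSSL; it decodes a single TLS record carrying a ServerHello (the same message `openssl s_client` reports under "Session-ID") and classifies the resumption mode, rejecting malformed extension blocks the way the `parse tlsext` error in the `s_client` output does. The `build_server_hello` helper, the zeroed server random and the sample records are constructed for the example.

```python
import struct

SESSION_TICKET_EXT = 0x0023  # RFC 5077 SessionTicket extension type


def parse_server_hello(record: bytes) -> dict:
    """Decode one TLS handshake record holding a ServerHello.

    Returns the protocol version, session ID, cipher suite and the list of
    (type, data) extensions. Raises ValueError on any length inconsistency,
    which is the class of failure s_client reports as 'parse tlsext'.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                       # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1
    session_id = hello[pos:pos + sid_len]
    if len(session_id) != sid_len:
        raise ValueError("truncated session ID")
    pos += sid_len
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                           # cipher suite (2) + compression method (1)

    extensions = []
    if pos < len(hello):               # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extension block length mismatch")
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            if len(data) != elen or pos + elen > end:
                raise ValueError("truncated extension")
            pos += elen
            extensions.append((etype, data))

    return {"version": version, "session_id": session_id,
            "cipher_suite": cipher_suite, "extensions": extensions}


def classify_resumption(info: dict) -> str:
    """'ticket' if the server negotiated a session ticket, 'session-id' if it
    handed out a cacheable ID instead, 'none' if it offered neither (the
    empty-session-ID symptom from the thread)."""
    if any(etype == SESSION_TICKET_EXT for etype, _ in info["extensions"]):
        return "ticket"
    if info["session_id"]:
        return "session-id"
    return "none"


def build_server_hello(session_id: bytes, extensions=None) -> bytes:
    """Constructed TLS 1.0 ServerHello record for testing (zeroed random,
    TLS_RSA_WITH_AES_128_CBC_SHA, null compression)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x2f" + b"\x00")
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d
                             for t, d in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples covering the three outcomes discussed in the thread.
SAMPLES = {
    "tickets enabled":  build_server_hello(b"", [(SESSION_TICKET_EXT, b"")]),
    "tickets disabled": build_server_hello(bytes(range(32))),
    "empty session id": build_server_hello(b""),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        info = parse_server_hello(rec)
        print(f"{label:17s} session_id_len={len(info['session_id']):2d} "
              f"resumption={classify_resumption(info)}")
```

Run against a real capture, the record bytes would come from the tcpdump rather than `build_server_hello`; a result of `none` after applying a no-ticket patch is the inconsistency Steve describes, and a ValueError on the extension block is the on-the-wire counterpart of the `SSL3_GET_SERVER_HELLO:parse tlsext` failure.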
