Hi,
I'm working on putting SSL/TLS session caching into Exim, and I've almost
got it working, borrowing heavily from the mod_ssl dbm caching code.
The problem I'm getting is that when I reuse a session from the client side,
I get this:
Initialised TLS
DBM file record "@192.168.254.1" suggests
"=3b9e064333eaf74126c821672a34c776700552b74b71b509f82984601c51957d" as a
session id record
tls_get_client_session: got session record
"=3b9e064333eaf74126c821672a34c776700552b74b71b509f82984601c51957d" from DBM
file; attempting to reuse session
SSL info: before/connect initialization
SSL info: before/connect initialization
SSL info: SSLv3 write client hello A
SSL info: SSLv3 read server hello B
SSL info: SSLv3 read server hello B
LOG: MAIN
TLS error on connection to arise.sinshack [192.168.254.1] (SSL_connect):
error:140920C5:SSL routines:SSL3_GET_SERVER_HELLO:old session cipher not
returned
AIUI, this error means that the cipher suite in the "server hello" record
was different this time round from when the session was originally
negotiated.
However, I was tracking the handshake with ssldump, and it says this:
* First time round:
1 1 0.2710 (0.0276) C>S Handshake
ClientHello
Version 3.0
cipher suites
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_DSS_WITH_RC2_56_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
1 2 0.2958 (0.0247) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipherSuite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
1 3 0.2959 (0.0001) S>C Handshake
Certificate
1 4 0.3186 (0.0226) S>C Handshake
ServerKeyExchange
[...]
* Second time round:
1 1 0.2295 (0.0272) C>S Handshake
ClientHello
Version 3.0
resume [32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipher suites
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_DSS_WITH_RC2_56_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
1 2 0.2349 (0.0053) S>C Handshake
ServerHello
Version 3.0
session_id[32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipherSuite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
1 3 0.2349 (0.0000) S>C ChangeCipherSpec
1 4 0.2349 (0.0000) S>C Handshake
1 5 0.2628 (0.0278) C>S Alert
level fatal
value illegal_parameter
1 0.2638 (0.0010) C>S TCP RST
So, according to ssldump, the "cipherSuite" entry in the ServerHello is the
same the second time round. Is it a problem that the client seems to be in
"read server hello B" state twice?
OK, can anyone advise me? Is ssldump really useful for debugging or is there
something I can do with the ssl libs to show more debugging info? I'm using
OpenSSL 0.9.6g (from the Debian package) on both machines.
SRH
--
Steve Haslam Reading, UK [EMAIL PROTECTED]
Debian GNU/Linux Maintainer [EMAIL PROTECTED]
Your heart has been ruptured and it will never heal
To get another heart you'll have to steal [leæther strip]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Development Mailing List [EMAIL PROTECTED]
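As an added example (not part of the original message, and not Exim or OpenSSL code), the comparison the post makes by eye between the two ssldump traces can be scripted. `parse` and `compare` are hypothetical helper names, and the sample text is the hello fields from the traces above, trimmed to the lines being compared.

```python
import re

# Constructed sample: the hello fields from the two ssldump traces in the
# post, trimmed to the lines being compared (values copied from the post).
FIRST = """\
ServerHello
session_id[32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipherSuite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""
SECOND = """\
ClientHello
resume [32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipher suites
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
ServerHello
session_id[32]=
3b 9e 06 43 33 ea f7 41 26 c8 21 67 2a 34 c7 76
70 05 52 b7 4b 71 b5 09 f8 29 84 60 1c 51 95 7d
cipherSuite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""
HEX = re.compile(r"^(?:[0-9a-f]{2} ?)+$")

def parse(trace):
    """Extract the resume id, server session_id and chosen cipherSuite."""
    out = {"resume": None, "session_id": None, "cipher": None}
    key = None
    for line in map(str.strip, trace.splitlines()):
        m = re.match(r"(resume|session_id) ?\[\d+\]=$", line)
        if m:
            key = m.group(1)
            out[key] = ""
        elif key and HEX.match(line):
            out[key] += line.replace(" ", "")  # join the wrapped hex dump
        else:
            key = None
            if line.startswith("cipherSuite "):
                out["cipher"] = line.split()[1]
    return out

def compare(first, second):
    """Compare a full handshake trace with a later resumption attempt."""
    a, b = parse(first), parse(second)
    return {"client_offered_cached_id": b["resume"] is not None and b["resume"] == a["session_id"],
            "server_resumed": b["resume"] is not None and b["session_id"] == b["resume"],
            "same_cipher_on_wire": b["cipher"] is not None and b["cipher"] == a["cipher"]}
```

All three checks come back true for the traces in the post, which matches the observation that the ServerHello cipherSuite is the same in both handshakes.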