This can be seen with versions 0.9.7a and 0.9.7c (only versions I checked): Run openssl s_client -tls1 with an SSL server that will choose one of the TripleDES cipher suites.
The Finished message sent by the server at the end of the handshake is incorrectly rejected by the OpenSSL implementation.

Compiling SSL 0.9.7c with #define TLS1_DEBUG, it seems the problem is the following: the tls1_mac() routine computes the MAC incorrectly: the TLS1 Finished message is always 16 bytes long, however the tls1_mac computes the expected MAC thinking the message is 20 bytes long: it uses 20 bytes of the message (including the first 4 bytes of the sent MAC) and the length used in the first part of the MAC input is also set to 20. The MAC generated is incorrect, does not match the MAC sent by the server and therefore the handshake fails.

It's possible the length problem is related to the fact that the padding for the Finished message will be 4 bytes long (20 bytes padded to 24 to make 3 blocks of 8 bytes for encryption by 3-DES).

Note that the MAC generated for the client Finished message is correct, so it seems the problem is in the arguments sent to tls1_mac() when processing a received Finished message.

Apologies if this is a well-known problem, I could not find any reference to it in the RT system, except maybe the problem reported by Tim Tassonis recently.

Regards,
Fabrice Ferino.

OpenSSL Project http://www.openssl.org
Development Mailing List
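The TLS 1.0 record MAC check discussed in the message, as an added example that is not part of the original post and is not OpenSSL's code. It shows why a receiver that takes the fragment length as 20 instead of 16 rejects a valid Finished record. Assumptions: the key and Finished bytes are constructed, and the `strip_padding=False` path is only a hypothetical model of the reported symptom, not a statement of the actual cause.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20        # HMAC-SHA1, used by the TLS 1.0 3DES-SHA cipher suites
BLOCK = 8           # 3DES block size
HANDSHAKE = 22      # record content type "handshake"
TLS1_0 = (3, 1)     # protocol version bytes for TLS 1.0

# Constructed sample data (not from the post): MAC key and a Finished message
KEY = bytes(range(20))
FINISHED = bytes([20, 0, 0, 12]) + bytes(range(12))   # 4-byte header + 12-byte verify_data

def tls1_record_mac(key, seq, ctype, fragment):
    """RFC 2246 record MAC: HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QBBBH", seq, ctype, *TLS1_0, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

def build_plaintext(key, seq, ctype, fragment):
    """Sender side: fragment || MAC || padding, i.e. the input to CBC encryption."""
    body = fragment + tls1_record_mac(key, seq, ctype, fragment)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)    # padding bytes + length byte

def check_record(key, seq, ctype, plaintext, strip_padding=True):
    """Receiver side after CBC decryption. Returns (fragment_length, mac_ok).

    strip_padding=False is a hypothetical faulty variant: it subtracts only the
    MAC size, so the padding is counted as part of the fragment.
    """
    if strip_padding:
        pad_len = plaintext[-1]
        tail = plaintext[-(pad_len + 1):]
        if pad_len + 1 + MAC_LEN > len(plaintext) or any(b != pad_len for b in tail):
            return 0, False
        plaintext = plaintext[:-(pad_len + 1)]
    frag_len = len(plaintext) - MAC_LEN
    fragment = plaintext[:frag_len]
    sent_mac = plaintext[frag_len:frag_len + MAC_LEN]
    expected = tls1_record_mac(key, seq, ctype, fragment)
    return frag_len, hmac.compare_digest(sent_mac, expected)

if __name__ == "__main__":
    pt = build_plaintext(KEY, 0, HANDSHAKE, FINISHED)
    print("plaintext length:", len(pt))                        # 16 + 20 + 4
    print("correct parse:", check_record(KEY, 0, HANDSHAKE, pt))
    print("length off by padding:", check_record(KEY, 0, HANDSHAKE, pt, strip_padding=False))
```

In the faulty variant the MAC input covers the 16 Finished bytes plus the first 4 bytes of the sent MAC, with the length field set to 20, which is the behaviour the TLS1_DEBUG output in the message describes.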