OpenSSL 0.9.7c 30 Sep 2003 built on: Thu Nov 13 23:47:30 2003 platform: VC-NT options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfis h(idx) compiler: cl /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT /Fd out32dll -DOPENSSL_NO_KRB5 OPENSSLDIR: "/usr/local/ssl"
Problem description: With the release of OpenSSL 0.9.7c, people start to see the error "SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:missing export tmp rsa key:s3_clnt.c:1952" on the cient side, e.g.: http://www.mail-archive.com/[EMAIL PROTECTED]/msg33162.html Analysis: The root of this problem is in line 109, x509type.c: if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look New export regulations allow the export of 56-bit encryption and 1024-bit key exchange(check out #define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024) in ssl_locl.h), but this line will attribute any PKEY size bigger than 512 bit as non-exportable. In my scenario: the server has only export license, and chooses the cipher EXP1024-RC4-SHA. The server's RSA key is also 1024 bit, so it opts NOT to use ephemeral key exchange. Then on the client side, OpenSSL correctly identifies EXP1024-RC4-SHA as exportable, but incorrectly treats the server's 1024 bit RSA key used to sign the x509 certificate as non-exportable. Given that no ephemeral key is used to work around the "problem", the client side reports error "missing export tmp rsa key" and fails the handshake. A possible solution would be to change it to: if (EVP_PKEY_size(pk) <= 1024/8) Thanks, Charles Zhang [EMAIL PROTECTED] _________________________________________________________________ Great deals on high-speed Internet access as low as $26.95. https://broadband.msn.com (Prices may vary by service area.) ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
