Quantum commissioned tests for TLS 1.2. The following appear to be valid (although minor) bugs in how OpenSSL servers and clients process unexpected TLS/SSL version numbers.
OpenSSL Server Anomalies:

300.001.004: Tester sets major & minor version fields to 0 in Client Hello.
  Expected: Server should issue protocol_version alert and close the connection.
  Actual: Server closes connection (sends TCP [FIN, ACK]).

300.001.005: Tester sets ProtocolVersion major and minor fields to 254.254 in ClientHello.
  Expected: Server should send Server Hello with major = 3 and minor = 3.
  Actual: Server closes connection.
  Note: GnuTLS responds.

OpenSSL Client Anomalies:

300.003.010: Tester sets ProtocolVersion major and minor fields to 254.254 in ServerHello.
  Expected: Client must issue a handshake_failure or protocol_version alert and close the connection.
  Actual: Client waited until server sent Certificate, Server Hello Done, then closed connection without sending an alert.

_____________________________________________________________________________________________________
Paul A. Suhler, PhD | Firmware Engineer | Quantum Corporation | Office: 949.856.7748 | [email protected]
Preserving the World's Most Important Data. Yours.(tm)
----------------------------------------------------------------------
The information contained in this transmission may be confidential. Any disclosure, copying, or further distribution of confidential information is not permitted unless such privilege is explicitly granted in writing by Quantum. Quantum reserves the right to have electronic communications, including email and attachments, sent across its networks filtered through anti virus and spam software programs and retain such messages in order to comply with applicable data security and retention requirements. Quantum is not responsible for the proper and complete transmission of the substance of this communication or for any delay in its receipt.
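The three anomalies above all come down to one question: what is the first thing the peer sends back when the handshake-layer ProtocolVersion is something it has never seen? The following script is an added example, not part of the report or of OpenSSL's own test suite. It hand-builds a TLS ClientHello whose client_version bytes are set to arbitrary values (0.0 and 254.254 as in the report, plus 3.3 as a control), sends it, and classifies the server's first reply as a protocol_version alert, a ServerHello with the negotiated version, or a bare TCP close with no alert. The record-layer version is fixed at 3.1, the cipher-suite list, the default host/port and the hostname used for SNI are assumptions chosen for illustration; the classifier can also be run offline on captured bytes.

```python
"""Probe how a TLS server reacts to an unexpected ClientHello version.

Added example (not from the original report or from OpenSSL).  Builds a
ClientHello with a caller-chosen handshake-layer client_version, sends it,
and reports the first record the server returns.  Target host/port, the
cipher-suite list and the SNI name are assumptions for illustration.
"""
import os
import socket
import struct
import sys

# TLS content types, handshake types and alert descriptions (RFC 5246)
CT_ALERT, CT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}

# A small TLS 1.2-era suite list; enough for an OpenSSL or GnuTLS server (assumed)
CIPHER_SUITES = [0x009C, 0x003C, 0x002F, 0x000A]


def build_client_hello(major, minor, server_name=None):
    """Return one TLS record carrying a ClientHello.

    The record-layer version stays 3.1, which is what most clients put on
    the first flight; only the handshake-layer client_version is set to
    the caller's major/minor, the field the commissioned tests varied.
    """
    body = bytes([major, minor])                       # client_version
    body += os.urandom(32)                             # random
    body += b"\x00"                                    # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites    # cipher_suites
    body += b"\x01\x00"                                # compression: null only
    if server_name is not None:                        # optional server_name ext
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: type (1 byte) + 24-bit length
    hs = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CT_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


def classify_response(data):
    """Describe the first TLS record a server sent back (b"" = TCP close)."""
    if not data:
        return "closed-without-alert"
    if len(data) < 5:
        return "truncated"
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    frag = data[5:5 + length]
    if ctype == CT_ALERT and len(frag) >= 2:          # alert: level, description
        return "alert:" + ALERT_NAMES.get(frag[1], str(frag[1]))
    if ctype == CT_HANDSHAKE and len(frag) >= 6 and frag[0] == HS_SERVER_HELLO:
        return "server_hello:%d.%d" % (frag[4], frag[5])  # server_version after 4-byte hs header
    return "other:%d" % ctype


def probe(host, port, major, minor, timeout=3.0):
    """Send the crafted ClientHello and classify the server's first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(major, minor, server_name=host))
        try:
            return classify_response(s.recv(4096))
        except ConnectionResetError:
            return "reset-without-alert"
        except socket.timeout:
            return "no-reply-within-timeout"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4433     # e.g. `openssl s_server`
    for major, minor in [(0, 0), (254, 254), (3, 3)]:  # report's cases plus a control
        print("client_version %d.%d -> %s" % (major, minor, probe(host, port, major, minor)))
```

Run it against a local `openssl s_server -accept 4433` and against a GnuTLS server to reproduce the comparison the report makes: a conforming server answers 254.254 with `server_hello:3.3` (it is free to treat any higher version as "newest I support"), while a server that only tears down the TCP connection shows up as `closed-without-alert`, which is exactly the behaviour 300.001.004 and 300.001.005 describe.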
