On Thursday 19 February 2015 13:48:43 Hubert Kario wrote:
> On Wednesday 18 February 2015 23:49:39 Stephen Henson via RT wrote:
> > On Wed Feb 18 21:12:09 2015, laurenz.a...@wien.gv.at wrote:
> > > I ran into this problem while connecting to a PostgreSQL server
> > > (PostgreSQL uses OpenSSL for SSL support) with a Java client using
> > > the PostgreSQL JDBC driver (which uses the Java Secure Socket
> > > Extension which is part of Oracle's Java Runtime Environment).
> > > Since database connections are potentially long-lived, the PostgreSQL
> > > server will trigger a renegotiation after a certain amount of data
> > > has been exchanged via the TLS channel; this amount is configurable
> > > with the parameter "ssl_renegotiation_limit".
> > >
> > > This renegotiation is always aborted by OpenSSL with the error
> > > "unexpected record". I could reproduce the problem with OpenSSL 1.0.1e
> > > on Linux and OpenSSL 1.0.1j on Windows using Oracle JRE 1.7.0_71 and
> > > 1.7.0_75 on the client side. The protocol version in effect is
> > > TLS 1.2 (0x303).
> >
> > There were some fixes related to renegotiation handling in OpenSSL which
> > first appeared in 1.0.1k. Can you see if this problem still happens in
> > the latest version of OpenSSL?
>
> I was able to reproduce this issue on master, OpenSSL_1_0_2-stable and
> OpenSSL_1_0_1-stable branches as of *now* (2015-02-19).
>
> I have a standalone (python - tlsfuzzer/tlslite) reproducer for that, but
> the code is pre-alpha quality; I'll try to publish it anyway.
>
> I've done it with server running in -legacy_renegotiation mode, but I'm not
> sure if this can have any impact on it.
Ok, the reproducer is available:

  # generate a throwaway self-signed certificate and key (both written to /tmp
  # so that the s_server command below finds them)
  openssl req -x509 -newkey rsa:1024 -keyout /tmp/localhost.key -out /tmp/localhost.crt \
    -subj /CN=localhost -nodes -batch -sha1
  openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt \
    -legacy_renegotiation

In another console:

  git clone https://github.com/tomato42/tlslite-1.git --branch ort-3712
  git clone https://github.com/tomato42/tlsfuzzer.git
  cd tlsfuzzer
  PYTHONPATH=.:../tlslite-1/ python scripts/test-tls-server.py

That will cause the openssl process to report:

  140090260403872:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:s3_pkt.c:1610:

You'll need python 2.6, 3.2 or later (though I haven't verified if this exact
reproducer works on 2.6, so 2.7 is recommended).

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
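The error line the reproducer makes s_server print is in the format OpenSSL's ERR_print_errors() emits, and the eight hex digits in it are a packed code (in OpenSSL 1.0.x: an 8-bit library number, a 12-bit function number and a 12-bit reason number). The following is an added example, not part of the thread or of the reproducer: a small parser that unpacks such lines, so that s_server output or application logs can be checked for the "unexpected record" failure described above without an OpenSSL build at hand. The constant ERR_LIB_SSL and the sample log other than the line quoted in the thread are constructed for this example.

```python
"""Parse OpenSSL 1.0.x error-queue lines (ERR_print_errors() format) and
unpack the packed error code.

Added example, not part of the thread. Line format:
  <thread id>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:<extra data>
Code layout (ERR_PACK in OpenSSL 1.0.x): lib = bits 24..31, func = bits 12..23,
reason = bits 0..11.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# Library number that "SSL routines" maps to in OpenSSL 1.0.x (ERR_LIB_SSL).
ERR_LIB_SSL = 20


@dataclass(frozen=True)
class OpenSSLError:
    thread_id: int
    code: int
    lib_name: str
    func_name: str
    reason_name: str
    source_file: str
    source_line: int
    data: str

    @property
    def lib_id(self) -> int:
        return (self.code >> 24) & 0xFF

    @property
    def func_id(self) -> int:
        return (self.code >> 12) & 0xFFF

    @property
    def reason_id(self) -> int:
        return self.code & 0xFFF


def parse_openssl_error(line: str) -> Optional[OpenSSLError]:
    """Return the parsed error, or None if the line is not an error-queue line."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    return OpenSSLError(
        thread_id=int(m.group("tid")),
        code=int(m.group("code"), 16),
        lib_name=m.group("lib"),
        func_name=m.group("func"),
        reason_name=m.group("reason"),
        source_file=m.group("file"),
        source_line=int(m.group("line")),
        data=m.group("data"),
    )


def summarize(lines) -> Tuple[Dict[Tuple[str, str, str], int], List[str]]:
    """Count errors by (library, function, reason); collect lines that are not errors."""
    counts = Counter()
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        err = parse_openssl_error(line)
        if err is None:
            unparsed.append(line)
            continue
        counts[(err.lib_name, err.func_name, err.reason_name)] += 1
    return dict(counts), unparsed


# Constructed sample output: the first two lines repeat the error quoted in the
# thread, the remaining lines are made-up non-error output.
SAMPLE_LOG = """\
140090260403872:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:s3_pkt.c:1610:
140090260403872:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:s3_pkt.c:1610:
ACCEPT
ERROR
shutting down SSL
"""

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG.splitlines())
    for key, n in counts.items():
        print("%dx %s / %s / %s" % (n, key[0], key[1], key[2]))
    first = parse_openssl_error(SAMPLE_LOG.splitlines()[0])
    print("lib=%d func=%d reason=%d" % (first.lib_id, first.func_id, first.reason_id))
```

Unpacking the quoted line gives library 20 (SSL routines), function 148 and reason 245, which agree with the symbolic names in the line itself; the reason number is what to key on when the surrounding text is localized or truncated.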