On Tue, Jun 11, 2002 at 11:16:49AM +0200, Joerg Bartholdt wrote: > trying the 0.9.7-beta1 I came across a problem with a OpenSSL097 server > (e.g. openssl s_server) and a iSaSiLk 3.03 client (demo.basic.SSLClient). > When the Handshake took place, and the client send some initial data > (e.g. a GET / HTTP/1.0), the reponse of the server will be corrupted. > OpenSSL on the server-side sends a 24byte reply prior to the "real" > reply containing the data all in one TCP-packet: [...] > The last packet from the Server contains two TLS records in one packet. > I marked the beginning of each packet with two slashes (//) (dump from > ethereal): > Secure Socket Layer > TLS Record Layer: Application Data > Content Type: Application Data (23) > Version: TLS 1.0 (0x0301) > Length: 24 > Application Data > TLS Record Layer: Application Data > Content Type: Application Data (23) > Version: TLS 1.0 (0x0301) > Length: 48 > Application Data > > 0000 00 00 08 00 45 00 00 86 74 d9 40 00 40 06 c7 96 ....E...t.@.@... > 0010 7f 00 00 01 7f 00 00 01 11 51 82 52 57 07 5a 0f .........Q.RW.Z. > 0020 57 28 c3 29 80 18 7f ff ac f8 00 00 01 01 08 0a W(.)............ > 0030 0a d7 24 d9 0a d7 20 ff //17 03 01 00 18 2f 29 68 ..$... ....../)h > 0040 d9 a7 0f 95 a7 09 45 a1 2d 75 f0 dc 8c 05 25 ee ......E.-u....%. > 0050 c2 4e cd be a4 //17 03 01 00 30 39 26 bd 0c e1 ec .N.......09&.... > 0060 fb 37 19 b9 2f eb 02 a8 46 6b a8 4c 0d 89 90 4a .7../...Fk.L...J > 0070 5e b0 b2 72 2c 13 29 ed de e7 0d 6c 89 54 19 2c ^..r,.)....l.T., > 0080 62 2a a6 5d 16 66 b1 ff e6 a2 b*.].f....
Starting with the next snapshots, you can use the new SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option to disable the SSL/TLS vulnerability countermeasure that caused these interoperability problems. Most application protocols should not be vulnerable, so in many cases the countermeasure may be safely disabled to ensure interoperability with broken SSL/TLS implementations. The new option will also be part of SSL_OP_ALL, meaning that it will be automatically enabled in software such as mod_ssl (for 'openssl s_server', use the '-bugs' option). -- Bodo Möller <[EMAIL PROTECTED]> PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html * TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt * Tel. +49-6151-16-6628, Fax +49-6151-16-6036 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
