Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00 instead
of 0xfe,0xff
$ ./openssl s_client -dtls1 -debug
CONNECTED(00000003)
write to 0x5d3640 [0x5dd3f8] (119 bytes => 119 (0x77))
0000 - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00 ............j...
Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3
bytes instead of 1 byte, including a 2 byte message sequence number.
$ ./openssl s_client -dtls1 -debug
<snipped>
write to 0x5d3640 [0x5e2d80] (16 bytes => 16 (0x10))
0000 - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03 ................
The first 13 bytes are the record header followed by the CCS which is 3
bytes: 01 00 03
There is no MSN in the CCS. I had a lengthy discussion with Eric on this
topic and he was very clear that the CCS has no MSN and he did not want to
add it to the CCS.
I also discovered it is very easy to crash openssl or make the handshake
fail using the -mtu argument (testing on windows xp).
./openssl s_server -dtls1 -debug -mtu 100
./openssl s_client -dtls1 -debug -mtu 100
- server Segmentation fault (core dumped)
./openssl s_server -dtls1 -debug -mtu 128
./openssl s_client -dtls1 -debug -mtu 128
- server 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad
certificate
- client 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1
lib:s3_clnt.c
./openssl s_server -dtls1 -debug -mtu 256
./openssl s_client -dtls1 -debug -mtu 256
- server DTLS1_READ_BYTES:sslv3 alert bad certificate
- client 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1
lib:s3_clnt.c
./openssl s_server -dtls1 -debug -mtu 512
./openssl s_client -dtls1 -debug -mtu 512
- server SSL3_GET_FINISHED:digest check failed
- client handshake failure
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
