Thanks for the response, switching caching off would probably kill our
server. Probably best for me to try rebuilding some of these malformed ssl
handshakes to see if we can corrupt our server in test. I found another
odd handshake reported by wireshark, further down the snoop, this time the
client appears to send a duff ServerHello after ChangeCipher. The 3 packet
sequence is summarised below. clients should not send a server hello, and
in this 3rd packet, which is advertised as a server hello, the packet does
have 56 bytes as advertised but they are obviously not a server hello. This
occurs about 5 mins before the server starts spewing out a proliferation of
bad record macs. This SSL connection does survive, session reuse was granted
by the server and valid data was transmitted.
packet 1 from client:
Transmission Control Protocol, Src Port: 41286 (41286), Dst Port: https
(443), Seq: 1, Ack: 1, Len: 102
Source port: 41286 (41286)
Destination port: https (443)
Sequence number: 1 (relative sequence number)
[Next sequence number: 103 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 17520
Checksum: 0x8aac [correct]
Options: (12 bytes)
Secure Socket Layer
SSLv3 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 97
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 93
Version: SSL 3.0 (0x0300)
Random.gmt_unix_time: Oct 17, 2006 14:35:34.000000000
Random.bytes
Session ID Length: 32
Session ID (32 bytes)
Cipher Suites Length: 22
Cipher Suites (11 suites)
Compression Methods Length: 1
Compression Methods (1 method)
packet 2 from server:
Transmission Control Protocol, Src Port: https (443), Dst Port: 41286
(41286), Seq: 1, Ack: 103, Len: 146
Source port: https (443)
Destination port: 41286 (41286)
Sequence number: 1 (relative sequence number)
[Next sequence number: 147 (relative sequence number)]
Acknowledgement number: 103 (relative ack number)
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 66608 (scaled)
Checksum: 0x5dc5 [correct]
Options: (12 bytes)
Secure Socket Layer
SSLv3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 70
Version: SSL 3.0 (0x0300)
Random.gmt_unix_time: Oct 17, 2006 14:39:17.000000000
Random.bytes
Session ID Length: 32
Session ID (32 bytes)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Method: null (0)
SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: SSL 3.0 (0x0300)
Length: 1
Change Cipher Spec Message
SSLv3 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 56
Handshake Protocol: Encrypted Handshake Message
packet 3 from client (malformed SSL)
Transmission Control Protocol, Src Port: 41286 (41286), Dst Port: https
(443), Seq: 103, Ack: 147, Len: 67
Source port: 41286 (41286)
Destination port: https (443)
Sequence number: 103 (relative sequence number)
[Next sequence number: 170 (relative sequence number)]
Acknowledgement number: 147 (relative ack number)
Header length: 32 bytes
Flags: 0x0018 (PSH, ACK)
Window size: 17520
Checksum: 0x199d [correct]
Options: (12 bytes)
Secure Socket Layer
SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: SSL 3.0 (0x0300)
Length: 1
Change Cipher Spec Message
SSLv3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: SSL 3.0 (0x0300)
Length: 56
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 1453772
Version: Unknown (0x103e)
Random.gmt_unix_time: Not representable
Random.bytes
Session ID Length: 203
[Malformed Packet: SSL]
======================================================
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: [email protected]
Subject: Re: wireshark and malformed ssl
Date: Fri, 27 Oct 2006 02:46:02 +0200
Hello,
> I have been using wireshark(0.99.3) to analyse ssl data flows to try to
> track down an issue where our SSL server(0.9.7d based) somehow gets
> corrupted and degrades over a period of time to the point where all ssl
> handshakes result in fatal alerts of "bad record mac". When analysing a
> capture taken before the corruption occurs using wireshark it tells me
there
> are a few malformed packets. One such example is:
> data Packet 1 from client:
> Secure Socket Layer
> SSLv3 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 97
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 93
> Version: SSL 3.0 (0x0300)
> Random.gmt_unix_time: Oct 17, 2006 14:11:14.000000000
> Random.bytes
> Session ID Length: 32
> Session ID (32 bytes)
> Cipher Suites Length: 22
> Cipher Suites (11 suites)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
>
> data packet 2, from server:
> Secure Socket Layer
> SSLv3 Record Layer: Handshake Protocol: Server Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 74
> Handshake Protocol: Server Hello
> Handshake Type: Server Hello (2)
> Length: 70
> Version: SSL 3.0 (0x0300)
> Random.gmt_unix_time: Oct 17, 2006 14:10:16.000000000
> Random.bytes
> Session ID Length: 32
> Session ID (32 bytes)
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> Compression Method: null (0)
> SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
> Content Type: Change Cipher Spec (20)
> Version: SSL 3.0 (0x0300)
> Length: 1
> Change Cipher Spec Message
> SSLv3 Record Layer: Handshake Protocol: Encrypted Handshake Message
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 56
> Handshake Protocol: Encrypted Handshake Message:
>
> data packet 3 from client (malformed):
> Secure Socket Layer
> SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
> Content Type: Change Cipher Spec (20)
> Version: SSL 3.0 (0x0300)
> Length: 1
> Change Cipher Spec Message
> SSLv3 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 56
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 4022620
> Version: Unknown (0xae45)
> Random.gmt_unix_time: Not representable
> Random.bytes
> Session ID Length: 186
In this dump we have situation where client tries to reuse
already negotiated session.
SSL packet flow should be:
CLIENT SERVER
ClientHello ->
<- ServerHello
<- ChangeCipherSpec
<- Finished (encrypted)
ChangeCipherSpec ->
Finished (encrypted) ->
but client after ChangeCipherSpec sends really malformed
(and out of order) ClientHello.
Length of any SSL handshake packet should be not bigger than
2^14 and session length should be 0-32 bytes.
My proposition is first to disable session caching, for example:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
and then look if it helps.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
_________________________________________________________________
Windows LiveĀ Messenger has arrived. Click here to download it for free!
http://imagine-msn.com/messenger/launch80/?locale=en-gb
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
