Hi All,
We are having a problem with Telnet/SSL. The server (IBM UniVerse) uses
OpenSSL 0.9.7e. It was upgraded from OpenSSL 0.9.6e, which is where our
troubles started.
Under Windows Vista, we are connecting to the server and the SSL
handshake is failing. Under Windows XP or using the older version of
UniVerse, the connection was established correctly.
Some information that we have been able to discover:
When connecting to the old version of the server from XP SP2,
TLS_RSA_WITH_RC4_MD5 is used.
When connecting to the old version of the server from Vista,
TLS_RSA_WITH_RC4_SHA is used.
When connecting to the new version of the server from XP SP2,
TLS_RSA_WITH_RC4_MD5 is used.
When connecting to the new version of the server from Vista,
TLS_RSA_WITH_AES_128_CBC_SHA is used. This one fails.
We have tried connecting to the Telnet/SSL server with Wintegrate 6.0
and Network Magic (which are both Telnet clients that support
Telnet/SSL) from Vista, both are compiled against OpenSSL, and both
connect fine. It is worth noting that both connect using
TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
However, when we use our third-party control in our application that
supports Telnet/SSL, it fails. I've put in a support call with both IBM
and our third-party provider, but I figured I would also hit up this
group to see if anybody has any ideas or thoughts as to why this could
be happening. I'm at a loss as to where the problem is occurring and
whose fault it is (and hence how to fix it!). I don't know if it is an
OpenSSL issue, Microsoft issue (the third party control uses the
Microsoft Unified Security Protocol Provider) or something else
entirely.
One interesting thing is that we have found that by modifying the SSL
Cipher Order in Vista through the policy editor that we can move the
order of SSL Cipher choices and that if we move TLS_RSA_WITH_RC4_SHA to
the top, we can connect with Vista. This is, however, not a useable
solution for our customers (since it involves group policy changes,
rebooting machines, etc...). To me, this points to Microsoft, but I
don't know... I'm not knowledgeable enough about SSL and all this stuff.
Here is the client request through Ethereal:
Frame 4 (123 bytes on wire, 123 bytes captured)
Transmission Control Protocol, Src Port: 49274 (49274), Dst Port: 992 (992), Seq: 1, Ack: 1, Len: 69
Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 67
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 42
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (14 specs)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: Unknown (0x00c009)
            Cipher Spec: Unknown (0x00c00a)
            Cipher Spec: Unknown (0x00c013)
            Cipher Spec: Unknown (0x00c014)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
        Challenge
Here is a copy of the server response through Ethereal:
No.  Time      Source       Destination    Protocol  Info
6    0.346840  172.27.1.6   172.27.5.126   SSLv3     Server Hello, Certificate, Server Hello Done
Frame 6 (792 bytes on wire, 792 bytes captured)
Transmission Control Protocol, Src Port: 992 (992), Dst Port: 49274 (49274), Seq: 1, Ack: 70, Len: 738
Secure Socket Layer
    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: SSL 3.0 (0x0300)
            Random.gmt_unix_time: May 3, 2007 14:31:49.000000000
            Random.bytes
            Session ID Length: 32
            Session ID (32 bytes)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Method: null (0)
    SSLv3 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 645
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 641
            Certificates Length: 638
            Certificates (638 bytes)
                Certificate Length: 635
                Certificate: 308201E0020100300D06092A864886F70D01010505003081... ()
                    signedCertificate
                        serialNumber: 0
                        signature (shaWithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                        issuer: rdnSequence (0)
                            *removed certificate information*
                        validity
                            notBefore: utcTime (0)
                                utcTime: 050427175442Z
                            notAfter: utcTime (0)
                                utcTime: 050527175442Z
                        subject: rdnSequence (0)
                            *removed certificate information*
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            Padding: 0
                            subjectPublicKey: 30818902818100C2B16C6617DE98949B8D9A04232CCCCFAA...
                    algorithmIdentifier (shaWithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                    Padding: 0
                    encrypted: 32EEAB3A5EA0BDE55492B478AAC2144D0585DA7E610FF227...
    SSLv3 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
Any and all help is much appreciated!
Clayton Boucher
Campana Systems Inc
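
Added example, not part of the original post: this Python sketch rebuilds the SSLv2-compatible Client Hello from the field values in the capture above (the 16-byte challenge is a constructed zero placeholder), parses the 3-byte cipher specs back out, and models a server that picks the first client-listed suite it supports. The two server suite sets and the client-preference selection rule are assumptions for illustration, differing only in AES support; they are not taken from UniVerse or from the capture.

```python
import struct

# Cipher specs in the order the capture lists them (names as Ethereal printed them).
OFFERED = [
    (0x00002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    (0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    (0x000005, "TLS_RSA_WITH_RC4_128_SHA"),
    (0x00000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    (0x00C009, "Unknown"), (0x00C00A, "Unknown"),
    (0x00C013, "Unknown"), (0x00C014, "Unknown"),
    (0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"),
    (0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"),
    (0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"),
    (0x000004, "TLS_RSA_WITH_RC4_128_MD5"),
    (0x010080, "SSL2_RC4_128_WITH_MD5"),
    (0x0700C0, "SSL2_DES_192_EDE3_CBC_WITH_MD5"),
]
NAMES = dict(OFFERED)
# Assumed server models (hypothetical): identical except that "new" also has AES.
OLD_SERVER = {0x000005, 0x000004, 0x00000A}
NEW_SERVER = OLD_SERVER | {0x00002F, 0x000035}

def build_hello(specs, challenge):
    """Encode an SSLv2-format Client Hello: 2-byte header, then the fixed fields."""
    body = struct.pack(">BHHHH", 1, 0x0301, 3 * len(specs), 0, len(challenge))
    body += b"".join(c.to_bytes(3, "big") for c in specs) + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_hello(record):
    """Return (version, [cipher spec codes]) or raise ValueError on a bad record."""
    (hdr,) = struct.unpack_from(">H", record)
    body = record[2:]
    if not hdr & 0x8000 or len(body) != hdr & 0x7FFF or len(body) < 9:
        raise ValueError("not a complete 2-byte-header SSLv2 record")
    msg, version, spec_len, sid_len, chal_len = struct.unpack_from(">BHHHH", body)
    if msg != 1 or spec_len % 3 or 9 + spec_len + sid_len + chal_len != len(body):
        raise ValueError("malformed Client Hello")
    return version, [int.from_bytes(body[i:i + 3], "big") for i in range(9, 9 + spec_len, 3)]

def select(client_specs, server_supported):
    """Client-preference selection: first offered suite the server supports."""
    return next((c for c in client_specs if c in server_supported), None)

if __name__ == "__main__":
    record = build_hello([c for c, _ in OFFERED], bytes(16))  # constructed challenge
    version, specs = parse_hello(record)
    print(len(record), hex(version), len(specs))
    for label, server in (("old", OLD_SERVER), ("new", NEW_SERVER)):
        print(label, NAMES[select(specs, server)])
```

The encoded record comes out at 69 bytes with a 67-byte body, matching the TCP `Len: 69` and record `Length: 67` in the capture.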