Hi All,
We are having a problem with Telnet/SSL. The server (IBM UniVerse) uses OpenSSL 0.9.7e. It was upgraded from OpenSSL 0.9.6e, which is where our troubles started. Under Windows Vista, we are connecting to the server and the SSL handshake is failing. Under Windows XP or using the older version of UniVerse, the connection was established correctly. Some information that we have been able to discover: When connecting to the old version of the server from XP SP2, TLS_RSA_WITH_RC4_MD5 is used. When connecting to the old version of the server from Vista, TLS_RSA_WITH_RC4_SHA is used. When connecting to the new version of the server from XP SP2, TLS_RSA_WITH_RC4_MD5 is used. When connecting to the new version of the server from Vista, TLS_RSA_WITH_AES_128_CBC_SHA is used. This one fails. We have tried connecting to the Telnet/SSL server with Wintegrate 6.0 and Network Magic (which are both Telnet clients that support Telnet/SSL) from Vista, both are compiled against OpenSSL, and both connect fine. It is worth noting that both connect using TLS_DHE_RSA_WITH_AES_256_CBC_SHA. However, when we use our third-party control in our application that supports Telnet/SSL, it fails. I've put in a support call with both IBM and our third-party provider, but I figured I would also hit up this group to see if anybody has any ideas or thoughts as to why this could be happening. I'm at a loss as to where the problem is occurring and whos fault it is (and hence how to fix it!). I don't know if it is an OpenSSL issue, Microsoft Issue (the third party control uses the Microsoft Unified Security Protocol Provider) or something else entirely. One interesting thing is that we have found that by modifying the SSL Cipher Order in Vista through the policy editor that we can move the order of SSL Cipher choices and that if we move TLS_RSA_WITH_RC4_SHA to the top, we can connect with Vista. This is, however, not a useable solution for our customers (since it involves group policy changes, rebooting machines, etc...). To me, this points to Microsoft, but I don't know... I'm not knowledgeable enough about SSL and all this stuff. Here is the client request through Ethereal: Frame 4 (123 bytes on wire, 123 bytes captured) Transmission Control Protocol, Src Port: 49274 (49274), Dst Port: 992 (992), Seq: 1, Ack: 1, Len: 69 Secure Socket Layer SSLv2 Record Layer: Client Hello Length: 67 Handshake Message Type: Client Hello (1) Version: TLS 1.0 (0x0301) Cipher Spec Length: 42 Session ID Length: 0 Challenge Length: 16 Cipher Specs (14 specs) Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f) Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035) Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005) Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a) Cipher Spec: Unknown (0x00c009) Cipher Spec: Unknown (0x00c00a) Cipher Spec: Unknown (0x00c013) Cipher Spec: Unknown (0x00c014) Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032) Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038) Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013) Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004) Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080) Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0) Challenge Here is a copy of the server response through Ethereal: No. Time Source Destination Protocol Info 6 0.346840 172.27.1.6 172.27.5.126 SSLv3 Server Hello, Certificate, Server Hello Done Frame 6 (792 bytes on wire, 792 bytes captured) Transmission Control Protocol, Src Port: 992 (992), Dst Port: 49274 (49274), Seq: 1, Ack: 70, Len: 738 Secure Socket Layer SSLv3 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: SSL 3.0 (0x0300) Length: 74 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 70 Version: SSL 3.0 (0x0300) Random.gmt_unix_time: May 3, 2007 14:31:49.000000000 Random.bytes Session ID Length: 32 Session ID (32 bytes) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Compression Method: null (0) SSLv3 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: SSL 3.0 (0x0300) Length: 645 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 641 Certificates Length: 638 Certificates (638 bytes) Certificate Length: 635 Certificate: 308201E0020100300D06092A864886F70D01010505003081... () signedCertificate serialNumber: 0 signature (shaWithRSAEncryption) Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption) issuer: rdnSequence (0) *removed certificate information* validity notBefore: utcTime (0) utcTime: 050427175442Z notAfter: utcTime (0) utcTime: 050527175442Z subject: rdnSequence (0) *removed certificate information* subjectPublicKeyInfo algorithm (rsaEncryption) Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption) Padding: 0 subjectPublicKey: 30818902818100C2B16C6617DE98949B8D9A04232CCCCFAA... algorithmIdentifier (shaWithRSAEncryption) Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption) Padding: 0 encrypted: 32EEAB3A5EA0BDE55492B478AAC2144D0585DA7E610FF227... SSLv3 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) Version: SSL 3.0 (0x0300) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 Any and all help is much appreciated! Clayton Boucher Campana Systems Inc ============================================================================== This email and any attachments may contain confidential and privileged information which is not subject to public disclosure. If you are not the intended recipient, please notify the sender immediately by return email and delete this email. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. L'information ou tout fichier joint contenu dans ce courriel est confidentiel et destiné uniquement au(x) récipiendaire(s) nommé(s) ci-dessus. Si vous n'êtes pas le récipiendaire identifié, prière de répondre immédiatement par courriel à l'expéditeur et effacer toute copie de ce courriel. La diffusion ou l'usage de cette information par une autre personne que le ou les récipiendaires prévus est non autorisé et peut être illégal. ==============================================================================