Dr. Stephen Henson wrote:
> On Sat, Jan 23, 2010, Dr. Stephen Henson wrote:
>
>
>> On Fri, Jan 22, 2010, Michael Stone wrote:
>>
>>
>>> This certainly looks like a 12-byte verify_data field encoded as a
>>> variable-length vector (i.e. prefixed with a 1-byte length).
>>>
>>> 6. We receive a fatal unexpected_message alert:
>>>
>>> <<< TLS 1.0 Alert [length 0002], fatal unexpected_message
>>> 02 0a
>>>
>>> 7. The end.
>>>
>>> ## Questions
>>>
>>> 1. Everything looks good until we get the unexpected_message
>>> alert. Is there some reason why we should expect to see it?
>>>
>>>
>> Just a quick note. I can reproduce this now and I'm investigating it further.
>>
>>
>
> I've traced the cause this was *fun*. The full story is in:
>
> http://cvs.openssl.org/chngview?cn=19145
>
> This is a case of a bug in OpenSSL (PR#1949) being fixed but a related bug in
> Apache still existing in older versions.
>
> The clue to this was that the hello request message was never sent back to the
> client. As a result it never initiated the renegotiation handsgake and
> appeared
> to refuse the renegotiation request (which we regard as a fatal error) and
> that was the result.
>
> The above patch should address this, if you trace the reference in PR#1949
> you'll also see and Apache only fix for this.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
>
Hi Steve,
I tried the new fix and it did not work for me. The Apache only fix did
make renegotiation work however. The new fix hangs with the following
output on s_client:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
62ABA153873FB6B1739D45679F686975BD80C45E8B6428ACD465E44652941B08
Session-ID-ctx:
Master-Key:
09A9AB1A2499B6D4327FF84026111E829BC4077DD694A9AAA37E1B0AF641BE2DB651FBA9ED0EAC9367EF3A488A97B4ED
Key-Arg : None
TLS session ticket: ...
Start Time: 1264451239
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
GET /cgi-bin/client-cert-reneg/printenv?p1=v1&p2=v2&p3=v3 HTTP/1.0
Host: caqa3-3.ssltest.akamai.com
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=California/L=San Mateo/O=Akamai Technologies/OU=Ghost CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
[hang]
Let me know if there is anything I can provide to help.
Thanks,
fred
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
