While we were running tests for client cert auth between the new IE version that 
supports TLS 1.1/1.2 and our server (running openssl 0.9.8d, which only supports up 
to TLS 1.0), which initiates server renegotiation for the client cert, we noticed 
that IE sends the wrong version number in the PreMasterSecret in the 
renegotiation cycle. The server then generates an alert and fails the 
handshake. 

However, according to the RFC, the server should randomize the 
PreMasterSecret in case of error, rather than generate an alert. See below from 
the RFC:

   Note: The version number in the PreMasterSecret MUST be the version
         offered by the client in the ClientHello, not the version
         negotiated for the connection.  This feature is designed to
         prevent rollback attacks.  Unfortunately, many implementations
         use the negotiated version instead, and therefore checking the
         version number may lead to failure to interoperate with such
         incorrect client implementations.  Client implementations, MUST
         and Server implementations MAY, check the version number.  In
         practice, since the TLS handshake MACs prevent downgrade and no
         good attacks are known on those MACs, ambiguity is not
         considered a serious security risk.  Note that if servers
         choose to check the version number, they should randomize the
         PreMasterSecret in case of error, rather than generate an
         alert, in order to avoid variants on the Bleichenbacher attack.
         [KPR03]


   7.4.7.1. RSA Encrypted Premaster Secret Message

Does OpenSSL have a fix for that behavior in newer versions?

Thanks,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 01, 2012 5:26 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL & "Security Update for Windows Server 2008 R2 x 64 Edition 
(KB2585542)"

Since I can't reproduce this I'm wondering if the CAC cards introduce an 
additional element. I can see two possible reasons why they might:

1. Client authentication requires renegotiation if it is enabled on certain 
webpages and not across the whole site. There was a problem with version numbers 
in premaster secrets with IIS which has been fixed: I wonder if there is a 
similar one with MSIE which affects OpenSSL servers.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
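The RFC note quoted in the message above says a server that checks the version in the PreMasterSecret should substitute random bytes on error instead of alerting, so that a wrong version or bad PKCS#1 padding is indistinguishable from success until the Finished message fails. The example below is an added illustration, not code from the thread or from OpenSSL: it implements the server-side selection procedure that RFC 5246 section 7.4.7.1 (the TLS 1.2 successor of the text quoted) spells out, and feeds it a constructed client block of the kind the original poster describes, where the client offered TLS 1.2 in ClientHello but put the negotiated TLS 1.0 version into the premaster secret. The RSA decryption step is left out: `derive_premaster` receives the already-decrypted padded plaintext directly, and the `rng` parameter is an assumption added so the demo is deterministic. A real implementation must also make `unpad_pkcs1_v15` constant-time, which this Python version is not.

```python
import os

TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)


def unpad_pkcs1_v15(plaintext: bytes):
    """Strip PKCS#1 v1.5 type-2 padding: 00 02 <PS, >= 8 non-zero bytes> 00 <M>.

    Returns M, or None when the padding is malformed. Illustrative only:
    a real server must do this in constant time.
    """
    if len(plaintext) < 11 or plaintext[0] != 0x00 or plaintext[1] != 0x02:
        return None
    try:
        separator = plaintext.index(0x00, 2)
    except ValueError:
        return None
    if separator - 2 < 8:          # PS shorter than 8 bytes is invalid
        return None
    return plaintext[separator + 1:]


def derive_premaster(decrypted, client_version, allow_legacy_version=False, rng=os.urandom):
    """Server-side premaster-secret selection following RFC 5246 7.4.7.1.

    decrypted       : raw RSA decryption output (padded plaintext), or None if
                      the RSA operation itself failed.
    client_version  : ClientHello.client_version, i.e. the version the client
                      OFFERED, not the one negotiated (RFC note on rollback).
    Always returns 48 bytes and never raises: a bad padding, wrong length or
    wrong version all fall through to a value the client cannot match, so the
    handshake only fails later at Finished and no Bleichenbacher-style oracle
    is exposed by an early alert.
    """
    r = rng(46)                                  # step 1: 46 random bytes, always generated
    version_bytes = bytes(client_version)
    m = unpad_pkcs1_v15(decrypted) if decrypted is not None else None
    if m is None or len(m) != 48:                # bad padding or bad length
        return version_bytes + r
    if allow_legacy_version and client_version <= TLS_1_0:
        return m                                 # version check explicitly disabled for old clients
    return version_bytes + m[2:]                 # force the offered version; mismatch breaks Finished


def client_premaster_block(version_in_premaster, rng=os.urandom):
    """Constructed client side for the demo: the PKCS#1 v1.5 block a client
    would RSA-encrypt, version || 46 random bytes under 00 02 PS 00.
    PS is kept at the 8-byte minimum; a real block pads to the modulus size.
    Returns (padded_block, premaster) so the test can compare both ends.
    """
    premaster = bytes(version_in_premaster) + rng(46)
    ps = bytes(b if b else 0xFF for b in rng(8))  # PS bytes must be non-zero
    return b"\x00\x02" + ps + b"\x00" + premaster, premaster


def handshake_keys_agree(client_premaster, server_premaster):
    """True only when both sides derived the same premaster secret, i.e. the
    Finished MACs would verify. A False here is how the failure surfaces
    instead of a decrypt-time alert."""
    return client_premaster == server_premaster


if __name__ == "__main__":
    # Scenario from the thread: ClientHello offered TLS 1.2, renegotiation runs
    # at TLS 1.0, and the client wrongly writes the negotiated version.
    block, client_pm = client_premaster_block(TLS_1_0)
    server_pm = derive_premaster(block, client_version=TLS_1_2)
    print("buggy client, handshake completes:", handshake_keys_agree(client_pm, server_pm))

    block, client_pm = client_premaster_block(TLS_1_2)
    server_pm = derive_premaster(block, client_version=TLS_1_2)
    print("correct client, handshake completes:", handshake_keys_agree(client_pm, server_pm))

    # Garbage ciphertext: still 48 bytes back, no exception, no alert.
    print("bad padding yields", len(derive_premaster(b"\x00\x01garbage", TLS_1_2)), "bytes")
```

The interop trade-off the RFC note describes is visible in the `allow_legacy_version` branch: it only helps clients that offered TLS 1.0 or lower, so a client that offers TLS 1.2 and then writes TLS 1.0 into the premaster secret still fails at Finished. OpenSSL exposes the equivalent relaxation as the SSL_OP_TLS_ROLLBACK_BUG option; whether a given release handles this specific renegotiation case is the question the poster is asking, and the example does not answer it.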