While we are running tests for client cert auth between the new IE version that supports TLS 1.1/1.2 and our server (running openssl 0.9.8d, only supports up to TLS1.0), which initiates server renegotiation for the client cert, we noticed that IE sends the wrong version number in the PreMasterSecret in the renegotiation cycle. Then the server generates an alert and fails the handshake.
However, according to the RFC, the server should randomize the PreMasterSecret in case of error, rather than generate an alert. See below from the RFC (7.4.7.1. RSA Encrypted Premaster Secret Message):

Note: The version number in the PreMasterSecret MUST be the version offered by the client in the ClientHello, not the version negotiated for the connection. This feature is designed to prevent rollback attacks. Unfortunately, many implementations use the negotiated version instead, and therefore checking the version number may lead to failure to interoperate with such incorrect client implementations. Client implementations MUST, and Server implementations MAY, check the version number. In practice, since the TLS handshake MACs prevent downgrade and no good attacks are known on those MACs, ambiguity is not considered a serious security risk. Note that if servers choose to check the version number, they should randomize the PreMasterSecret in case of error, rather than generate an alert, in order to avoid variants on the Bleichenbacher attack. [KPR03]

Does OpenSSL have a fix for that behavior in newer versions?

Thanks,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 01, 2012 5:26 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL & "Security Update for Windows Server 2008 R2 x 64 Edition (KB2585542)"

Since I can't reproduce this I'm wondering if the CAC cards introduce an additional element. I can see two possible reasons why they might:

1. Client authentication requires renegotiation if it is enabled on certain webpages and not across the whole site. There was a problem with version numbers in premaster secrets with IIS which has been fixed: I wonder if there is a similar one with MSIE which affects OpenSSL servers.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
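Added example, not code from the thread and not OpenSSL's own implementation: a server-side sketch of the RFC note quoted above. The server checks the version bytes of the decrypted RSA premaster against what the client offered in ClientHello; on any failure (bad unpadding, wrong length, wrong version) it substitutes a random premaster and carries on, so the handshake only fails at Finished, with nothing for the peer to distinguish from a merely wrong premaster. The alerting variant is included purely as the contrast case the RFC advises against, and an `accept_versions` parameter models the "Server implementations MAY check" interop choice for clients that put the negotiated version in the premaster. The function names, the SHA-256 stand-in for the Finished computation, and the version values (3,3 offered, 3,1 negotiated) are all constructed for this example.

```python
import hashlib
import os

PREMASTER_LEN = 48  # 2-byte client_version followed by 46 random bytes


def derive_premaster(decrypted, client_hello_version, accept_versions=(), rng=os.urandom):
    """Return the 48-byte premaster secret the server will key from.

    decrypted            : plaintext recovered from RSA-decrypting ClientKeyExchange,
                           or None when PKCS#1 v1.5 unpadding failed.
    client_hello_version : (major, minor) the client offered in ClientHello.
    accept_versions      : extra (major, minor) values to tolerate, e.g. the
                           negotiated version, for clients that put that in the
                           premaster instead (the interop case the RFC warns about).
    rng                  : random byte source; a parameter only so tests can pin it.

    No error is ever signalled: on any problem a random premaster is returned and
    the handshake goes on, so it fails later at Finished exactly as it would for a
    well-formed but wrong premaster. That is what denies a Bleichenbacher oracle.
    """
    # Drawn on every call so the random generation happens on both paths.
    fallback = rng(PREMASTER_LEN)

    if decrypted is None or len(decrypted) != PREMASTER_LEN:
        return fallback

    version = (decrypted[0], decrypted[1])
    if version == client_hello_version or version in accept_versions:
        return bytes(decrypted)

    return fallback


def derive_premaster_alerting(decrypted, client_hello_version):
    """The behaviour the RFC tells servers NOT to use: fail with an alert.

    Raising here lets the peer tell "decryption/version failed" apart from
    "handshake continued", which is exactly the distinguisher the RFC wants
    removed. Kept only as the contrast case (hypothetical helper).
    """
    if decrypted is None or len(decrypted) != PREMASTER_LEN:
        raise ValueError("decrypt_error")
    if (decrypted[0], decrypted[1]) != client_hello_version:
        raise ValueError("decrypt_error: wrong version in premaster")
    return bytes(decrypted)


def finished_matches(server_premaster, client_premaster, transcript=b"constructed transcript"):
    """Stand-in for the Finished check: each side derives a verify value from its
    premaster and the handshake transcript; they agree only if the premasters do.
    Real TLS uses the PRF; SHA-256 is enough to show the idea."""
    s = hashlib.sha256(server_premaster + transcript).digest()
    c = hashlib.sha256(client_premaster + transcript).digest()
    return s == c


if __name__ == "__main__":
    offered = (3, 3)      # constructed: ClientHello offered TLS 1.2
    negotiated = (3, 1)   # constructed: server only speaks up to TLS 1.0

    correct = bytes(offered) + os.urandom(46)     # client follows the RFC
    legacy = bytes(negotiated) + os.urandom(46)   # client used the negotiated version

    # Strict server with RFC-recommended error handling: no alert, Finished fails.
    pms = derive_premaster(legacy, offered)
    print("strict server, legacy client: Finished ok?", finished_matches(pms, legacy))

    # Lenient server: tolerate the negotiated version for interop.
    pms = derive_premaster(legacy, offered, accept_versions=(negotiated,))
    print("lenient server, legacy client: Finished ok?", finished_matches(pms, legacy))

    # A correct client works on the strict server.
    pms = derive_premaster(correct, offered)
    print("strict server, correct client: Finished ok?", finished_matches(pms, correct))
```

The design point is that `derive_premaster` has a single return type and no error path the caller can branch on: whether the check passed is only visible, much later, as a Finished mismatch, which looks the same as any other bad premaster.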