I found this post:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/ZLQcp87Zx8A
This is the right solution
Lee
On Fri, Jan 10, 2014 at 1:04 PM, yueyue papa <yueyuep...@gmail.com> wrote:
> I use these macro to disable TLSEXT,
> CPPOPTS +=-DOPENSSL_NO_TLSEXT -DOPENSSL_NO_HEARTBEATS -DOPENSSL_NO_SRTP
> -DOPENSSL_NO_DTLS1
>
> whether there is other macro is required to set, so openSSL 1.0.1 won't
> tell server TLS features
>
> Lee
>
>
>
> On Fri, Jan 10, 2014 at 12:30 PM, Dave Thompson <dthomp...@prinpay.com>wrote:
>
>> (Due to Outlook upgrade, I can no longer reply inline to richtext. Sorry.)
>>
>>
>>
>> Is it possible your failing client openssl was built with –no-tlsext ?
>>
>> Both ServerHello replies do contain the RI extension (because the
>>
>> cipherlist contained SCSV_ERI); if the code to parse extensions
>>
>> isn’t executed, then the packet length will mismatch.
>>
>>
>>
>> Maybe if TLSEXT is disabled client shouldn’t send SCSV_ERI,
>>
>> since it is promising capability we can’t deliver on. OTOH,
>>
>> more and more TLS usage depends on extensions, so
>>
>> disabling TLSEXT is increasingly a bad idea.
>>
>>
>>
>>
>>
>> *From:* owner-openssl-us...@openssl.org [mailto:
>> owner-openssl-us...@openssl.org] *On Behalf Of *yueyue papa
>> *Sent:* Thursday, January 09, 2014 22:21
>> *To:* openssl-users@openssl.org
>> *Subject:* *** Spam *** about ssl3_get_server_hello
>>
>>
>>
>> The 0.9.8h openSSL version is working correct in my system. Recently, I
>> updated to 1.0.1e openSSL, I meet the SSL connection failure.
>>
>>
>>
>> The problem is in here
>>
>>
>>
>> case SSL3_ST_CR_SRVR_HELLO_A:
>>
>> case SSL3_ST_CR_SRVR_HELLO_B:
>>
>> ret=ssl3_get_server_hello(s);
>>
>> if (ret <= 0)
>>
>>
>>
>> ###### My embedded environment connect log#########
>>
>> ssl3_connect state[5000]
>>
>> ssl3_connect state[1110]
>>
>> ssl sock_write(), want in1 = 66
>>
>> sock_write=: length = 66 [0x42]
>>
>> 0x20a66fcb 16 03 00 00 3D 01 00 00 - 39 03 00 52 CF 0B D8 E8 |
>> ....=...9..R....
>>
>> 0x20a66fdb C2 06 F6 5B AD 42 CB 65 - 29 1D 76 3C 82 EF 36 F3 |
>> ...[.B.e).v<..6.
>>
>> 0x20a66feb 81 89 CE AD 68 24 DF 98 - 7C A8 64 00 00 12 00 35 |
>> ....h$..|.d....5
>>
>> 0x20a66ffb 00 0A 00 2F 00 05 00 04 - 00 09 00 08 00 03 00 FF |
>> .../............
>>
>> 0x20a6700b 01 00 - | ..
>>
>> ssl3_connect state[1120]
>>
>> ssl sock_read(), want out1 = 5
>>
>> sock_read=: length = 5 [0x5]
>>
>> 0x20a62e7b 16 03 00 00 51 - |
>> ....Q
>>
>> ssl sock_read(), want out1 = 81
>>
>> sock_read=: length = 81 [0x51]
>>
>> 0x20a62e80 02 00 00 4D 03 00 52 CF - 60 34 AE D2 CF C7 5D A7 |
>> ...M..R.`4....].
>>
>> 0x20a62e90 15 71 39 36 08 8B D3 DB - C8 E8 15 23 94 AE EB E6 |
>> .q96.......#....
>>
>> 0x20a62ea0 3E CE 3B 55 63 60 20 2F - 3D 93 96 71 B2 FE 3A 10 |
>> >.;Uc` /=..q..:.
>>
>> 0x20a62eb0 53 31 84 59 06 B2 5F 09 - 62 A0 89 91 A3 20 E2 9A |
>> S1.Y.._.b.... ..
>>
>> 0x20a62ec0 5F 32 24 75 4A 28 5E 00 - 05 00 00 05 FF 01 00 01 |
>> _2$uJ(^.........
>>
>> 0x20a62ed0 00 - | .
>>
>> #############
>>
>>
>>
>> ######My PC connect log #########
>>
>> CONNECTED(00000180)
>>
>> write to 0x1fee3f0 [0x1e72fab] (152 bytes => 152 (0x98))
>>
>> 0000 - 16 03 00 00 93 01 00 00-8f 03 00 52 cf 5a 9e ee ...........R.Z..
>>
>> 0010 - f2 c6 eb ac bd 82 4d cf-34 17 88 5e e7 5d e4 f3 ......M.4..^.]..
>>
>> 0020 - ba b8 d0 04 12 88 bf 50-e4 4d 57 00 00 68 c0 14 .......P.MW..h..
>>
>> 0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f ...".!.9.8......
>>
>> 0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16 ...5............
>>
>> 0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e ................
>>
>> 0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04 .3.2.....E.D....
>>
>> 0070 - 00 2f 00 96 00 41 00 07-c0 11 c0 07 c0 0c c0 02 ./...A..........
>>
>> 0080 - 00 05 00 04 00 15 00 12-00 09 00 14 00 11 00 08 ................
>>
>> 0090 - 00 06 00 03 00 ff 01 .......
>>
>> 0098 - <SPACES/NULS>
>>
>> read from 0x1fee3f0 [0x1e6ea5b] (5 bytes => 5 (0x5))
>>
>> 0000 - 16 03 00 00 51 ....Q
>>
>> read from 0x1fee3f0 [0x1e6ea60] (81 bytes => 81 (0x51))
>>
>> 0000 - 02 00 00 4d 03 00 52 cf-5a 99 be 19 c0 7e 80 55 ...M..R.Z....~.U
>>
>> 0010 - d6 4c 2d af 05 41 f8 19-79 24 a3 66 ba 82 9b 05 .L-..A..y$.f....
>>
>> 0020 - cd 31 eb 4e 1d 14 20 6b-db c4 0f 3d 82 82 06 52 .1.N.. k...=...R
>>
>> 0030 - 52 66 54 b9 91 d8 2b ec-c4 27 c4 11 75 bb ec f6 RfT...+..'..u...
>>
>> 0040 - 64 9f ca bc e3 c9 12 c0-11 00 00 05 ff 01 00 01 d...............
>>
>> 0051 - <SPACES/NULS>
>>
>> read from 0x1fee3f0 [0x1e6ea5b] (5 bytes => 5 (0x5))
>>
>> 0000 - 16 03 00 0c c2 .....
>>
>> read from 0x1fee3f0 [0x1e6ea60] (3266 bytes => 3266 (0xCC2))
>>
>>
>>
>> #########
>>
>>
>>
>> It is clear that received data are the same, only the send data are
>> different. It is caused my different cipher supported.
>>
>>
>>
>> In ssl3_get_server_hello process,
>>
>>
>>
>> #ifndef OPENSSL_NO_TLSEXT
>>
>> /* TLS extensions*/
>>
>> if (s->version >= SSL3_VERSION)
>>
>> {
>>
>> if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
>>
>> {
>>
>> /* 'al' set by
>> ssl_parse_serverhello_tlsext */
>>
>>
>> SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
>>
>> goto f_err;
>>
>> }
>>
>> if (ssl_check_serverhello_tlsext(s) <= 0)
>>
>> {
>>
>>
>> SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
>>
>> goto err;
>>
>> }
>>
>> }
>>
>> #endif
>>
>>
>>
>> if (p != (d+n)) <<=== The error is caused here !!!!
>>
>> {
>>
>> /* wrong packet length */
>>
>> al=SSL_AD_DECODE_ERROR;
>>
>>
>> SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
>>
>> goto f_err;
>>
>> }
>>
>>
>>
>> ########
>>
>>
>>
>> The ssl3_get_server_hello () is working correct in the PC platform, only
>> meets problem in the embedded environment. The different is the supported
>> ciphers in different environment.
>>
>>
>>
>> If i remove the check: if (p != (d+n)), the SSL connection does not
>> have any problem. I do not think the problem is in the condition check.
>>
>>
>>
>> Any suggestion is welcome.
>>
>>
>>
>> Lee
>>
>>
>>
>>
>>
>>
>>
>
>
