On Thu, 7 May 1998, Theodore Hope wrote:
> The following appeared in my web server's SSL error log (newlines added
> for readability):
>
> [Fri May 1 07:08:20 1998]
> error:0406406F:rsa routines:RSA_EAY_PRIVATE_DECRYPT:sslv3 rollback attack
>
> I'm running Apache_1.2.4 + SSL_1.11 (using ssleay 0.8.1).
hmm... very interesting.
If a client connects, saying it can do SSLv3 and the server responds with
SSLv2, it then encodes the RSA pkcs1 padding in a special way.
The server, if it can do SSLv3, will check that this padding is not present
when doing SSLv2. It is basically meant to check that SSLv3 capable servers
and browsers are talking the top protocol they can.
I know some browsers don't implement this correctly (I seem to remember old
versions of MSIE are all over the place), and the check can be turned off by
using the SSL_OP_MSIE_SSLV2_RSA_PADDING option to the
SSL_CTX_set_options() call.
Ah! I knew I had it documented somewhere. In
http://www.cryptsoft.com/ssleay/doc/vendor-bugs.html
MICROSOFT SSLv2 PKCS#1 padding error
MSIE 3.02, when doing SSLv2 (SSLv3 is turned off), always uses the
SSLv2/v3 special PKCS#1 padding of 8 bytes of value 3. It should not
do so if it is talking only SSLv2 (SSLv2 hello message with a version
number of 2).
eric
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
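The padding marker and the server-side check that Eric describes, as an added example that is not part of the original message and is not SSLeay's code: an illustrative reimplementation of PKCS#1 v1.5 block type 2 padding with the SSLv2/v3 rollback marker (the last 8 bytes of the padding string set to 0x03), and the decision an SSLv3-capable server makes when it sees that marker on an SSLv2 connection. The function names, the error codes, the 128-byte block (a 1024-bit modulus), the 24-byte demo key and the msie_workaround flag (standing in for SSL_OP_MSIE_SSLV2_RSA_PADDING) are all assumptions made for the demo.

```c
/* Illustrative reimplementation of the SSLv2/v3 rollback padding check.
 * Not SSLeay's code: names, error codes and block size are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSA_BLOCK_LEN 128       /* 1024-bit modulus, assumed for the demo */
#define PAD_OK          0
#define PAD_MALFORMED  -1
#define PAD_ROLLBACK   -2       /* what "sslv3 rollback attack" reports */

/* PKCS#1 v1.5 block type 2: 00 02 <PS: >= 8 non-zero bytes> 00 <data>.
 * With with_marker set, the last 8 bytes of PS are 0x03: the marker an
 * SSLv3-capable client puts in when it ends up talking SSLv2. */
int pkcs1_type2_pad(uint8_t *out, size_t out_len,
                    const uint8_t *data, size_t data_len, int with_marker)
{
    size_t ps_len, i;
    if (data_len + 11 > out_len)
        return PAD_MALFORMED;
    ps_len = out_len - data_len - 3;
    out[0] = 0x00;
    out[1] = 0x02;
    /* Demo filler only: a real implementation draws PS from a CSPRNG. */
    for (i = 0; i < ps_len; i++)
        out[2 + i] = (uint8_t)(0x41 + (i % 26));
    if (with_marker)
        memset(out + 2 + ps_len - 8, 0x03, 8);
    out[2 + ps_len] = 0x00;
    memcpy(out + 3 + ps_len, data, data_len);
    return PAD_OK;
}

/* Server side. server_does_sslv3: this server can do SSLv3.
 * sslv2_negotiated: the connection being set up is SSLv2.
 * msie_workaround: the demo equivalent of SSL_OP_MSIE_SSLV2_RSA_PADDING,
 * which skips the marker check for clients that always send it.
 * Returns the data length, or PAD_MALFORMED / PAD_ROLLBACK. */
int sslv23_padding_check(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_max,
                         int server_does_sslv3, int sslv2_negotiated,
                         int msie_workaround)
{
    size_t i, j, data_len;
    int marker = 1;
    if (in_len < 11 || in[0] != 0x00 || in[1] != 0x02)
        return PAD_MALFORMED;
    for (i = 2; i < in_len && in[i] != 0x00; i++)
        ;
    if (i == in_len || i - 2 < 8)
        return PAD_MALFORMED;           /* no separator, or PS too short */
    for (j = i - 8; j < i; j++)
        if (in[j] != 0x03)
            marker = 0;
    /* An SSLv3-capable server doing SSLv2 must never see the marker: a
     * client that could do SSLv3 would be talking SSLv3 to this server. */
    if (marker && server_does_sslv3 && sslv2_negotiated && !msie_workaround)
        return PAD_ROLLBACK;
    data_len = in_len - i - 1;
    if (data_len > out_max)
        return PAD_MALFORMED;
    memcpy(out, in + i + 1, data_len);
    return (int)data_len;
}

/* Pad a constructed 24-byte demo key, then run the server check on an
 * SSLv2 connection. Returns the check result; PAD_MALFORMED if the
 * recovered key does not match what was padded. */
int demo_case(int with_marker, int server_does_sslv3, int msie_workaround)
{
    static const uint8_t key[] = "constructed-demo-key-24!";  /* 24 bytes */
    uint8_t blk[RSA_BLOCK_LEN], out[RSA_BLOCK_LEN];
    int r = pkcs1_type2_pad(blk, sizeof blk, key, sizeof key - 1, with_marker);
    if (r != PAD_OK)
        return r;
    r = sslv23_padding_check(blk, sizeof blk, out, sizeof out,
                             server_does_sslv3, 1, msie_workaround);
    if (r > 0 && (r != (int)(sizeof key - 1) || memcmp(out, key, (size_t)r)))
        return PAD_MALFORMED;
    return r;
}

int main(void)
{
    printf("v3 client pushed to v2, v3 server:      %d\n", demo_case(1, 1, 0));
    printf("same, with the MSIE workaround on:      %d\n", demo_case(1, 1, 1));
    printf("plain v2 client (no marker), v3 server: %d\n", demo_case(0, 1, 0));
    printf("marker seen by a v2-only server:        %d\n", demo_case(1, 0, 0));
    return 0;
}
```

The first case is the log line in the original report: a marker on an SSLv2 connection to a server that can do SSLv3. MSIE 3.02, as the vendor-bugs note says, sends the marker even on a pure SSLv2 hello, so without the workaround it trips the same error; the second case shows the option suppressing the check, at the cost of no longer detecting a real rollback from that client. Note that this demo parses the block in a data-dependent way and returns distinguishable error codes, which is fine for illustrating the marker but not how a production RSA decrypt should report padding failures.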