httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Date Sat, 24 Oct 2009 08:58:50 GMT
Kamesh Jayachandran wrote:
> Yes done, find the dump at http://www.livecipher.com/tlsext_dump/tlsext.dmp.2

Ok, thanks. So, for the sake of reference, your setup for this capture
was:

- (Windows) client with OpenSSL 0.9.8k, compiled with defaults
- server with OpenSSL 0.9.8j, compiled with defaults
- httpd 2.2.14, w/o the OP_NO_TICKET patch

Is that correct?

I have extracted the two Hello messages into a separate pcap file (attached).
It's the ServerHello in the second packet to which the client then immediately
replies to with SSL_AD_DECODE_ERROR. I'm also attaching Wireshark's
interpretation of the bytes in question, followed by their hex dumps.

As Joe observed in an earlier message, there are only two places in
t1_lib.c:ssl_parse_serverhello_tlsext() which set SSL_AD_DECODE_ERROR,
and it seems very likely that the following code is hit:

>         if (!s->hit && tlsext_servername == 1)
>                 {
>                 if (s->tlsext_hostname)
>                         {
>                         if (s->session->tlsext_hostname == NULL)
>                                 {
>                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
>                                 if (!s->session->tlsext_hostname)
>                                         {
>                                         *al = SSL_AD_UNRECOGNIZED_NAME;
>                                         return 0;
>                                         }
>                                 }
>                         else
>                                 {
>                                 *al = SSL_AD_DECODE_ERROR;
>                                 return 0;
>                                 }
>                         }
>                 }

I'll defer to the OpenSSL gurus for further analysis, but apparently
it has to do with the fact that the client reuses an SSL session
(s->session->tlsext_hostname is non-null), but this case is not
expected by ssl_parse_serverhello_tlsext(). It would also explain,
however, why the issue does not show up immediately, but only after
a couple of minutes (i.e., when a session is really being reused).

Kaspar


ClientHello: includes both an SNI and a SessionTicket extension
(i.e., client tries a stateless resume)

    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 316
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 312
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Sep  1, 2009 18:24:07.000000000
                random_bytes: DC61CBA8386F040540B164CA43C99C0A25618A34DC84B0CF...
            Session ID Length: 0
            Cipher Suites Length: 40
            Cipher Suites (20 suites)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 231
            Extension: server_name
                Type: server_name (0x0000)
                Length: 15
                Data (15 bytes)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 208
                Data (208 bytes)

0030                                   01 00 01 38 03              ...8.
0040  01 4a 9d 4a a7 dc 61 cb a8 38 6f 04 05 40 b1 64   .J.J..a..8o..@.d
0050  ca 43 c9 9c 0a 25 61 8a 34 dc 84 b0 cf e2 f2 0c   .C...%a.4.......
0060  ff 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a   ...(.9.8.5......
0070  00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12   .3.2./..........
0080  00 09 00 14 00 11 00 08 00 06 00 03 01 00 00 e7   ................
0090  00 00 00 0f 00 0d 00 00 0a 6b 61 6d 65 73 68 2e   .........kamesh.
00a0  63 6f 6d 00 23 00 d0 cf 41 ef 4a 9b 41 98 ca 3b   com.#...A.J.A..;
00b0  11 01 5a 16 6d ed a0 86 56 79 24 5c a7 1e 3e ec   ..Z.m...Vy$\..>.
00c0  47 27 d3 07 47 f7 17 04 3a 4e b3 64 bb de e5 ca   G'..G...:N.d....
00d0  aa 48 1c 61 2c e4 80 df c0 f7 be 7e 81 b9 0c ad   .H.a,......~....
00e0  03 8f f1 df 0b 89 80 d1 7a de 5c 21 af ff b0 94   ........z.\!....
00f0  67 83 b7 91 67 b8 b3 8b e7 af de 6e 53 37 05 89   g...g......nS7..
0100  e8 b8 a0 2f 39 ec 38 9f fa 35 7f 41 66 b1 57 fa   .../9.8..5.Af.W.
0110  36 97 64 c9 39 22 9c f2 75 56 0d 4c b7 75 36 0f   6.d.9"..uV.L.u6.
0120  22 a2 5b 28 31 ff 26 26 5b 9f d9 ee 76 24 65 48   ".[(1.&&[...v$eH
0130  1d ad 13 8e d3 5d 8b f9 09 ea e8 a4 6c 8f c2 ae   .....]......l...
0140  73 67 e0 c4 a3 fd 13 cc 37 a9 20 eb 35 ba 66 86   sg......7. .5.f.
0150  3e 0e 5e af d8 6c df ba 8c ef 69 1a c1 fd 07 e9   >.^..l....i.....
0160  7a 44 04 b9 0f 70 90 b6 fe ff dc 49 f6 49 44 4c   zD...p.....I.IDL
0170  a1 03 e9 5b 12 f6 30                              ...[..0

-----

ServerHello: includes an acknowledgement for the SNI extension
(with an empty "extension_data" field, as specified in RFC 4366).

    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 48
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 44
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Oct 23, 2009 18:26:28.000000000
                random_bytes: 7BB7CEA14E031A61466D401D6633DD50D4B2513B845D2D0A...
            Session ID Length: 0
            Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
            Compression Method: null (0)
            Extensions Length: 4
            Extension: server_name
                Type: server_name (0x0000)
                Length: 0
                Data (0 bytes)

0030                                   02 00 00 2c 03              ...,.
0040  01 4a e1 d9 34 7b b7 ce a1 4e 03 1a 61 46 6d 40   .J..4{...N..aFm@
0050  1d 66 33 dd 50 d4 b2 51 3b 84 5d 2d 0a 1f cd bb   .f3.P..Q;.]-....
0060  f1 00 00 39 00 00 04 00 00 00 00                  ...9.......

Mime
View raw message