httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Date Tue, 27 Oct 2009 22:47:25 GMT
Kamesh Jayachandran wrote:
> Hi Kaspar,
> 
> I applied your 'mod_ssl-disable_tls_tickets.diff' and
> 'mod_ssl-log_ssloptions.diff' to apache-2.2.12
> 
> and initiated the 'failing svn import operation'.
> 
> <snip from error_log while this fails>
> [Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
> </snip>
> 
> The tcpdump for this failure is at,
> 
> http://www.livecipher.com/tlsext_dump/tlsext.dmp.4
> 

As I mentioned, something strange is going on there. The server is sending back
empty session IDs which shouldn't be happening if tickets are disabled properly.

With OpenSSL 0.9.8k client, can you try this connecting to that server:

openssl s_client -connect hostname.whatever.com:443 \
		-servername hostname.whatever.com -tls1

Does any value appear after "Session-ID"? Hit Q<return> to exit.

Also try:

openssl s_client -connect hostname.whatever.com:443 \
		-servername hostname.whatever.com -tls1 -no_ticket

Again, do you get anything after "Session-ID"?

Finally this pair of commands:

openssl s_client -connect hostname.whatever.com:443 \
		-servername hostname.whatever.com -tls1 \
		-sess_out foo.pem


openssl s_client -connect hostname.whatever.com:443 \
		-servername hostname.whatever.com -tls1 \
		-sess_in foo.pem

Do you still get the error when you call the command with the server including
SSL_OP_NO_TICKET?

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
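
The Session-ID and ticket checks requested in the message above can be scripted. The following is an added example, not part of the original message or of OpenSSL; the function names and the sample s_client output are constructed, and the output layout assumed is that of an OpenSSL 0.9.8-era s_client.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and reports the
# fields the message asks about: New/Reused, Session-ID, ticket presence.
summarize_session() {
    awk '
        /^(New|Reused), /            { state = $1; sub(/,$/, "", state) }
        /^[ \t]*Session-ID:/         { sid = $0
                                       sub(/^[ \t]*Session-ID:[ \t]*/, "", sid)
                                       sub(/[ \t]+$/, "", sid) }
        /^[ \t]*TLS session ticket:/ { ticket = "yes" }
        END {
            if (state == "")  state = "unknown"
            if (ticket == "") ticket = "no"
            if (sid == "")    sid = "empty"
            printf "handshake=%s session_id=%s ticket=%s\n", state, sid, ticket
        }'
}

# Flags the case the message calls strange: no ticket was issued, yet the
# server sent back an empty Session-ID. Returns 1 on that anomaly.
check_no_ticket() {
    summary=$(summarize_session)
    case "$summary" in
        *"session_id=empty ticket=no"*) echo "ANOMALY: $summary"; return 1 ;;
        *)                              echo "OK: $summary";      return 0 ;;
    esac
}

# Constructed sample: full handshake, no ticket, empty Session-ID.
sample_empty_sid() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
EOF
}

# Constructed sample: resumed handshake with a 32-byte Session-ID.
sample_resumed() {
    cat <<'EOF'
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
}
# Live use: openssl s_client -connect hostname.whatever.com:443 \
#   -servername hostname.whatever.com -tls1 -no_ticket </dev/null | check_no_ticket
sample_empty_sid | check_no_ticket || true
```

For the -sess_out / -sess_in pair, run summarize_session on the second command's output and look for handshake=Reused.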
