httpd-dev mailing list archives

From Kamesh Jayachandran <kam...@collab.net>
Subject Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Date Mon, 02 Nov 2009 11:41:19 GMT
On 10/28/2009 04:17 AM, Dr Stephen Henson wrote:
> Kamesh Jayachandran wrote:
>    
>> Hi Kaspar,
>>
>> I applied your 'mod_ssl-disable_tls_tickets.diff' and
>> 'mod_ssl-log_ssloptions.diff' to apache-2.2.12
>>
>> and initiated the 'failing svn import operation'.
>>
>> <snip from error_log while this fails>
>> [Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88]
>> ssl_init_ssl_connection: options=0x1114fff
>> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
>> ssl_init_ssl_connection: options=0x1114fff
>> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
>> ssl_init_ssl_connection: options=0x1114fff
>> </snip>
>>
>> The tcpdump for this failure is at,
>>
>> http://www.livecipher.com/tlsext_dump/tlsext.dmp.4
>>
>>      
>    

Sorry for the delay.

> As I mentioned something strange is going on there. The server is sending back
> empty session IDs which shouldn't be happening if tickets are disabled properly.
>
> With OpenSSL 0.9.8k client, can you try this connecting to that server:
>
> openssl s_client -connect hostname.whatever.com:443
> 		-servername hostname.whatever.com -tls1
>
> Does any value appear after "Session-ID"? Hit Q<return>  to exit.
>    

Yes, it appears.

> Also try:
>
> openssl s_client -connect hostname.whatever.com:443
> 		-servername hostname.whatever.com -tls1 -no_ticket
>
> again do you get anything after "Session-ID"?
>    

Yes, I get it.

> Finally this pair of commands:
>
> openssl s_client -connect hostname.whatever.com:443
> 		-servername hostname.whatever.com -tls1
> 		-sess_out foo.pem
>
>
> openssl s_client -connect hostname.whatever.com:443
> 		-servername hostname.whatever.com -tls1
> 		-sess_in foo.pem
>
> Do you still get the error when you call the command with the server including
> SSL_OP_NO_TICKET?
>    

Yes, I get the error with the server running the SSL_OP_NO_TICKET patch.

[kamesh@kamesh httpd-2.2.12]$ openssl s_client -connect kamesh:443 -servername kamesh -tls1 -sess_in foo.pem
CONNECTED(00000003)
4155:error:140920DF:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext:s3_clnt.c:880:


FYI, I used this openssl client on my Linux box for this test, which is openssl-0.9.8k (while the original issue was posted against the win32 svn client built with openssl-0.9.8j).

With regards
Kamesh Jayachandran
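An added example, not code from this thread, from mod_ssl or from OpenSSL: it decodes the "options=0x1114fff" value logged above into OpenSSL 0.9.8 option names (so you can confirm SSL_OP_NO_TICKET really is set), and parses a TLS ServerHello to check the two things a strict client will object to: an extension the client never offered, and an empty session ID with no session_ticket extension, which is the "empty session IDs" symptom described in the quoted reply. The option bit values are those of OpenSSL 0.9.8's ssl.h and are assumed to match the build in use; the ServerHello messages are constructed test input, not the captured traffic from the linked dump; all function and constant names are my own.

```python
# Added example (not from the thread, mod_ssl or OpenSSL): decode mod_ssl's logged
# SSL option bitmask and sanity-check a ServerHello for resumption problems.
import re
import struct

# Option bits as defined in OpenSSL 0.9.8 ssl.h (assumption: build matches).
SSL_OPTION_BITS = (
    (0x00000FFF, "SSL_OP_ALL"),
    (0x00004000, "SSL_OP_NO_TICKET"),
    (0x00010000, "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION"),
    (0x00100000, "SSL_OP_SINGLE_DH_USE"),
    (0x01000000, "SSL_OP_NO_SSLv2"),
)

EXT_SERVER_NAME = 0       # RFC 4366 server_name (echoed empty by the server)
EXT_SESSION_TICKET = 35   # RFC 5077 SessionTicket TLS

# Log line copied from the thread; the regex and helper are constructed here.
LOG_LINE = "[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff"


def options_from_log_line(line):
    """Extract the hex options value from a mod_ssl-log_ssloptions style line."""
    m = re.search(r"options=0x([0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None


def decode_ssl_options(value):
    """Return (recognised option names in ascending bit order, leftover unknown bits)."""
    names, leftover = [], value
    for bit, name in SSL_OPTION_BITS:
        if value & bit == bit:          # SSL_OP_ALL is a multi-bit mask, so compare the whole mask
            names.append(name)
            leftover &= ~bit
    return names, leftover


def build_server_hello(session_id, extensions, version=(3, 1), cipher=0x002F):
    """Construct a ServerHello handshake message (test input, not captured traffic)."""
    body = bytes(version) + b"\x11" * 32            # server random (constructed filler)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">HB", cipher, 0)           # cipher suite, null compression
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg):
    """Parse a ServerHello handshake message; raise ValueError on malformed input."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 38:          # version+random+sid_len+cipher+comp = 38
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    random = body[2:34]
    sid_len = body[34]
    off = 35
    if sid_len > 32 or off + sid_len + 3 > length:
        raise ValueError("bad session_id length")
    session_id = body[off:off + sid_len]; off += sid_len
    cipher, compression = struct.unpack(">HB", body[off:off + 3]); off += 3
    extensions = []
    if off < length:                                # extensions block is optional
        (ext_len,) = struct.unpack(">H", body[off:off + 2]); off += 2
        if off + ext_len != length:
            raise ValueError("extensions length does not match message length")
        while off < length:
            ext_type, ext_size = struct.unpack(">HH", body[off:off + 4]); off += 4
            if off + ext_size > length:
                raise ValueError("extension runs past end of message")
            extensions.append((ext_type, body[off:off + ext_size])); off += ext_size
    return {"version": version, "random": random, "session_id": session_id,
            "cipher": cipher, "compression": compression, "extensions": extensions}


def check_resumption(hello, offered_extensions):
    """Flag ServerHello content a strict client is entitled to reject or cannot resume from."""
    findings = []
    for ext_type, _ in hello["extensions"]:
        if ext_type not in offered_extensions:      # RFC 5246 7.4.1.4: server must not add extensions
            findings.append("server sent extension %d the client did not offer" % ext_type)
    has_ticket = any(t == EXT_SESSION_TICKET for t, _ in hello["extensions"])
    if not hello["session_id"] and not has_ticket:
        findings.append("empty session ID and no session_ticket extension: nothing to resume with")
    return findings


# Constructed sample hellos: what s_client with and without -no_ticket offers, and three replies.
OFFERED_WITH_TICKET = {EXT_SERVER_NAME, EXT_SESSION_TICKET}
OFFERED_NO_TICKET = {EXT_SERVER_NAME}
GOOD_HELLO = build_server_hello(b"\x42" * 32, [(EXT_SERVER_NAME, b"")])        # cache-resumable
EMPTY_SID_HELLO = build_server_hello(b"", [(EXT_SERVER_NAME, b"")])            # the reported symptom
TICKET_HELLO = build_server_hello(b"", [(EXT_SERVER_NAME, b""), (EXT_SESSION_TICKET, b"")])

if __name__ == "__main__":
    print(decode_ssl_options(options_from_log_line(LOG_LINE)))
    for name, hello in (("good", GOOD_HELLO), ("empty-sid", EMPTY_SID_HELLO), ("ticket", TICKET_HELLO)):
        print(name, check_resumption(parse_server_hello(hello), OFFERED_NO_TICKET))
```

Decoding 0x1114fff gives SSL_OP_ALL, SSL_OP_NO_TICKET, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, SSL_OP_SINGLE_DH_USE and SSL_OP_NO_SSLv2 with no bits left over, so the option patch did take effect on that connection; the interesting question is then why a server with tickets off still answers with an empty session ID, which is what the second check reports on the constructed reply.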
