Andy Polyakov | 1 Apr 12:17 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

> It's empirically found that SSL 2.0 and TLS 1.0
> ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> have to be shorter to be accepted.

The TLS version in the ClientHello *message* is denoted by the corresponding field.
But then the *message* is placed in a TLS *record*, which is denoted with its
own protocol version. Quoting RFC 5246, appendix E.1:

   Earlier versions of the TLS specification were not fully clear on
   what the record layer version number (TLSPlaintext.version) should
   contain when sending ClientHello (i.e., before it is known which
   version of the protocol will be employed).  Thus, TLS servers
   compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any
   value {03,XX} as the record layer version number.  Typical values
   would be {03,00}, the lowest version number supported by the client,
   and the value of ClientHello.client_version.  No single value will
   guarantee interoperability with all old servers, but this is a
   complex topic beyond the scope of this document.

Yes, it's beyond the document's scope, but it seems that it's acceptable to
send a TLS 1.2 ClientHello *message* in a TLS 1.0 *record*. I.e. the initial
record version would denote the minimal TLS version, while the message version
denotes the maximal version.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Kurt Roeckx | 1 Apr 12:34 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Sun, Apr 01, 2012 at 12:17:19PM +0200, Andy Polyakov wrote:
> > It's empirically found that SSL 2.0 and TLS 1.0
> > ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> > have to be shorter to be accepted.
> 
> The TLS version in the ClientHello *message* is denoted by the corresponding field.
> But then the *message* is placed in a TLS *record*, which is denoted with its
> own protocol version. Quoting RFC 5246, appendix E.1:
> 
>    Earlier versions of the TLS specification were not fully clear on
>    what the record layer version number (TLSPlaintext.version) should
>    contain when sending ClientHello (i.e., before it is known which
>    version of the protocol will be employed).  Thus, TLS servers
>    compliant with this specification MUST accept any value {03,XX} as
>    the record layer version number for ClientHello.
> 
>    TLS clients that wish to negotiate with older servers MAY send any
>    value {03,XX} as the record layer version number.  Typical values
>    would be {03,00}, the lowest version number supported by the client,
>    and the value of ClientHello.client_version.  No single value will
>    guarantee interoperability with all old servers, but this is a
>    complex topic beyond the scope of this document.
> 
> Yes, it's beyond the document's scope, but it seems that it's acceptable to
> send a TLS 1.2 ClientHello *message* in a TLS 1.0 *record*. I.e. the initial
> record version would denote the minimal TLS version, while the message version
> denotes the maximal version.

And they now both contain 0x03,0x03.  At least gnutls is sending
0x03,0x00 with 0x03,0x03.

Dr. Stephen Henson | 1 Apr 13:06 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Sun, Apr 01, 2012, Kurt Roeckx wrote:

> 
> And they now both contain 0x03,0x03.  At least gnutls is sending
> 0x03,0x00 with 0x03,0x03.
> 

Gnutls is also sending client hellos shorter than 256 bytes (couldn't see a
way to extend it though I'm not familiar with gnutls).

> I already wondered about this before, but I assumed it didn't
> matter.
> 

Did a quick hack modification setting header version to 0x3,0x0 and it now
*will* connect to some sites it didn't before with a long client hello
including paypal. It ends up negotiating TLS 1.2 anyway.

I'll do some more tests to see what happens.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Dr. Stephen Henson | 1 Apr 14:42 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:

> 
> Did a quick hack modification setting header version to 0x3,0x0 and it now
> *will* connect to some sites it didn't before with a long client hello
> including paypal. It ends up negotiating TLS 1.2 anyway.
> 
> I'll do some more tests to see what happens.
> 

SSLv3 or TLSv1 version in record header connects, anything higher hangs.

So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
should retain compatibility with older versions of OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
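To make the distinction the thread turns on concrete (Andy's point that the record-layer version and ClientHello.client_version are two separate fields, and Steve's observation that only an SSLv3 or TLSv1 record version got a long ClientHello through), here is an added Python example that builds a TLS 1.2 ClientHello, wraps it in a record whose version is chosen independently, and parses both fields back together with the handshake message length. This is not OpenSSL's or gnutls' code; the cipher-suite ids, the zeroed random, the opaque extension blob and the 256-byte flag are constructed for illustration only.

```python
import struct

# Wire encodings of the versions discussed in the thread.
SSL3_VERSION = 0x0300
TLS1_0_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
VERSION_NAMES = {SSL3_VERSION: "SSLv3", TLS1_0_VERSION: "TLSv1.0",
                 TLS1_1_VERSION: "TLSv1.1", TLS1_2_VERSION: "TLSv1.2"}

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1


def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)


def build_client_hello(client_version, cipher_suites, extensions=b""):
    """Build a ClientHello handshake *message* (RFC 5246, section 7.4.1.2).

    client_version becomes ClientHello.client_version, i.e. the highest version
    the client offers. cipher_suites is a list of 16-bit ids. extensions is
    already-encoded extension data and is appended with a 2-byte length when
    non-empty. The 32-byte random is zeroed here only to keep output deterministic.
    """
    body = struct.pack(">H", client_version)
    body += b"\x00" * 32                                  # ClientHello.random (constructed)
    body += b"\x00"                                       # session_id: empty
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # compression_methods: null only
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    # Handshake header: 1-byte type, 3-byte length.
    return bytes([HANDSHAKE_TYPE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def wrap_in_record(record_version, handshake_message):
    """Wrap a handshake message in a TLS *record* (TLSPlaintext).

    record_version is TLSPlaintext.version, which RFC 5246 E.1 lets the client
    pick for the initial ClientHello independently of client_version.
    """
    header = struct.pack(">BHH", CONTENT_TYPE_HANDSHAKE, record_version,
                         len(handshake_message))
    return header + handshake_message


def parse_hello_record(record):
    """Return both version fields of a record carrying a ClientHello, plus the
    handshake message length and whether it exceeds the thread's empirical
    256-byte figure."""
    content_type, record_version, record_len = struct.unpack(">BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    msg = record[5:5 + record_len]
    if len(msg) != record_len:
        raise ValueError("truncated record")
    hs_type = msg[0]
    hs_len = int.from_bytes(msg[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_CLIENT_HELLO or hs_len != len(msg) - 4:
        raise ValueError("malformed ClientHello")
    client_version = struct.unpack(">H", msg[4:6])[0]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "handshake_len": hs_len,
        "exceeds_256": hs_len > 256,
    }


def example_records():
    """Constructed sample: one long TLS 1.2 ClientHello, once in a TLS 1.0
    record (the variant Steve found to connect) and once in a TLS 1.2 record."""
    suites = list(range(0xC000, 0xC060))                  # 96 constructed suite ids (192 bytes)
    ext = b"\x00\xff" + struct.pack(">H", 96) + b"\x00" * 96   # constructed opaque extension
    hello = build_client_hello(TLS1_2_VERSION, suites, ext)
    return {
        "compat": wrap_in_record(TLS1_0_VERSION, hello),
        "strict": wrap_in_record(TLS1_2_VERSION, hello),
    }


if __name__ == "__main__":
    for label, rec in example_records().items():
        info = parse_hello_record(rec)
        print("%s: record=%s hello=%s handshake_len=%d exceeds_256=%s" % (
            label, version_name(info["record_version"]),
            version_name(info["client_version"]),
            info["handshake_len"], info["exceeds_256"]))
```

Running it shows the same 333-byte ClientHello body carried under two different record versions, which is exactly the knob the thread proposes turning: the message keeps advertising TLS 1.2 while the record header says TLS 1.0.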

Kurt Roeckx | 1 Apr 16:41 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> 
> > 
> > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > *will* connect to some sites it didn't before with a long client hello
> > including paypal. It ends up negotiating TLS 1.2 anyway.
> > 
> > I'll do some more tests to see what happens.
> > 
> 
> SSLv3 or TLSv1 version in record header connects, anything higher hangs.
> 
> So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> should retain compatibility with older versions of OpenSSL.

Is there a reason not to send SSLv3 as the lowest version if
SSLv3 is enabled?

Kurt


Dr. Stephen Henson | 1 Apr 17:40 2012

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Sun, Apr 01, 2012, Kurt Roeckx wrote:

> On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> > On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> > 
> > > 
> > > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > > *will* connect to some sites it didn't before with a long client hello
> > > including paypal. It ends up negotiating TLS 1.2 anyway.
> > > 
> > > I'll do some more tests to see what happens.
> > > 
> > 
> > SSLv3 or TLSv1 version in record header connects, anything higher hangs.
> > 
> > So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> > should retain compatibility with older versions of OpenSSL.
> 
> Is there a reason not to send SSLv3 as the lowest version if
> SSLv3 is enabled?
> 

Well, the only reason I suggested using TLS 1.0 is that it would retain the same
behaviour as OpenSSL 1.0 and earlier, which would send the same record header
version as the currently supported version.

Doing some more tests... session resumption would also have to use version
SSLv3/TLSv1 in the client hello record but other handshake records must use the
negotiated version.


kD3V | 1 Apr 02:35 2012

OpenSSL Connection Hangs After Handshake


Hi, there!

I'm a C# dev trying to write a server using SSL encryption. I am using the
TcpClient class with the SSLStream class. I have created the Self-Signed
certificates I need and confirmed that they are in PEM format, these are
successfully loaded by the server and client. However, the problem I am
facing is as soon as the client and server do a TCP handshake, both hang and
do not do anything. I am really confused as to what the problem is and I
need the SSL encryption to work ASAP.

Thanks for your time :-D
--


Leandro Santiago via RT | 1 Apr 20:52 2012

[openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on
mingw-w64 (gcc 4.7), but I'm having errors.
I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10
64-bit and Windows 7 32-bit having the same errors.

The command line I used was:

./Configure --prefix=$BUILD_PATH shared threads mingw32:gcc --cross-compile-prefix=i686-w64-mingw32-

The error is:

In file included from err_all.c:96:0:
../../include/openssl/ocsp.h:157:4: error: expected ‘)’ before numeric constant
../../include/openssl/ocsp.h:206:3: error: expected
specifier-qualifier-list before ‘(’ token
../../include/openssl/ocsp.h:350:2: error: expected
specifier-qualifier-list before ‘(’ token
../../include/openssl/ocsp.h:404:1: error: expected identifier or ‘(’
before ‘LPCSTR’
../../include/openssl/ocsp.h:404:1: error: expected ‘)’ before numeric constant
../../include/openssl/ocsp.h:405:53: error: expected declaration
specifiers or ‘...’ before ‘(’ token
../../include/openssl/ocsp.h:407:23: error: expected declaration
specifiers or ‘...’ before ‘(’ token
../../include/openssl/ocsp.h:409:47: error: expected declaration
specifiers or ‘...’ before ‘(’ token
../../include/openssl/ocsp.h:416:10: error: expected declaration
specifiers or ‘...’ before ‘(’ token
../../include/openssl/ocsp.h:420:35: error: expected declaration

Roumen Petrov | 1 Apr 21:09 2012

Re: [openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

Leandro Santiago via RT wrote:
> I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on
> mingw-w64 (gcc 4.7), but I'm having errors.
> I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10
> 64-bit and Windows 7 32-bit having the same errors.
>
> The command line I used was:
>
> ./Configure --prefix=$BUILD_PATH shared threads mingw32:gcc
> --cross-compile-prefix=i686-w64-mingw32-
Platform is mingw, or maybe you use a patched version where mingw32 is
defined.

[SNIP]

Roumen
