Modify client hello version when renegotiating to enhance interop with some servers.
diff --git a/CHANGES b/CHANGES index 86b2f92..3712444 100644 --- a/CHANGES +++ b/CHANGES
@@ -267,6 +267,13 @@ Changes between 1.0.0f and 1.0.1 [xx XXX xxxx] + *) Some servers which support TLS 1.0 can choke if we initially indicate + support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA + encrypted premaster secret. As a workaround use the maximum pemitted + client version in client hello, this should keep such servers happy + and still work with previous versions of OpenSSL. + [Steve Henson] + *) Add support for TLS/DTLS heartbeats. [Robin Seggelmann <seggelmann@fh-muenster.de>]
diff --git a/apps/s_client.c b/apps/s_client.c index dbc0700..d724981 100644 --- a/apps/s_client.c +++ b/apps/s_client.c
@@ -2056,7 +2056,7 @@ } #endif -#ifdef SSL_DEBUG +#ifndef SSL_DEBUG { /* Print out local port of connection: useful for debugging */ int sock;
diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 0d55e8f..2cf3948 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh
@@ -30,7 +30,10 @@ # First DH parameters -[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem +$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem + +# Uncomment out this line for X9.42 DH parameters instead +$OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2 # Now a DH private key $OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index e7b477a..323a732 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c
@@ -689,9 +689,43 @@ /* Do the message type and length last */ d=p= &(buf[4]); + /* version indicates the negotiated version: for example from + * an SSLv2/v3 compatible client hello). The client_version + * field is the maximum version we permit and it is also + * used in RSA encrypted premaster secrets. Some servers can + * choke if we initially report a higher version then + * renegotiate to a lower one in the premaster secret. This + * didn't happen with TLS 1.0 as most servers supported it + * but it can with TLS 1.1 or later if the server only supports + * 1.0. + * + * Possible scenario with previous logic: + * 1. Client hello indicates TLS 1.2 + * 2. Server hello says TLS 1.0 + * 3. RSA encrypted premaster secret uses 1.2. + * 4. Handhaked proceeds using TLS 1.0. + * 5. Server sends hello request to renegotiate. + * 6. Client hello indicates TLS v1.0 as we now + * know that is maximum server supports. + * 7. Server chokes on RSA encrypted premaster secret + * containing version 1.0. + * + * For interoperability it should be OK to always use the + * maximum version we support in client hello and then rely + * on the checking of version to ensure the servers isn't + * being inconsistent: for example initially negotiating with + * TLS 1.0 and renegotiating with TLS 1.2. We do this by using + * client_version in client hello and not resetting it to + * the negotiated version. + */ +#if 0 *(p++)=s->version>>8; *(p++)=s->version&0xff; s->client_version=s->version; +#else + *(p++)=s->client_version>>8; + *(p++)=s->client_version&0xff; +#endif /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 91089f3..7e01d8d 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h
@@ -1,4 +1,4 @@ -/* ssl/ssl3.h */ + /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -388,6 +388,7 @@ #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +#define SSL3_FLAGS_CLEAR_CLIENT_CERT 0x0040 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we * restart a handshake because of MS SGC and so prevents us