EldoS | Feel safer!

TLS 1.1,1.2 causes SSL error in HTTP

#13025
Posted: 04/20/2010 07:22:35
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I'm recompiling an auto-update module and I'm finding that an SBB update seems to have caused the TLS 1.1 and 1.2 options to make the SSL connection fail with a "Cannot establish SSL connection" error.

I checked the packet dump and, when either TLS 1.1 or TLS 1.2 is enabled in the client component, the server sends a "bad record MAC" alert (0x14) back right after the client sent the "change cipher" + "encrypted handshake" packet.

If I disable both of these options, then connection succeeds.

It's not critical since I don't actually need TLS 1.1+, but I would like to know what can cause this behavior.

Thanks
#13026
Posted: 04/20/2010 07:30:13
by Eugene Mayevski (EldoS Corp.)

This is a common bug of some servers (including OpenSSL up until the most recent versions) that misbehave when TLS 1.1 is requested.


Sincerely yours
Eugene Mayevski
#13028
Posted: 04/20/2010 07:50:32
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you for answering so quickly.

Why does it work with older versions of SBB?

For my personal curiosity, do you happen to have a reference to that bug handy? (The server is LAMP and might need an update.)
#13029
Posted: 04/20/2010 07:59:23
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Ah, I think I know: it doesn't work with older SBB versions either: the server was moved to another machine which, apparently, had an older OpenSSL version (and still does).

A reference to the bug would be useful for communicating with the hosting provider.

Thanks again,
Stephane
#13030
Posted: 04/20/2010 08:15:09
by Eugene Mayevski (EldoS Corp.)

Well, from the OpenSSL developers' point of view this is probably not a bug. They just didn't support those versions of the protocol, and, consequently, their code was confused by unknown version numbers. I don't think anybody filed this as a bug (we didn't). Yet we've been notifying users about this for years, and we even have a message regarding it in some of the sample applications (in the FTPS one, if memory serves).


Sincerely yours
Eugene Mayevski
#13033
Posted: 04/20/2010 08:20:12
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you. I'll go bother our hosting provider, then.

regards,
Stephane
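The failure pattern described in this thread (a fatal bad_record_mac alert arriving right after the client's ChangeCipherSpec + Finished when TLS 1.1 or 1.2 was offered) can be recognised from a capture mechanically. The following parser is an added example, not code from the thread or from SecureBlackbox; the TLS byte strings are constructed, not taken from the poster's packet dump.

```python
import struct

# TLS record content types, alert descriptions and version numbers used below.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake"}
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac",
                      40: "handshake_failure", 70: "protocol_version"}
VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_records(data):
    """Split a raw byte stream into (content_type, record_version, payload) tuples."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), body))
        pos += 5 + length
    return records

def client_hello_version(records):
    """Return the client_version field of the first ClientHello, or None."""
    for ctype, _, body in records:
        if ctype == 22 and body[0] == 1:  # handshake type 1 = ClientHello
            return (body[4], body[5])     # skip msg type (1) + length (3)
    return None

def diagnose(client_bytes, server_bytes):
    """Classify the server's last alert; flag the version-intolerance pattern."""
    client, server = parse_records(client_bytes), parse_records(server_bytes)
    offered = client_hello_version(client)
    sent_ccs = any(c == 20 for c, _, _ in client)
    alerts = [body for c, _, body in server if c == 21]
    if not alerts:
        return "no alert from server"
    level, desc = alerts[-1][0], alerts[-1][1]
    name = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    if desc == 20 and sent_ccs and offered and offered > (3, 1):
        return (f"{name} after ChangeCipherSpec while offering "
                f"{VERSION_NAMES[offered]}: likely server version intolerance; "
                f"retry with TLS 1.0 only to confirm")
    return f"alert {name} (level {level})"

# Constructed sample: ClientHello offering TLS 1.2, then CCS + encrypted Finished;
# the server answers with a fatal (2) bad_record_mac (20) alert.
CLIENT_FLIGHT = (b"\x16\x03\x01\x00\x08" + b"\x01\x00\x00\x04\x03\x03\x00\x00"
                 + b"\x14\x03\x03\x00\x01\x01"
                 + b"\x16\x03\x03\x00\x04\xde\xad\xbe\xef")
SERVER_REPLY = b"\x15\x03\x01\x00\x02\x02\x14"
```

Running `diagnose(CLIENT_FLIGHT, SERVER_REPLY)` on the constructed capture reports the intolerance pattern; the confirming step is to re-run the real connection with only TLS 1.0 enabled, as the poster did.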