EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TLS 1.1,1.2 causes SSL error in HTTP

#13025
Posted: 04/20/2010 07:22:35
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Hello,

I'm recompiling an auto-update module and I'm finding that a SBB update seems to have caused TLS 1.1 and 1.2 options to cause the SSL connection to fail with "Cannot establish SSL connection" error.

I checked the packet dump and, when either TLS 1.1 or TLS 1.2 is enabled in the client component, the server sends a "bad record MAC" alert (0x14) back right after the client sent the "change cipher"+"encrypted handshake" packet.

If I disable both of these options, then connection succeeds.

It's not critical since I don't actually need TLS 1.1+, but I would like to know what can cause this behavior.

Thanks
#13026
Posted: 04/20/2010 07:30:13
by Eugene Mayevski (EldoS Corp.)

This is a common bug of some servers (including OpenSSL up until most recent versions) that misbehave when TLS 1.1 is requested.


Sincerely yours
Eugene Mayevski
#13028
Posted: 04/20/2010 07:50:32
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Thank you for answering so quickly.

Why does it work with an older version of SBB?

For my personal curiosity, do you happen to have a reference to that bug handy? (The server is LAMP and might need an update.)
#13029
Posted: 04/20/2010 07:59:23
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Ah, I think I know: it doesn't work with older SBB versions either: the server was moved to another machine which, apparently, had an older OpenSSL version (and still does).

A reference to the bug would be useful for communicating with the hosting provider.

Thanks again,
Stephane
#13030
Posted: 04/20/2010 08:15:09
by Eugene Mayevski (EldoS Corp.)

Well, from the OpenSSL developers' point of view this is probably not a bug. They just didn't support those versions of the protocol, and, consequently, their code was confused by unknown numbers. I don't think anybody filed this as a bug (we didn't). Yet we've been notifying the users for years about this and we even have a message regarding this in some of the sample applications (in the FTPS one, if memory serves).


Sincerely yours
Eugene Mayevski
#13033
Posted: 04/20/2010 08:20:12
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Thank you. I'll go bother our hosting provider, then.

regards,
Stephane
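The symptom discussed in this thread (client offers TLS 1.1 in its ClientHello, sends ChangeCipherSpec plus the encrypted Finished, and the server answers with a fatal bad_record_mac alert, 0x14) can be confirmed from a capture by decoding the TLS record layer directly. The following is an added example, not code from the thread or from SecureBlackbox; the byte strings are constructed and shortened (the server stream is reduced to just the alert record), and `parse_records`/`diagnose` are names chosen here.

```python
import struct

# TLS record-layer constants (RFC 5246 section 6.2.1 and section 7.2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               40: "handshake_failure", 70: "protocol_version"}

def parse_records(stream: bytes) -> list:
    """Split one direction of a TLS byte stream into decoded record dicts."""
    records, off, encrypted = [], 0, False
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})")}
        if ctype == 20:  # after ChangeCipherSpec the handshake bodies are opaque
            encrypted = True
        elif ctype == 21 and length == 2:  # alert body: level, description
            rec["alert"] = (ALERT_LEVELS.get(body[0], "?"), ALERT_DESCS.get(body[1], f"unknown({body[1]})"))
        elif ctype == 22 and not encrypted and length >= 6 and body[0] == 1:  # ClientHello
            rec["client_version"] = VERSIONS.get((body[4], body[5]), f"unknown({body[4]}.{body[5]})")
        records.append(rec)
        off += 5 + length
    return records

def diagnose(client_stream: bytes, server_stream: bytes) -> str:
    """Report which version the client offered and which alert, if any, the server sent."""
    offered = next((r["client_version"] for r in parse_records(client_stream) if "client_version" in r), None)
    alert = next((r for r in parse_records(server_stream) if "alert" in r), None)
    if alert is None:
        return f"offered {offered}: no alert from server"
    level, desc = alert["alert"]
    return f"offered {offered}: server sent {level} {desc} in a {alert['version']} record"

# Constructed sample capture (not the poster's dump): truncated ClientHello with
# client_version TLS 1.1, then ChangeCipherSpec and an opaque encrypted Finished.
CLIENT_STREAM = (bytes.fromhex("16 03 01 00 06 01 00 00 02 03 02")   # ClientHello, client_version 3.2
                 + bytes.fromhex("14 03 02 00 01 01")                  # ChangeCipherSpec
                 + bytes.fromhex("16 03 02 00 04 de ad be ef"))        # encrypted Finished (dummy bytes)
SERVER_STREAM = bytes.fromhex("15 03 02 00 02 02 14")                   # alert: fatal (2), bad_record_mac (20)

if __name__ == "__main__":
    print(diagnose(CLIENT_STREAM, SERVER_STREAM))
```

A server that really rejects the version would be expected to answer with protocol_version or handshake_failure; a bad_record_mac only after the client's Finished is consistent with Eugene's explanation that the old server misinterprets the unfamiliar version number rather than refusing it outright.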