EldoS | Feel safer!

TLS 1.1,1.2 causes SSL error in HTTP

#13025
Posted: 04/20/2010 07:22:35
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I'm recompiling an auto-update module and I'm finding that an SBB update seems to have caused the TLS 1.1 and 1.2 options to make the SSL connection fail with a "Cannot establish SSL connection" error.

I checked the packet dump and, when either TLS 1.1 or TLS 1.2 is enabled in the client component, the server sends a "bad record MAC" alert (0x14) back right after the client sends the "change cipher" + "encrypted handshake" packet.

If I disable both of these options, then the connection succeeds.

It's not critical since I don't actually need TLS 1.1+, but I would like to know what can cause this behavior.

Thanks
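Reading the failure off a packet dump, as in the post above, comes down to walking the TLS record layer: which protocol version each Hello carries, where each side switches to encryption (ChangeCipherSpec), and which alert level/description the server answers with. The following is an added example, not code from the thread or from SecureBlackbox; it parses raw TLS records and reports the negotiated versions and the terminating alert. The capture it runs on is a constructed byte string modelled on the exchange described (client offers TLS 1.2, server answers with TLS 1.1 and then a fatal bad_record_mac right after the client's ChangeCipherSpec + encrypted Finished); it is not a real dump, and the Certificate/ServerKeyExchange messages are omitted for brevity.

```python
"""Walk the TLS record layer of a captured handshake and report where it failed."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2; 20 (0x14) is bad_record_mac.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}


def parse_records(data):
    """Split a byte string into (content_type, record_version, payload) tuples.

    Raises ValueError on a truncated header or body so a cut-off dump is not
    silently misread.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, body))
        off += 5 + length
    return records


def hello_version(body):
    """Protocol version from a ClientHello/ServerHello (after the 4-byte handshake header)."""
    return struct.unpack("!H", body[4:6])[0]


def diagnose(exchange):
    """exchange: list of (sender, raw_bytes) in wire order. Returns a summary plus a trace."""
    encrypted = {"client": False, "server": False}
    result = {"client_version": None, "server_version": None, "alert": None, "trace": []}
    for sender, raw in exchange:
        for ctype, version, body in parse_records(raw):
            kind = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
            if ctype == 20:
                encrypted[sender] = True  # everything this side sends from now on is encrypted
                detail = ""
            elif ctype == 21 and not encrypted[sender]:
                level, desc = body[0], body[1]
                name = ALERT_DESCRIPTIONS.get(desc, "alert(%d)" % desc)
                detail = "%s %s" % (ALERT_LEVELS.get(level, level), name)
                result["alert"] = (sender, name)
            elif ctype == 22 and not encrypted[sender]:
                htype = body[0]
                detail = HANDSHAKE_TYPES.get(htype, "handshake(%d)" % htype)
                if htype == 1:
                    result["client_version"] = VERSIONS.get(hello_version(body))
                elif htype == 2:
                    result["server_version"] = VERSIONS.get(hello_version(body))
            else:
                detail = "encrypted"
            line = "%s: %s %s %s" % (sender, VERSIONS.get(version, hex(version)), kind, detail)
            result["trace"].append(line.rstrip())
    return result


def record(ctype, version, payload):
    """Build one TLS record: type(1) version(2) length(2) payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def handshake(msg_type, body):
    """Build one handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def constructed_capture():
    """Constructed sample (not a real dump) mirroring the failure described in the thread."""
    rnd = bytes(32)  # fixed zero random; only the structure matters here
    client_hello = handshake(1, struct.pack("!H", 0x0303) + rnd + b"\x00"
                             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    server_hello = handshake(2, struct.pack("!H", 0x0302) + rnd + b"\x00" + b"\x00\x2f" + b"\x00")
    server_done = handshake(14, b"")
    client_kex = handshake(16, b"\x00\x02\xaa\xbb")  # placeholder key-exchange payload
    finished_enc = bytes(48)  # stands in for the encrypted Finished record
    alert = bytes([2, 20])    # level fatal, description bad_record_mac
    return [
        ("client", record(22, 0x0301, client_hello)),
        ("server", record(22, 0x0302, server_hello) + record(22, 0x0302, server_done)),
        ("client", record(22, 0x0302, client_kex) + record(20, 0x0302, b"\x01")
                   + record(22, 0x0302, finished_enc)),
        ("server", record(21, 0x0302, alert)),
    ]


if __name__ == "__main__":
    for line in diagnose(constructed_capture())["trace"]:
        print(line)
```

The per-sender `encrypted` flag matters: once a side has sent ChangeCipherSpec its later records cannot be decoded, but an alert from the other side that has not yet switched (as the server here, which rejects the client's Finished before sending its own ChangeCipherSpec) is still plaintext and can be named. Feeding real captures to `diagnose` only needs the raw record bytes per direction in wire order.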
#13026
Posted: 04/20/2010 07:30:13
by Eugene Mayevski (EldoS Corp.)

This is a common bug of some servers (including OpenSSL up until the most recent versions) that misbehave when TLS 1.1 is requested.


Sincerely yours
Eugene Mayevski
#13028
Posted: 04/20/2010 07:50:32
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you for answering so quickly.

Why does it work with older versions of SBB?

For my personal curiosity, do you happen to have a reference to that bug handy? (The server is LAMP and might need an update.)
#13029
Posted: 04/20/2010 07:59:23
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Ah, I think I know: it doesn't work with older SBB versions either: the server was moved to another machine which, apparently, had an older OpenSSL version (and still does).

A reference to the bug would be useful for communicating with the hosting provider.

Thanks again,
Stephane
#13030
Posted: 04/20/2010 08:15:09
by Eugene Mayevski (EldoS Corp.)

Well, from the OpenSSL developers' point of view this is probably not a bug. They just didn't support those versions of the protocol, and, consequently, their code was confused by the unknown numbers. I don't think anybody filed this as a bug (we didn't). Yet we've been notifying users about this for years, and we even have a message regarding this in some of the sample applications (in the FTPS one, if memory serves).


Sincerely yours
Eugene Mayevski
#13033
Posted: 04/20/2010 08:20:12
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you. I'll go bother our hosting provider, then.

regards,
Stephane
