Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Can I force ssl version 3.0 only?
26 Jun 2007 15:38:02 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Joe,

In message <_A3779@delegate-en.ML_> on 06/26/07(04:27:49)
you "Joe Moore" <pvyhabdyi-vhnmk2d64gtr.ml@ml.delegate.org> wrote:
 |I am not able to connect when I force ssl version3 or tls version 1. I
 |have tried with a delegated executable that I compiled as well as with
 |the binary download from ftp.delegate.org.
 |
 |The client tries and then times out after  minutes.
 |
 |Here is the log of the unsuccessful connection when specifying
 |STLS="fcl,sslway -ssl3".
 |
 |>From /var/spool/delegate-nobody/log/stdout.log:
 |
 |605:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
 |number:s3_pkt.c:299:

I think this message (from the SSLway process id 605) is not a part
of the session logged as follows (with the SSLway process id 613).

 |from /var/spool/delegate-nobody/log/23:
...
 |06/25 12:48:39.08 [612] 1+0: SSL Hello?5 [80 76 1 3 1]
 |06/25 12:48:39.08 [612] 1+0: ## STLS ## IMPLICIT SSL ON 50,50,-1,19
 |06/25 12:48:39.08 [613] 1+0: -- Fork(FCL): 612 -> 613
 |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=2 [53/S]
 |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=1 [57/W]
 |06/25 12:48:40.08 [612] 1+0: waiting CFI_SYNC from sslway (300)...
 |06/25 12:53:40.08 [612] 1+0: 301.008 CFI_SYNC ready=0 [FFFFFFFE]
 |06/25 12:53:40.08 [612] 1+0: ERROR: SSL/cl disconnected
 |06/25 12:53:40.08 [612] 1+0: disconnected [50]
 |-@[10.0.8.102]10.0.8.102:3132 (301.020s)(0)
 |06/25 12:53:41.12 [612] 1+0: CFI process remaining (1/1)

Running DeleGate with SSLway with "-vd" option instead of "-vs"
will show us more information to see the reason of the problem.

I saw that "SSLv2 only" HTTP-DeleGate, invoked as follows, was blocked
with (SSLv3 only) Firefox like shown in your log above.
  delegated -P9080 -v SERVER=https STLS="fcl,sslway -ssl2"
Using gdb, I saw the SSLway process is blocking trying to send some
message onto the socket on which the SSL_accept() negotiation has failed.

  #0  0x9000ed04 in read ()
  #1  0x0141e220 in sock_read ()
  #2  0x0141aed4 in BIO_read ()
  #3  0x0139cae8 in read_n ()
  #4  0x0139ce3c in ssl2_read_internal ()
  #5  0x013994d0 in ssl2_accept ()
  #6  0x0139d1a0 in ssl2_write ()
  #7  0x001a003c in ssl_printf(void*, int, char const*, ...) ()
  #8  0x001a06d8 in ssl_acc(void*, int) ()
  #9  0x001a57b8 in sslway_mainX(int, char**, int, int, int) ()

Thus disabling ssl_printf() in ssl_acc() solved the blocking.
But just rejecting the negotiation of a certain version of SSL might
disable all SSL versions.  Thus it will be necessary to specify
"-no_ssl2" instead of "-ssl3" to disable SSLv2 usage while still accepting
the negotiation in SSLv2.
I implemented "-no_ssl2" option as enclosed and uploaded version of
sslway.c to "ftp://ftp.delegate.org/pub/DeleGate/tmp/sslway.c"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** ../delegate9.5.6/filters/sslway.c	Sun Mar 18 23:30:10 2007
--- filters/sslway.c	Tue Jun 26 23:58:31 2007
***************
*** 144,149 ****
--- 144,154 ----
  #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT	0x02
  #define SSL_VERIFY_CLIENT_ONCE		0x04
  
+ #define SSL_CTRL_OPTIONS		32
+ #define SSL_OP_NO_SSLv2			0x01000000
+ #define SSL_OP_NO_SSLv3			0x02000000
+ #define SSL_OP_NO_TLSv1			0x04000000
+ 
  typedef void SSL_CTX;
  typedef void SSL_METHOD;
  typedef void SSL;
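Review bot: The four new defines at the top of the hunk copy numeric values out of OpenSSL's ABI (the SSL_CTRL_OPTIONS command number and the SSL_OP_NO_* option bits), and because this file declares `typedef void SSL_CTX;` instead of including the library header, nothing at build time will detect a library whose values differ. A comment naming where they were taken from would make that dependency visible, e.g. `/* mirrored from OpenSSL <version>'s ssl.h; must match the library loaded at run time */`. SSL_OP_NO_TLSv1 is defined but, in the hunks shown, never used by the new option handling.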
***************
*** 719,725 ****
--- 724,733 ----
  	if( SSL_accept(accSSL) < 0 ){
  		ERROR("accept failed");
  		ERR_print_errors_fp(stderr);
+ 		/*
+ 		9.5.7 don't try writing to the non-established connection
  		ssl_printf(accSSL,0,"SSLway: accept failed\n");
+ 		*/
  		if( SSL_fatalCB ){
  			(*SSL_fatalCB)("ssl_acc() failed\n");
  		}
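Review bot: Commenting out the `ssl_printf()` call leaves dead code inside the `if( SSL_accept(accSSL) < 0 )` branch of ssl_acc(); deleting the call and keeping only the reason would read more clearly, e.g. `/* 9.5.7: don't write to a connection whose handshake failed -- the write can block forever on an unread socket */`. The enclosing function continues outside the hunk.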
***************
*** 770,775 ****
--- 778,784 ----
  	int	 x_verify;
  	int	 x_peeraddr;
  	int	 x_sslver;
+ 	int	 x_sslnover;
  } SSLContext;
  
  static const char sv_cert_default[] = "server-cert.pem";
***************
*** 803,808 ****
--- 812,818 ----
  #define cl_nego_FTPDATA	sslctx[XACC].x_nego_FTPDATA
  #define cl_addr		sslctx[XACC].x_peeraddr
  #define cl_sslver	sslctx[XACC].x_sslver
+ #define cl_sslnover	sslctx[XACC].x_sslnover
  
  #define cl_Cert		sslctx[XCON].x_certkey
  #define cl_Ncert	sslctx[XCON].x_certkey.v_Ncert
***************
*** 818,823 ****
--- 828,834 ----
  #define sv_nego_FTPDATA	sslctx[XCON].x_nego_FTPDATA
  #define sv_addr		sslctx[XCON].x_peeraddr
  #define sv_sslver	sslctx[XCON].x_sslver
+ #define sv_sslnover	sslctx[XCON].x_sslnover
  
  #define ST_OPT		1
  #define ST_FORCE	2
***************
*** 828,833 ****
--- 839,845 ----
  {	SSL_CTX *ctx;
  	SSL_METHOD *meth;
  	int sslver;
+ 	int sslnover;
  
  	SSL_library_init();
  	SSL_load_error_strings();
***************
*** 866,871 ****
--- 878,894 ----
  		else	meth = SSLv23_client_method();
  	}
  	ctx = SSL_CTX_new(meth);
+ 
+ 	if( ctx )
+ 	if( sslnover = serv ? cl_sslnover : sv_sslnover ){
+ 		int opts = 0;
+ 		switch( sslnover ){
+ 			case 1: opts |= SSL_OP_NO_SSLv2; break;
+ 			case 2: opts |= SSL_OP_NO_SSLv3; break;
+ 			case 3: opts |= SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; break;
+ 		}
+ 		SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,opts,NULL);
+ 	}
  	return ctx;
  }
  static void passfilename(PCStr(keyfile),PVStr(passfile))
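Review bot: The assignment inside `if( sslnover = serv ? cl_sslnover : sv_sslnover ){` reads as a likely typo for `==`, and the preceding brace-less `if( ctx )` makes the nesting easy to misread. The values the `-no_ssl` parser stores (1, 2, 3) already form a bitmask, so the `switch` is redundant: write `if( ctx && (sslnover = serv ? cl_sslnover : sv_sslnover) != 0 ){` and replace the switch with `if( sslnover & 1 ) opts |= SSL_OP_NO_SSLv2;` followed by `if( sslnover & 2 ) opts |= SSL_OP_NO_SSLv3;`, which covers every combination without needing a default case. As written, a value the switch does not list leaves opts at 0 and still calls SSL_CTX_ctrl, which is harmless but silently restricts nothing.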
***************
*** 1277,1282 ****
--- 1300,1309 ----
  		ERROR("## no session to be saved");
  		goto CEXIT;
  	}
+ 	if( shp->ssl_version == 2 ){
+ 		DEBUG("## don't cache the session of SSL2");
+ 		goto CEXIT;
+ 	}
  
  	len = i2d_SSL_SESSION(sess,NULL);
  	if( len == 0 ){
***************
*** 2187,2192 ****
--- 2214,2226 ----
  		if( strncmp(arg,"-vt",3) == 0 ){
  		}else
  		if( strncmp(arg,"-vs",3) == 0 ){
+ 		}else
+ 		if( strneq(arg,"-no_ssl",7) ){
+ 			int sslnover = 0;
+ 			if( streq(arg+7,"2") ) sslnover = 1; else
+ 			if( streq(arg+7,"3") ) sslnover = 2; else
+ 			if( streq(arg+7,"23")) sslnover = 3;
+ 			sv_sslnover = cl_sslnover = sslnover;
  		}else
  		if( strneq(arg,"-ssl",4) ){
  			int sslver = 0;
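Review bot: An unrecognized suffix after `-no_ssl` (a typo such as `-no_ssl32`, or a spelling the three `streq` tests do not cover) leaves `sslnover` at 0, and that 0 is then stored into both contexts, so the option silently disables nothing and even clears a value set by an earlier `-no_ssl*` argument. Report it rather than ignoring it, e.g. `else ERROR("unknown -no_ssl option");` after the `"23"` case (ERROR is shown in this patch only with a single literal; adapt if it takes format arguments). Since 1/2/3 behaves as a bitmask, scanning the suffix's digits and OR-ing 1 for '2' and 2 for '3' would also accept `-no_ssl32` and make the mapping obvious at the parse site. The enclosing option loop starts and ends outside the hunk.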
