lost and found ( for me ? )

SSL renegotiation: RFC 5746

Here is a comparison of SSL renegotiation between openssl 0.9.8k, which does not support RFC 5746, and openssl 1.0.1e-fips, which does, against a web server that allows renegotiation only when the client uses RFC 5746.

Install openssl 0.9.8k from source on Fedora 19 64-bit.
openssl 0.9.8k does not support RFC 5746.

The build fails with an error:
# yum install gcc make perl
# tar xzvf openssl-0.9.8k.tar.gz
# cd openssl-0.9.8k
# ./config --prefix=/root/openssl098k
# make
make[2]: ディレクトリ `/root/openssl-0.9.8k/crypto/md5' に入ります
gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
md5-x86_64.s:50: Error: 0xe8c7b756 out range of signed 32bit displacement
md5-x86_64.s:68: Error: 0xc1bdceee out range of signed 32bit displacement
md5-x86_64.s:77: Error: 0xf57c0faf out range of signed 32bit displacement
md5-x86_64.s:95: Error: 0xa8304613 out range of signed 32bit displacement
md5-x86_64.s:104: Error: 0xfd469501 out range of signed 32bit displaceme


Searching for this error shows that it can be resolved by passing the “no-asm -fPIC” options to ./config.

# make clean
# ./config --prefix=/root/openssl098k no-asm -fPIC
# make
# make install

# /root/openssl098k/bin/openssl
OpenSSL> version
OpenSSL 0.9.8k 25 Mar 2009
OpenSSL> exit

[ openssl 0.9.8k ]

The server rejected the renegotiation because the client (openssl 0.9.8k) does not support RFC 5746. In the s_client session below, typing R on a line by itself requests a renegotiation.



# /root/openssl098k/bin/openssl
OpenSSL> version
OpenSSL 0.9.8k 25 Mar 2009

# pwd
/root/SSL_certs

# ls
foo.private  foo.public



# /root/openssl098k/bin/openssl s_client -connect www.foo.bar:443 -CAfile foo.public -CApath ./

   Verify return code: 0 (ok)
---
GET / HTTP/1.1
Host: www.foo.bar

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Oct 2013 18:00:57 GMT
Accept-Ranges: bytes
ETag: "9f64d-6-4e829b5d5bb4a"
Connection: Keep-Alive
Last-Modified: Mon, 07 Oct 2013 17:09:08 GMT
Content-Length: 6

hello
GET / HTTP/1.1
Host: www.foo.bar
R
RENEGOTIATING
13948:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
13948:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

[ openssl 1.0.1e-fips ]

The server accepted the renegotiation because openssl 1.0.1e-fips supports RFC 5746.

# pwd
/root/SSL_certs

# ls
foo.private  foo.public
[root@localhost SSL_certs]# /bin/openssl
OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL>

# /bin/openssl s_client -connect www.foo.bar:443 -CAfile foo.public -CApath ./

   Verify return code: 0 (ok)
---
GET / HTTP/1.1
Host: www.foo.bar

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Oct 2013 17:53:06 GMT
Accept-Ranges: bytes
ETag: "9f64d-6-4e829b5d5bb4a"
Connection: Keep-Alive
Last-Modified: Mon, 07 Oct 2013 17:09:08 GMT
Content-Length: 6

hello
GET / HTTP/1.1
Host: www.foo.bar
R
RENEGOTIATING
depth=0 C = US, ST = foo, L = foo, O = foo, OU = foo, CN = www.foo.bar
verify return:1

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Oct 2013 17:53:20 GMT
Accept-Ranges: bytes
ETag: "9f64d-6-4e829b5d5bb4a"
Connection: Keep-Alive
Last-Modified: Mon, 07 Oct 2013 17:09:08 GMT
Content-Length: 6

hello
GET / HTTP/1.1
Host: www.foo.bar
R
RENEGOTIATING
depth=0 C = US, ST = foo, L = foo, O = foo, OU = foo, CN = www.foo.bar
verify return:1

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Oct 2013 17:53:31 GMT
Accept-Ranges: bytes
ETag: "9f64d-6-4e829b5d5bb4a"
Connection: Keep-Alive
Last-Modified: Mon, 07 Oct 2013 17:09:08 GMT
Content-Length: 6

hello
GET / HTTP/1.1
Host: www.foo.bar
R
RENEGOTIATING
depth=0 C = US, ST = foo, L = foo, O = foo, OU = foo, CN = www.foo.bar
verify return:1

HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8
Date: Mon, 07 Oct 2013 17:53:43 GMT
Accept-Ranges: bytes
ETag: "9f64d-6-4e829b5d5bb4a"
Connection: Keep-Alive
Last-Modified: Mon, 07 Oct 2013 17:09:08 GMT
Content-Length: 6
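
As an added illustration (not part of the original post): a server learns whether a client supports RFC 5746 from its ClientHello, which carries either the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value or the renegotiation_info extension. The Python code below parses a ClientHello handshake message and reports both signals; the function names and the sample messages are constructed for this example and are not captures from the clients above.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746, 3.2)

def rfc5746_signals(hello: bytes) -> dict:
    """Report how a ClientHello handshake message signals RFC 5746 support."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    try:
        pos = 2 + 32                          # skip client_version and random
        pos += 1 + body[pos]                  # skip session_id
        n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        suites = struct.unpack(f">{n // 2}H", body[pos:pos + n]); pos += n
        pos += 1 + body[pos]                  # skip compression_methods
        ext_types = []
        if pos < len(body):                   # the extensions block is optional
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack(">HH", body[pos:pos + 4])
                ext_types.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    scsv, ext = SCSV in suites, RENEG_INFO_EXT in ext_types
    return {"scsv": scsv, "renegotiation_info": ext, "secure": scsv or ext}

def build_hello(suites, extensions=()):
    """Build a constructed TLS 1.0 ClientHello (all-zero random) as sample input."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00")
    if extensions:
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed samples, not captures from the clients on this page.
LEGACY = build_hello([0x0035, 0x002F])                 # no RFC 5746 signal
WITH_SCSV = build_hello([0x0035, 0x002F, SCSV])        # SCSV in cipher list
WITH_EXT = build_hello([0x0035], [(RENEG_INFO_EXT, b"\x00")])  # empty extension

if __name__ == "__main__":
    for name, hello in [("legacy", LEGACY), ("scsv", WITH_SCSV), ("ext", WITH_EXT)]:
        print(name, rfc5746_signals(hello))
```

On the renegotiation handshake itself, RFC 5746 requires the renegotiation_info extension carrying the previous handshake's verify_data, and the SCSV must not be sent.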


