On 2013-02-25 at 10:42 +0200, Warren Baker wrote:
> Any other ideas?
Note that +all is "SSL_OP_ALL" from SSL_CTX_set_options and is *not*
"all options", but "all of a subset of options deemed safe".
You reported:
10:34:24 79951 openssl option, adding from 1000000: 80000bff (all)
10:34:24 79951 setting SSL CTX options: 0x81000bff
The values can be seen in <openssl/ssl.h> and are mostly stable across
versions. (Not entirely, alas).
So that shows us that SSL_OP_NO_SSLv2 was enabled by default, that
SSL_OP_LEGACY_SERVER_CONNECT was *not* already set, despite the
documentation (*sigh*) but that it was set by SSL_OP_ALL (again, despite
the documentation). Clearly, the manpage SSL_CTX_set_options(3) is
dangerously unsafe to rely upon.
So you've ended up with these options set:
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L
That leaves these:
(four DTLS options in mask 0x0000F000L)
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
#define SSL_OP_NO_COMPRESSION 0x00020000L
#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
#define SSL_OP_SINGLE_DH_USE 0x00100000L
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
Try adding in +no_tlsv1_1 and +no_tlsv1_2 -- if this fixes it, then it
looks like MS bugs around the use of TLS1.1/TLS1.2.
OpenSSL 1.0.1 series a-c had a bug in renegotiation, fixed from d
onwards, which led them to use the wrong version number in
renegotiation. You said you're on 1.0.1e, so the issue is fixed there,
but perhaps there's something similar going on in MS's TLS stack.
If this really is not encountered with GnuTLS though, then it's
something else, since GnuTLS has supported TLS1.1/1.2 for longer than
OpenSSL.
-Phil
