Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
OWEALs
/
openssl
-ын хуулбар git://git.openssl.org/openssl.git
2
0
Салаа 0
Файлууд Асуудлууд 1 Мэдлэгийн сан
Мод: 43206a2d7c
Салаанууд Тагууд
openssl
/
bugs
/
SSLv3

SSLv3 2.4 KB
Түүх Анхны өгөгдөл

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 
  1. So far...
    2. 

  2. 

  3. ssl3.netscape.com:443 does not support client side dynamic
    4. 

  4. session-renegotiation.
    5. 

  5. 

  6. ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN
    7. 

  7. in an invalid format (the outer sequence is removed).
    8. 

  8. 

  9. Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
    10. 

  10. challenge but then appears to only use 16 bytes when generating the
    11. 

  11. encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
    12. 

  12. According to the SSLv3 spec, one should use 32 bytes for the challenge
    13. 

  13. when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
    14. 

  14. this breaks this server so 16 bytes is the way to go.
    15. 

  15. 

  16. www.microsoft.com - when talking SSLv2, if session-id reuse is
    17. 

  17. performed, the session-id passed back in the server-finished message
    18. 

  18. is different from the one decided upon.
    19. 

  19. 

  20. ssl3.netscape.com:443, first a connection is established with RC4-MD5.
    21. 

  21. If it is then resumed, we end up using DES-CBC3-SHA.  It should be
    22. 

  22. RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
    23. 

  23. Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
    24. 

  24. It only really shows up when connecting via SSLv2/v3 then reconnecting
    25. 

  25. via SSLv3. The cipher list changes....
    26. 

  26. NEW INFORMATION.  Try connecting with a cipher list of just
    27. 

  27. DES-CBC-SHA:RC4-MD5.  For some weird reason, each new connection uses
    28. 

  28. RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
    29. 

  29. doing a re-connect, always takes the first cipher in the cipher list.
    30. 

  30. 

  31. If we accept a netscape connection, demand a client cert, have a
    32. 

  32. non-self-signed CA which does not have it's CA in netscape, and the
    33. 

  33. browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
    34. 

  34. 

  35. Netscape browsers do not really notice the server sending a
    36. 

  36. close notify message.  I was sending one, and then some invalid data.
    37. 

  37. netscape complained of an invalid mac. (a fork()ed child doing a
    38. 

  38. SSL_shutdown() and still sharing the socket with its parent).
    39. 

  39. 

  40. Netscape, when using export ciphers, will accept a 1024 bit temporary
    41. 

  41. RSA key.  It is supposed to only accept 512.
    42. 

  42. 

  43. If Netscape connects to a server which requests a client certificate
    44. 

  44. it will frequently hang after the user has selected one and never
    45. 

  45. complete the connection. Hitting "Stop" and reload fixes this and
    46. 

  46. all subsequent connections work fine. This appears to be because 
    47. 

  47. Netscape wont read any new records in when it is awaiting a server
    48. 

  48. done message at this point. The fix is to send the certificate request
    49. 

  49. and server done messages in one record.
    50.