www.harryanddavid.com SSL handshake failure error in non-blocking mode.

Krishna M Singh-2
Hi All

I have written an SSL client that performs an SSL handshake with any
webserver and validates the certificate received from the webserver.
With all other sites the handshake works perfectly fine and has been
tested with 100's of secure sites.

The SSL handshake between my client and the www.harryanddavid.com webserver
fails. Instead of the last SSL Finished message during the handshake, the
webserver sends an 85 byte alert message and then a TCP FIN message to
close the connection. Apart from that, all other packets in the sniffer
traces are identical to the sniffer traces when Internet Explorer is
doing an SSL handshake with the same webserver.

The SSL error string is some decrypt failure...


Even the OpenSSL Windows client (openssl.exe) provided when you build
OpenSSL on Windows gives the same error when doing an SSL handshake with the
above Harry webserver.

Anyone having an SSL client, please try to do an SSL handshake with the
www.harryanddavid.com server and let me know whether it's successful or
not. I am assuming I might be missing some scenario.

Also, when we use SSLv2 only, this works fine. Only with SSLv23 does the
handshake fail. Any ideas or pointers on how to proceed further would be of
great help.

Also, does OpenSSL support chained certificates (i.e. a server
certificate that has one cert + its issuer in the same cert)? Do we need
to call any specific API to handle these?

Thanks and regards
-Krishna
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: www.harryanddavid.com SSL handshake failure error in non-blocking mode.

Dr. Stephen Henson
On Tue, Jan 10, 2006, Krishna M Singh wrote:

>
> Also, when we use SSLv2 only, this works fine. Only with SSLv23 does the
> handshake fail. Any ideas or pointers on how to proceed further would be of
> great help.
>

Seems it doesn't support TLS and messes up SSLv3 when the client indicates it
supports TLS.

Disabling TLS works though: the -no_tls1 option in s_client does that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: www.harryanddavid.com SSL handshake failure error in non-blocking mode.

Krishna M Singh-2
Hi

Thanks for the inputs. Disabling TLS removes the problem.

Apart from that, I tried the following:

With the default configuration set and the page accessed through Netscape
7.2, the web page is not accessible, and when refreshed the page is
accessible. Every time the browser is closed and reopened the same
behaviour is noticed. The first time, Netscape sends version 3.1,
and the next time on refresh it tries with version 3.0, which
works. Netscape is storing the information that this web server does
not work with 3.1 and hence uses the lower protocol version in subsequent
requests.
In the case of Firefox 1.5, the browser retries the web page with version
3.0 automatically when it is not accessible the first time with version
3.1. The only difference between Firefox and Netscape is that Firefox
retries on its own whereas in Netscape the user needs to refresh the
page.

It seems Netscape doesn't handle this problem and requires the user to
refresh. Firefox discovers this at runtime and retries the connection with
SSL 3.0 (when the SSL handshake with SSL 3.1 fails with the harryanddavid site).

I remember that the SSL stacks of Netscape and Firefox are OpenSSL variants.
Does this mean the same has been fixed in their stacks, or is it
handled by the application itself?

Any pointers will be of great help. Thanks a lot for going through my long mail.

thanks and regards
-Krishna


On 1/10/06, Dr. Stephen Henson <[hidden email]> wrote:

> On Tue, Jan 10, 2006, Krishna M Singh wrote:
>
> >
> > Also, when we use SSLv2 only, this works fine. Only with SSLv23 does the
> > handshake fail. Any ideas or pointers on how to proceed further would be of
> > great help.
> >
>
> Seems it doesn't support TLS and messes up SSLv3 when the client indicates it
> supports TLS.
>
> Disabling TLS works though: the -no_tls1 option in s_client does that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Re: www.harryanddavid.com SSL handshake failure error in non-blocking mode.

Dr. Stephen Henson
On Fri, Jan 13, 2006, Krishna M Singh wrote:

>
> I remember that the SSL stacks of Netscape and Firefox are OpenSSL variants.
> Does this mean the same has been fixed in their stacks, or is it
> handled by the application itself?
>

Then you remember incorrectly. Netscape and Firefox use NSS which is not based
on OpenSSL.

> Any pointers will be of great help. Thanks a lot for going through my long mail.
>

The problem is the server, not the client. If the server handled this
correctly it would recognize that the client supported TLS[*] but would
negotiate SSLv3 instead. The server attempts to do this but messes up
somewhere during the handshake or the internal session setup.

Steve.
[*] Well it wouldn't know it was TLS if it had no knowledge of TLS. It would
simply appear to be a version of SSL higher than it could handle so it would
use the version it could handle: SSLv3.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
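As an added illustration of the negotiation rule Steve describes (this is example code written for this page, not code from the thread or from OpenSSL), the following Python model builds a real-format ClientHello record, has a correct server pick the highest version both sides support, models a version-intolerant server that answers an offered 3.1 with a fatal alert instead of negotiating down to 3.0, and shows the kind of client-side retry with a lower offered version that Krishna observed Firefox 1.5 doing. Record and handshake layouts follow SSL 3.0 / RFC 2246; the cipher suite values, the fixed random bytes and the alert descriptions the intolerant server sends are assumptions made for the example, and no sockets are used.

```python
"""Model of SSL 3.0 / TLS 1.0 version negotiation and a version-intolerant server.
Added example for this thread; not code from OpenSSL, NSS or any browser."""
import os
import struct

SSL3 = (3, 0)   # "version 3.0" in the thread
TLS1 = (3, 1)   # "version 3.1" in the thread (TLS 1.0)

HANDSHAKE, ALERT = 22, 21            # record-layer content types
CLIENT_HELLO, SERVER_HELLO = 1, 2    # handshake message types
ALERT_HANDSHAKE_FAILURE = 40         # assumed: what the broken server sends back
ALERT_PROTOCOL_VERSION = 70          # correct reply when no common version exists


def record(ctype, version, payload):
    """Wrap a payload in a record-layer header: type, version, length."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def build_client_hello(version, cipher_suites=(0x002F, 0x000A), rand=None):
    """ClientHello with the given client_version, an empty session id and null compression."""
    rand = rand if rand is not None else os.urandom(32)
    body = bytes(version) + rand + b"\x00"                        # version, random, session id len 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)  # assumed suite values
    body += b"\x01\x00"                                            # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return record(HANDSHAKE, version, hs)


def parse_record(data):
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    return ctype, (vmaj, vmin), data[5:5 + length]


def parse_client_hello(payload):
    """Return (client_version, cipher_suites) from a ClientHello handshake message."""
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    version = (body[0], body[1])
    off = 35 + body[34]                              # skip version, random and session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + cs_len, 2)]
    return version, suites


def alert(version, description):
    return record(ALERT, version, bytes([2, description]))   # level 2 = fatal


def server_hello(version, suite):
    body = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return record(HANDSHAKE, version, hs)


def correct_server(client_record, server_max=SSL3, server_min=SSL3):
    """What the thread says the server should do: a client_version above what the
    server speaks is simply "higher than it can handle", so answer with the highest
    version both support (here SSLv3) rather than failing."""
    _, _, payload = parse_record(client_record)
    client_version, suites = parse_client_hello(payload)
    chosen = min(client_version, server_max)
    if chosen < server_min:
        return alert(server_min, ALERT_PROTOCOL_VERSION)
    return server_hello(chosen, suites[0])


def intolerant_server(client_record, server_max=SSL3):
    """Models the observed behaviour: an offered version above server_max is
    answered with a fatal alert instead of a ServerHello for SSLv3."""
    _, _, payload = parse_record(client_record)
    client_version, suites = parse_client_hello(payload)
    if client_version > server_max:
        return alert(server_max, ALERT_HANDSHAKE_FAILURE)
    return server_hello(client_version, suites[0])


def negotiate(server, offers=(TLS1, SSL3)):
    """Client side: offer the highest version first; on a fatal alert retry with the
    next lower offer. Returns (negotiated_version_or_None, [(offered, reply_type), ...]).
    Caveat: an automatic fallback lets anyone who can inject an alert force the lowest
    offered version, so a client that does this should limit it to known-broken servers."""
    attempts = []
    for version in offers:
        ctype, _, payload = parse_record(server(build_client_hello(version)))
        attempts.append((version, ctype))
        if ctype == HANDSHAKE and payload[0] == SERVER_HELLO:
            return (payload[4], payload[5]), attempts
    return None, attempts


if __name__ == "__main__":
    print("correct server   :", negotiate(correct_server))
    print("intolerant server:", negotiate(intolerant_server))
```

Against `correct_server` a single offer of 3.1 already yields a ServerHello for 3.0; against `intolerant_server` the first attempt comes back as an alert and only the retry with 3.0 succeeds, which is the two-connection pattern Krishna saw in the browser traces and which the `-no_tls1` option avoids by never offering 3.1 in the first place.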