PerlMonks  

Re^5: Net::SSLeay and secure renegotiation

by noxxi (Pilgrim)
on Dec 12, 2016 at 07:29 UTC


in reply to Re^4: Net::SSLeay and secure renegotiation
in thread Net::SSLeay and secure renegotiation

> With that line, I am forcing SSLv2 to be the wrapper for the client

I very much doubt this will work. While you set ssl_version, you do it after creating the context. Also, ssl_version is only looked at if you use sslcat or https_cat (i.e. users of new_x_ctx), which you don't do. Which means that setting ssl_version does nothing in the code. The rest of this line calls CTX_set_options with the option "2", which is not even a defined SSL_OP.
Also, setting ssl_version to 2 in the cases where it actually does something will not force an SSLv2 wrapper but force use of SSL 2.0. This one is mostly fully disabled in current versions of openssl, and SSL 2.0 does not support renegotiation anyway. SSLv2 wrapper would instead mean that you want to have an SSLv23 context, which is actually the default.

> I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

This should be included by default in the initial ClientHello and a short test with IO::Socket::SSL shows that it actually is.

Re^6: Net::SSLeay and secure renegotiation
by iThunder (Beadle) on Dec 13, 2016 at 04:49 UTC

    Well, for some reason it's not appearing in my client hello. Below is my code. With SSL_cipher_list set to ALL, I can see 38 cipher suites being sent but not the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV". What OS and openssl version are you using?

    #!/usr/bin/perl
    use strict;
    use warnings;
    use IO::Socket::SSL;
    use IO::Socket qw(:DEFAULT :crlf);

    $/ = CRLF;    # line terminator for the HTTP request lines
    $| = 1;       # unbuffered output

    # Connect with certificate verification disabled and the cipher list set to ALL
    my $client = IO::Socket::SSL->new(
        PeerHost        => "1.1.1.115",
        PeerPort        => "443",
        SSL_verify_mode => SSL_VERIFY_NONE,
        SSL_cipher_list => 'ALL',
    ) or die "connect failed: $!, $SSL_ERROR";

    my $msg1 = "GET /index.html HTTP/1.1" . $/;
    my $msg2 = "Host: windows" . $/;
    my $msg3 = "User-Agent: curl/7.18.1 (i386-redhat-linux-gnu) libcurl/7.18.1 NSS/3.12 Beta 3 zlib/1.2.3 libidn/0.6.14" . $/;

    print $client $msg1, $msg2, $msg3 . CRLF;    # the extra CRLF ends the request headers
    shutdown($client, 2);

      > With SSL_cipher_list set to ALL, I can see 38 cipher suites being sent but not the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV".

      With SSL_cipher_list ALL I get 91 ciphers and it includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV. I'm using OpenSSL 1.0.1 on Linux. Having this few ciphers in ALL looks to me like a very old OpenSSL version, which might not even support TLS_EMPTY_RENEGOTIATION_INFO_SCSV. What version are you using? My guess is that you still might be using 0.9.8, probably on OS X, which shipped this very old and for ages unsupported version by default.

        The openssl version on my linux is 1.0.2j 26 Sep 2016 and I can send that TLS_EMPTY_RENEGOTIATION_INFO_SCSV if I use openssl commands.
