Article delegate-en/3782 of [1-5169] on the server localhost:119
[Reference:<_A3780@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Can I force ssl version 3.0 only?
27 Jun 2007 15:37:37 GMT "Joe Moore" <pvyhabdyi-jfjnzgm6qznr.ml@ml.delegate.org>


Yutaka,

I recompiled with the new sslway.c and ran with the "-vd" option.

I can now connect with the config:

STLS="fcl,sslway -no_ssl2"
-P23
-vd
SERVER=telnet://ss922
CACHE=no
RES_WAIT=0

The log of my test connection is below.

The good news is that my Nessus scans indicate that SSL version 3.0 is
all that is available. WooHoo! The not so good news is that low strength
ciphers can still be negotiated. Is there any way to achieve the openssl
equivalent of "cipher=HIGH" or "cipher= HIGH:MEDIUM"? I tried:

STLS="fcl,sslway -no_ssl2 cipher=HIGH"

Delegated started and functioned OK but Nessus indicated that ciphers
with 40 bit and 56 bit keys were still available.

Thanks for all your help!

			...jgm




06/26 16:21:40.08 [623] 0+0: AcceptByMain: TIMEOUT(children=0,
timeout=15)
06/26 16:21:40.08 [623] 0+0:
dirfopen(/var/spool/delegate-nobody/act/restart/_23_,r): 0 [-1]
06/26 16:21:40.08 [623] 0+0: AcceptByMain: start polling(100)[14]...
06/26 16:21:40.18 [623] 0+0: AcceptByMain: start polling(15000)[14]...
06/26 16:21:47.16 [623] 0+0: ## accept([11]:23)=19
06/26 16:21:47.17 [625] 1+0: -- Fork(OnetimeServer): 623 -> 625
06/26 16:21:47.17 [625] 1+0: -- SockHost: [10.0.12.245]
sslproxy01.holidaycompanies.com:23
06/26 16:21:47.17 [625] 1+0: HOSTS[4]=/10.0.8.102
06/26 16:21:47.17 [625] 1+0: SPECIALIST: telnet
06/26 16:21:47.17 [625] 1+0: #### newRoute[USERIDENT] 0/16
06/26 16:21:47.17 [625] 1+0: [0] USERIDENT=://:0-_-{}:{}
06/26 16:21:47.17 [625] 1+0:
dirfopen(/var/spool/delegate-nobody/act/clients/14/10.0.8.102:10.0.8.102
,r+): 0 [-1]
06/26 16:21:47.17 [625] 1+0:
dirfopen(/var/spool/delegate-nobody/act/clients/14/10.0.8.102:10.0.8.102
,w+): 28476060 [11]
06/26 16:21:47.17 [625] 1+0: (0) accepted [20]
-@[10.0.8.102]10.0.8.102:4256 (0.007s)(1)
06/26 16:21:47.17 [625] 1+0:
dirfopen(/var/spool/delegate-nobody/adm/shutout/10.0.8.102,r): 0 [-1]
06/26 16:21:47.17 [625] 1+0:
dirfopen(/var/spool/delegate-nobody/adm/shutout/10.0.8.102,r): 0 [-1]
06/26 16:21:47.17 [625] 1+0: KeepAlive[20] = 8
06/26 16:21:47.17 [625] 1+0: execGeneralist->execSpecialist
06/26 16:21:47.17 [625] 1+0: PATH:
telnet://ss922:23!sslproxy01.holidaycompanies.com:23!10.0.8.102:4256!ano
nymous@0..
.102;1182892907
06/26 16:21:47.17 [623] 1+0:
dirfopen(/var/spool/delegate-nobody/act/restart/_23_,r): 0 [-1]
06/26 16:21:47.17 [625] 1+0: SSL_isrecord? 8 [80 4C  1  3  1]
06/26 16:21:47.17 [625] 1+0: # SSL record head[80 4C  1  3  1] SSL2
8?/78
06/26 16:21:47.17 [625] 1+0: isinSSL ? [80] from client
06/26 16:21:47.17 [625] 1+0: SSL Hello?5 [80 76 1 3 1]
06/26 16:21:47.18 [625] 1+0: PATH_TRANSLATED=
06/26 16:21:47.18 [625] 1+0: gethostbyname(ss922).
06/26 16:21:47.18 [625] 1+0: *** gethostbyname(ss922):
ss922.holidaycompanies.com / 0.00 secs. has_alias:1
06/26 16:21:47.18 [625] 1+0:
HOSTS[5]={ss922.holidaycompanies.com,ss922}/10.192.0.9
06/26 16:21:47.18 [623] 1+0: AcceptByMain: start polling(100)[14]...
06/26 16:21:47.18 [625] 1+0: ## STLS ## IMPLICIT SSL ON 20,20,-1,19
06/26 16:21:47.18 [626] 1+0: -- Fork(FCL): 625 -> 626
06/26 16:21:47.18 [626] 1+0: TCP_NODELAY[11] 0 -> 4
06/26 16:21:47.18 [626] 1+0: TCP_NODELAY[19] 0 -> 4
06/26 16:21:47.18 [626] 1+0: ## SSLway loadSession 0.000114 (0 0) / -1
06/26 16:21:47.18 [625] 1+0: 0.010 CFI_SYNC ready=2 [53/S]
06/26 16:21:47.18 [625] 1+0: 0.010 CFI_SYNC ready=1 [57/W]
06/26 16:21:47.21 [626] 1+0: ## SSLway ## 0.024587 sescache[0] HIT=0
sR=0 cR=1
06/26 16:21:47.21 [625] 1+0: 0.031 CFI_SYNC ready=2 [A]
06/26 16:21:47.22 [625] 1+0: #### newRoute[REACHABLE] 0/16
06/26 16:21:47.22 [625] 1+0: [0] REACHABLE=://:0-_-{}:{}
06/26 16:21:47.22 [625] 1+0: PERMITTED: telnet://ss922
06/26 16:21:47.22 [625] 1+0:
dirfopen(/var/spool/delegate-nobody/act/servers/cc/telnet-anonymous-ss92
2-23-0,r+): 0 [-1]
06/26 16:21:47.22 [625] 1+0: ConnectToServer: DFLT=telnet://ss922:23
REAL=://:0
06/26 16:21:47.22 [625] 1+0: ConnectToServer connect telnet://ss922:23
06/26 16:21:47.27 [625] 1+0: ConnectToServer connected [11]
{10.192.0.9:23 <- 10.0.12.245:60255} [0.046s]
06/26 16:21:47.27 [625] 1+0: KeepAlive[11] = 8
06/26 16:21:47.27 [625] 1+0: willSTLS_SV: ServerFlags=10
06/26 16:21:47.28 [625] 1+0: DC[  1] f1:241 NOP
06/26 16:21:47.28 [625] 1+0: buffer: CS=8192[20>11] SC=8192[11>20]
(Polling)
06/26 16:21:47.28 [623] 1+0: AcceptByMain: start polling(15000)[14]...
06/26 16:21:47.31 [625] 1+0: SC[  2] 01:  1 WILL Echo
06/26 16:21:47.31 [625] 1+0: SC[  5] 03:  3 WILL SuppressGoAhead
06/26 16:21:47.31 [625] 1+0: SC[  8] 18: 24 DO   TerminalType
06/26 16:21:47.31 [625] 1+0: SC[ 11] 1f: 31 DO
NegotiateAboutWindowSize
06/26 16:21:47.46 [625] 1+0: CS[  2] 01:  1 DO   Echo
06/26 16:21:47.46 [625] 1+0: CS[  5] 03:  3 DO   SuppressGoAhead
06/26 16:21:47.46 [625] 1+0: CS[  8] 03:  3 WILL SuppressGoAhead
06/26 16:21:47.46 [625] 1+0: CS Client-Says WILL TerminalType
06/26 16:21:47.46 [625] 1+0: CS[ 11] 18: 24 WILL TerminalType
06/26 16:21:47.46 [625] 1+0: CS[ 14] 1f: 31 WILL
NegotiateAboutWindowSize
06/26 16:21:47.46 [625] 1+0: CS[ 23] f0:240
SB,NegotiateAboutWindowSize,0,P,0,24,IAC,SE
06/26 16:21:47.50 [625] 1+0: SC[  2] 03:  3 DO   SuppressGoAhead
06/26 16:21:47.51 [625] 1+0: SC[  5] f0:240 SB,TerminalType,1,IAC,SE
06/26 16:21:47.55 [625] 1+0: CS[ 10] f0:240
SB,TerminalType,0,vt420,IAC,SE
MiniBSD /var/spool/delegate-nobody/log #




-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Tuesday, June 26, 2007 10:38 AM
To: feedback@delegate.org
Cc: Joe Moore; feedback@delegate.org
Subject: Re: [DeleGate-En:3781] Can I force ssl version 3.0 only?

Joe,

In message
<_A3779@delegate-en.ML_> on
06/26/07(04:27:49)
you "Joe Moore" <pvyhabdyi-jfjnzgm6qznr.ml@ml.delegate.org> wrote:
 |I am not able to connect when I force ssl version3 or tls version 1. I
 |have tried with a delegated executable that I compiled as well as with
 |the binary download from ftp.delegate.org.
 |
 |The client tries and then times out after  minutes.
 |
 |Here is the log of the unsuccessful connection when specifying
 |STLS="fcl,sslway -ssl3".
 |
 |From /var/spool/delegate-nobody/log/stdout.log:
 |
 |605:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
 |number:s3_pkt.c:299:

I think this message (from the SSLway process id 605) is not a part
of the session logged as follows (with the SSLway process id 613).

 |from /var/spool/delegate-nobody/log/23:
...
 |06/25 12:48:39.08 [612] 1+0: SSL Hello?5 [80 76 1 3 1]
 |06/25 12:48:39.08 [612] 1+0: ## STLS ## IMPLICIT SSL ON 50,50,-1,19
 |06/25 12:48:39.08 [613] 1+0: -- Fork(FCL): 612 -> 613
 |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=2 [53/S]
 |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=1 [57/W]
 |06/25 12:48:40.08 [612] 1+0: waiting CFI_SYNC from sslway (300)...
 |06/25 12:53:40.08 [612] 1+0: 301.008 CFI_SYNC ready=0 [FFFFFFFE]
 |06/25 12:53:40.08 [612] 1+0: ERROR: SSL/cl disconnected
 |06/25 12:53:40.08 [612] 1+0: disconnected [50]
 |-@[10.0.8.102]10.0.8.102:3132 (301.020s)(0)
 |06/25 12:53:41.12 [612] 1+0: CFI process remaining (1/1)

Running DeleGate with SSLway with the "-vd" option instead of "-vs"
will show us more information to see the reason for the problem.

I saw that "SSLv2 only" HTTP-DeleGate, invoked as follows, was blocked
with (SSLv3 only) Firefox as shown in your log above.
  delegated -P9080 -v SERVER=https STLS="fcl,sslway -ssl2"
Using gdb, I saw the SSLway process is blocking trying to send some
message onto the socket on which the SSL_accept() negotiation has
failed.

  #0  0x9000ed04 in read ()
  #1  0x0141e220 in sock_read ()
  #2  0x0141aed4 in BIO_read ()
  #3  0x0139cae8 in read_n ()
  #4  0x0139ce3c in ssl2_read_internal ()
  #5  0x013994d0 in ssl2_accept ()
  #6  0x0139d1a0 in ssl2_write ()
  #7  0x001a003c in ssl_printf(void*, int, char const*, ...) ()
  #8  0x001a06d8 in ssl_acc(void*, int) ()
  #9  0x001a57b8 in sslway_mainX(int, char**, int, int, int) ()

Thus disabling ssl_printf() in the ssl_acc() solved the blocking.
But just rejecting the negotiation of a certain version of SSL might
disable whole SSL versions.  Thus it will be necessary to specify
"-no_ssl2" instead of "-ssl3" to disable SSLv2 usage while accepting
the negotiation in SSLv2.
I implemented the "-no_ssl2" option as enclosed and uploaded the version of
sslway.c to "ftp://ftp.delegate.org/pub/DeleGate/tmp/sslway.c"

Cheers,
Yutaka
--

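As an added illustration (not code from this thread or from DeleGate), the following Python decodes the bracketed bytes that the "-vd" log prints for the client's first record, such as `[80 4C 1 3 1]` in the log above, and models the record-version check that an SSLv3-only record layer applies to them, which is why "-ssl3" produced "SSL3_GET_RECORD:wrong version number" while "-no_ssl2" works. It also handles the SSLv3/TLS record format, which this log does not show; the sample lines are constructed in the log's format and the server-side check is a simplified model, not OpenSSL's code.

```python
import re

# Constructed sample lines in the format of DeleGate's "-vd" log (not from a live run).
SAMPLE_LOG = """\
06/26 16:21:47.17 [625] 1+0: SSL_isrecord? 8 [80 4C  1  3  1]
06/26 16:21:47.17 [625] 1+0: SSL Hello?5 [80 76 1 3 1]
"""
# The bracketed byte field: two or more hex tokens separated by spaces ("[625]" does not match).
HEAD_RE = re.compile(r"\[((?:[0-9A-Fa-f]{1,2}\s+)+[0-9A-Fa-f]{1,2})\]")
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def head_bytes(log_line):
    """Return the record-head bytes logged on one line as a list of ints."""
    m = HEAD_RE.search(log_line)
    if not m:
        raise ValueError("no [hex bytes] field in: %r" % log_line)
    return [int(tok, 16) for tok in m.group(1).split()]

def classify_hello(head):
    """Decode the first five bytes the client sent."""
    if len(head) < 5:
        raise ValueError("need the first 5 bytes")
    b0, b1, b2, b3, b4 = head[:5]
    if b0 & 0x80:
        # SSLv2 record: high bit set, 15-bit length, then msg type 1 (CLIENT-HELLO),
        # then the highest version the client offers (major, minor).
        if b2 != 1:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        return {"format": "SSLv2-compatible ClientHello",
                "record_len": ((b0 & 0x7F) << 8) | b1,
                "version": VERSIONS.get((b3, b4), "unknown %d.%d" % (b3, b4))}
    if b0 == 0x16:
        # SSLv3/TLS record: content type 0x16 (handshake), record version, 16-bit length.
        return {"format": "SSLv3/TLS ClientHello",
                "record_len": (b3 << 8) | b4,
                "version": VERSIONS.get((b1, b2), "unknown %d.%d" % (b1, b2))}
    raise ValueError("first byte %#x is not a client hello" % b0)

def ssl3_only_record_ok(head):
    """Simplified model (not OpenSSL's code) of an SSLv3-only record layer: byte 0 is
    the content type and bytes 1-2 must read as version 3.0. The SSLv2-format hello
    above reads as 0x4C01, hence 'SSL3_GET_RECORD:wrong version number' in the post."""
    return ((head[1] << 8) | head[2]) == 0x0300

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        h = head_bytes(line)
        print(classify_hello(h), "SSLv3-only record layer accepts:", ssl3_only_record_ok(h))
```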