Joe, In message <_A3779@delegate-en.ML_> on 06/26/07(04:27:49) you "Joe Moore" <pvyhabdyi-mxhgu44xf33w.ml@delegate.org> wrote: |I am not able to connect when I force ssl version3 or tls version 1. I |have tried with a delegated executable that I compiled as well as with |the binary download from ftp.delegate.org. | |The client tries and then times out after minutes. | |Here is the log of the unsuccessful connection when specifying |STLS="fcl,sslway -ssl3". | |>From /var/spool/delegate-nobody/log/stdout.log: | |605:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version |number:s3_pkt.c:299: I think this message (from the SSLway process id 605) is not a part of the session logged as follows (with the SSLway process id 613). |from /var/spool/delegate-nobody/log/23: ... |06/25 12:48:39.08 [612] 1+0: SSL Hello?5 [80 76 1 3 1] |06/25 12:48:39.08 [612] 1+0: ## STLS ## IMPLICIT SSL ON 50,50,-1,19 |06/25 12:48:39.08 [613] 1+0: -- Fork(FCL): 612 -> 613 |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=2 [53/S] |06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=1 [57/W] |06/25 12:48:40.08 [612] 1+0: waiting CFI_SYNC from sslway (300)... |06/25 12:53:40.08 [612] 1+0: 301.008 CFI_SYNC ready=0 [FFFFFFFE] |06/25 12:53:40.08 [612] 1+0: ERROR: SSL/cl disconnected |06/25 12:53:40.08 [612] 1+0: disconnected [50] |-@[10.0.8.102]10.0.8.102:3132 (301.020s)(0) |06/25 12:53:41.12 [612] 1+0: CFI process remaining (1/1) Running DeleGate with SSLway with "-vd" option instead of "-vs" will show us more information to see the reason of the problem. I saw that "SSLv2 only" HTTP-DeleGate, invoked as follows, was blocked with (SSLv3 only) Firefox like shown in your log above. delegated -P9080 -v SERVER=https STLS="fcl,sslway -ssl2" Using gdb, I saw the SSLway process is blocking trying to send some message onto the socket on which the SSL_accept() negotioation is failed. 
#0 0x9000ed04 in read () #1 0x0141e220 in sock_read () #2 0x0141aed4 in BIO_read () #3 0x0139cae8 in read_n () #4 0x0139ce3c in ssl2_read_internal () #5 0x013994d0 in ssl2_accept () #6 0x0139d1a0 in ssl2_write () #7 0x001a003c in ssl_printf(void*, int, char const*, ...) () #8 0x001a06d8 in ssl_acc(void*, int) () #9 0x001a57b8 in sslway_mainX(int, char**, int, int, int) () Thus disabling ssl_prrintf() in the ssl_acc() solved the blocking. But just rejecting the negotiation of a certain version of SSL might disalbe whole SSL versions. Thus it will be necessary to specify "-no_ssl2" instead of "-ssl3" to disable SSLv2 usage while accepting the negotiaion in SSLv2. I implemented "-no_ssl2" option as enclosed and uploaded version of sslway.c to "ftp://ftp.delegate.org/pub/DeleGate/tmp/sslway.c" Cheers, Yutaka -- 9 9 Yutaka Sato <pfqcabdyi-mxhgu44xf33w.ml@delegate.org> http://delegate.org/y.sato/ ( ~ ) National Institute of Advanced Industrial Science and Technology _< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan Do the more with the less -- B. 
Fuller
*** ../delegate9.5.6/filters/sslway.c Sun Mar 18 23:30:10 2007
--- filters/sslway.c Tue Jun 26 23:58:31 2007
***************
*** 144,149 ****
--- 144,154 ----
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE 0x04
+ #define SSL_CTRL_OPTIONS 32
+ #define SSL_OP_NO_SSLv2 0x01000000
+ #define SSL_OP_NO_SSLv3 0x02000000
+ #define SSL_OP_NO_TLSv1 0x04000000
+
typedef void SSL_CTX;
typedef void SSL_METHOD;
typedef void SSL;
***************
*** 719,725 ****
--- 724,733 ----
if( SSL_accept(accSSL) < 0 ){
ERROR("accept failed");
ERR_print_errors_fp(stderr);
+ /*
+ 9.5.7 don't try writing to the non-established connection
ssl_printf(accSSL,0,"SSLway: accept failed\n");
+ */
if( SSL_fatalCB ){
(*SSL_fatalCB)("ssl_acc() failed\n");
}
***************
*** 770,775 ****
--- 778,784 ----
int x_verify;
int x_peeraddr;
int x_sslver;
+ int x_sslnover;
} SSLContext;
static const char sv_cert_default[] = "server-cert.pem";
***************
*** 803,808 ****
--- 812,818 ----
#define cl_nego_FTPDATA sslctx[XACC].x_nego_FTPDATA
#define cl_addr sslctx[XACC].x_peeraddr
#define cl_sslver sslctx[XACC].x_sslver
+ #define cl_sslnover sslctx[XACC].x_sslnover
#define cl_Cert sslctx[XCON].x_certkey
#define cl_Ncert sslctx[XCON].x_certkey.v_Ncert
***************
*** 818,823 ****
--- 828,834 ----
#define sv_nego_FTPDATA sslctx[XCON].x_nego_FTPDATA
#define sv_addr sslctx[XCON].x_peeraddr
#define sv_sslver sslctx[XCON].x_sslver
+ #define sv_sslnover sslctx[XCON].x_sslnover
#define ST_OPT 1
#define ST_FORCE 2
***************
*** 828,833 ****
--- 839,845 ----
{
SSL_CTX *ctx;
SSL_METHOD *meth;
int sslver;
+ int sslnover;
SSL_library_init();
SSL_load_error_strings();
***************
*** 866,871 ****
--- 878,894 ----
else meth = SSLv23_client_method();
}
ctx = SSL_CTX_new(meth);
+
+ if( ctx )
+ if( sslnover = serv ? 
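Review bot: The SSL_CTRL_OPTIONS and SSL_OP_NO_* values added at the top of the first hunk are hand-copied numeric constants rather than definitions taken from OpenSSL's ssl.h (the file deliberately opaques the library types with `typedef void SSL_CTX;`), so nothing ties them to the libssl actually linked; if a build ever pairs them with a library whose option bits differ, `-no_ssl2` degrades into a silent no-op that leaves SSLv2 enabled. At least record the dependency next to the constants: `/* copied from OpenSSL ssl.h; SSL_CTRL_OPTIONS and SSL_OP_NO_* must match the linked libssl, re-check on upgrade */`, and consider reading the options back through SSL_CTX_ctrl after setting them so a mismatch is detected at startup rather than at the first handshake. SSL_OP_NO_TLSv1 is defined here but no code in this patch uses it.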
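Review bot: In the ssl_acc() hunk the `ssl_printf()` after the failed SSL_accept() is kept as commented-out code with a version tag rather than deleted, which invites someone to re-enable it later without knowing why it went away. Delete the dead call and state the reason instead of the version, e.g. `/* no ssl_printf() here: the handshake failed, so the peer may never read and the write can block forever */` (the backtrace in the message shows the write blocking in read() inside ssl2_write). The rest of ssl_acc() lies outside the hunk.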
cl_sslnover : sv_sslnover ){
+ int opts = 0;
+ switch( sslnover ){
+ case 1: opts |= SSL_OP_NO_SSLv2; break;
+ case 2: opts |= SSL_OP_NO_SSLv3; break;
+ case 3: opts |= SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; break;
+ }
+ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,opts,NULL);
+ }
return ctx;
}
static void passfilename(PCStr(keyfile),PVStr(passfile))
***************
*** 1277,1282 ****
--- 1300,1309 ----
ERROR("## no session to be saved");
goto CEXIT;
}
+ if( shp->ssl_version == 2 ){
+ DEBUG("## don't cache the session of SSL2");
+ goto CEXIT;
+ }
len = i2d_SSL_SESSION(sess,NULL);
if( len == 0 ){
***************
*** 2187,2192 ****
--- 2214,2226 ----
if( strncmp(arg,"-vt",3) == 0 ){
}else
if( strncmp(arg,"-vs",3) == 0 ){
+ }else
+ if( strneq(arg,"-no_ssl",7) ){
+ int sslnover = 0;
+ if( streq(arg+7,"2") ) sslnover = 1; else
+ if( streq(arg+7,"3") ) sslnover = 2; else
+ if( streq(arg+7,"23")) sslnover = 3;
+ sv_sslnover = cl_sslnover = sslnover;
}else
if( strneq(arg,"-ssl",4) ){
int sslver = 0;
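Review bot: `if( sslnover = serv ? cl_sslnover : sv_sslnover ){` assigns inside the condition without the clarifying parentheses, and the `switch` beneath it has no `default:`, so any sslnover value other than 1–3 reaches SSL_CTX_ctrl with `opts == 0` and disables nothing, while SSL_CTX_ctrl()'s return value is discarded as well; a protocol-disable request should never be able to fail open silently. Write the test as `if( (sslnover = serv ? cl_sslnover : sv_sslnover) != 0 ){` and add `default: ERROR("bad -no_ssl value"); break;` (or at minimum a comment stating that only 1–3 are meaningful). Note also that the options are applied regardless of which `meth` was chosen just above, so `-no_ssl2` combined with an SSLv2-only method leaves nothing that can be negotiated; that combination deserves to be rejected or documented. The function whose body this is begins outside the hunk.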
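Review bot: The new `-no_ssl` branch accepts any suffix: for `-no_ssl1`, `-no_sslv2` or a plain typo, sslnover stays 0 and the option is silently treated as "disable nothing", which is a fail-open for what is meant to be a security switch. Reject unknown suffixes, e.g. change the last alternative to `if( streq(arg+7,"23")) sslnover = 3; else ERROR("unknown option");` and stop processing (the ERROR() macro used in ssl_acc() appears to take a single string; whether it terminates the process is not visible here, so an explicit exit may be needed). The enclosing option-parsing code starts before the hunk and continues past it.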