Bug 1267220 - Interleaved Application Data with Handshake data in renegotiated handshakes cause connection abort [rhel-7]
Interleaved Application Data with Handshake data in renegotiated handshakes c...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
:
Depends On: 1267218
Blocks: 1203710 1295396
  Show dependency treegraph
 
Reported: 2015-09-29 07:32 EDT by Hubert Kario
Modified: 2016-03-08 11:14 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1267218
Environment:
Last Closed: 2016-02-09 05:56:00 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hubert Kario 2015-09-29 07:32:35 EDT
Description of problem:
When a server receives a client initiated renegotiation and interleaved Application Data with Handshake messages in any of the subsequent handshakes, the connection is aborted with "unexpected record" error on the server side.

This causes applications like PostgreSQL JDBC driver to be incompatible with PostgreSQL.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-42.el7_1.9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt\
-nodes -batch
2. openssl s_server -key localhost.key -cert\
localhost.crt

In another terminal:

3. pip install --pre tlslite-ng
4. git clone https://github.com/tomato42/tlsfuzzer.git

5. cd tlsfuzzer
6. PYTHONPATH=. python scripts/test-openssl-3712.py

Actual results:
140492755036064:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1421:

Expected results:
Test pass

Additional info:
https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest
Comment 1 Tomas Mraz 2016-01-11 09:13:52 EST
Upstream is really reluctant to fix this behavior and I am not too confident of the change either.
Comment 3 RHEL Product and Program Management 2016-02-09 05:56:00 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.