Fixes for the following claims:
1) Certificate Message with no certs
OpenSSL implementation sends the Certificate message during SSL
handshake, however as per the specification, these have been omitted.
-- RFC 2712 --
CertificateRequest, and the ServerKeyExchange shown in Figure 1
will be omitted since authentication and the establishment of a
master secret will be done using the client's Kerberos credentials
for the TLS server. The client's certificate will be omitted for
the same reason.
-- RFC 2712 --
3) Pre-master secret Protocol version
The pre-master secret generated by OpenSSL does not have the correct
client version.
RFC 2712 says, if the Kerberos option is selected, the pre-master
secret structure is the same as that used in the RSA case.
TLS specification defines pre-master secret as:
struct {
ProtocolVersion client_version;
opaque random[46];
} PreMasterSecret;
where client_version is the latest protocol version supported by the
client
The pre-master secret generated by OpenSSL does not have the correct
client version. The implementation does not update the first 2 bytes
of random secret for Kerberos Cipher suites. At the server-end, the
client version from the pre-master secret is not validated.
PR: 1336
This commit is contained in:
Richard Levitte
@@ -1902,8 +1902,10 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
n+=2;
|
||||
}
|
||||
|
||||
if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
|
||||
goto err;
|
||||
tmp_buf[0]=s->client_version>>8;
|
||||
tmp_buf[1]=s->client_version&0xff;
|
||||
if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
|
||||
goto err;
|
||||
|
||||
/* 20010420 VRS. Tried it this way; failed.
|
||||
** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
|
||||
|
||||
Reference in New Issue
Block a user