V3.3.2, SSL, FireFox and IE

I've just begun upgrading my mail server to use Cryptlib 3.3.2 (I was previously using v3.21, IIRC). I recompiled my binaries using the updated CRYPTLIB.H, but now find that I cannot connect to any of my server ports using either Internet Explorer 6 or FireFox v3 (in other words, 95% of the browsers in existence). When I try, Cryptlib fails when I call cryptSetAttribute (... CRYPT_SESSINFO_ACTIVE)

* When using FireFox v3, I get two connections: the first one fails with error -32 and the diagnostic "'Invalid TLS extension list item header". The second connection fails with error -13 and the diagnostic "Client sent obsolete handshake for the insecure SSLv2 protocol".

* When using Internet Explorer 6, I get a single connection which fails with error -13 and 'Client sent obsolete handshake for the insecure SSLv2 protocol'. Purely incidentally, IE reports to the client that there has been "a DNS error", which seems a bit misleading.

I should say up front that I do my own socket management, using cryptSetAttribute (... CRYPT_SESSINFO_NETWORKSOCKET) to pass my socket to Cryptlib when I want to start a secure session. The same, unmodified code works fine when I revert to the older version of Cryptlib (and recompile my binaries, of course).

While it may be true that FireFox and IE are sending obsolete handshakes, failing the connection because of that renders SSL almost totally unusable. I assume there must be some switch to tone down the aggressiveness cryptlib is displaying, but I couldn't see anything obvious in the SSL section of the manual.

What am I missing here?

Cheers!

-- David --

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand | e-mail: David.Harris@...
Phone: +64 3 453-6880 | Fax: +64 3 453-6612

Definition for the day:
Philosopher (n): a blind person in a dark room looking for a black hat which is not there.

_______________________________________________
Cryptlib mailing list
Cryptlib@...
via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
         http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please subscribe in order to post messages.
Re: V3.3.2, SSL, FireFox and IE

"David Harris" <David.Harris@...> writes:

>When using FireFox v3, I get two connections: the first one fails with error
>-32 and the diagnostic "'Invalid TLS extension list item header".

The cryptlib extension-handling code predates any software that supported TLS extensions so it wasn't possible to fully test it against anything, so the code is overly conservative in what it'll accept. To fix this at line 414 of session/ssl.c change the '< 1' to '< 0' and at line 561 add 'if( extLen <= 0 ) continue;'.

>The second connection fails with error -13 and the diagnostic "Client sent
>obsolete handshake for the insecure SSLv2 protocol".

That's an FF3 bug, I've filed a bug report... it's complicated by a second bug in FF3's SSL handshake handling, which I've also reported. I'll see what the response is.

>When using Internet Explorer 6, I get a single connection which fails with
>error -13 and 'Client sent obsolete handshake for the insecure SSLv2
>protocol'. Purely incidentally, IE reports to the client that there has been
>"a DNS error", which seems a bit misleading.

This is an artefact of using MSIE 6, try it with MSIE 7.

(Are you expecting people to connect to the mail server using MSIE? Or are you just using it for testing?).

Peter.
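The change described in the reply relaxes a length check so that an extension whose data length is zero is no longer rejected. As an added illustration (not cryptlib's session/ssl.c and not code from either post), here is a small C walker over a TLS extension list that accepts empty extensions and rejects only truncated or overrunning items; the function name and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Walk a TLS extension list: 2-byte total length, then repeated
   { 2-byte type, 2-byte data length, data }. A data length of zero is
   valid on the wire; only a length that overruns the list is an error.
   Returns the number of extensions, or -1 if the list is malformed.
   *empty receives the count of zero-length extensions. */
int walk_extensions(const unsigned char *p, size_t len, int *empty)
{
    size_t total, pos = 2;
    int count = 0;

    *empty = 0;
    if (len < 2)
        return -1;
    total = ((size_t)p[0] << 8) | p[1];
    if (total != len - 2)
        return -1;                      /* list length must match buffer */
    while (pos < len) {
        size_t ext_len;
        if (len - pos < 4)
            return -1;                  /* truncated item header */
        ext_len = ((size_t)p[pos + 2] << 8) | p[pos + 3];
        pos += 4;
        if (ext_len > len - pos)
            return -1;                  /* data overruns the list */
        if (ext_len == 0)
            (*empty)++;                 /* header only: accept, nothing to parse */
        pos += ext_len;
        count++;
    }
    return count;
}

/* Constructed sample: type 0x0000 with 3 data bytes, then type 0x0023
   with no data. Not captured from any real client. */
static const unsigned char sample[] = {
    0x00, 0x0B,
    0x00, 0x00, 0x00, 0x03, 0xAA, 0xBB, 0xCC,
    0x00, 0x23, 0x00, 0x00
};

int main(void)
{
    int empty, n = walk_extensions(sample, sizeof sample, &empty);
    printf("extensions=%d empty=%d\n", n, empty);
    return 0;
}
```

A parser that treats `ext_len < 1` as an error would reject the second item in the sample even though its header is complete and its length is in bounds.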