This is a big question. Firefox2 has turned on a number of SSL3/TLS extensions which require and SSL3 hello. I suspect that for some reason you don't really have SSL2 turned off (and old profile?). We know that we are sending SSL3 hello's because we can connect to sites that require them.Question ====== Why is Firefox a ClientHelloV2, although SSL v2 is disabled in Firefox 2?
bob
Is there any work-around in Firefox, e.g. by making Firefox to start a
new SSL session everytime it accesses a server?
I am pretty stuck on solving our problem. Can you give me any advice,
how to further investigate this problem?
Logs =====
From what I can see in the logs of ssltap, Firefox is sending some
data, which might be something like a partial handshake (?).
--> [
alloclen = 63 bytes
(63 bytes of 63)
[Wed Jan 09 12:18:41 2008] [ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 36 (0x24)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x000039) TLS/DHE-RSA/AES256-CBC/SHA
(0x000038) TLS/DHE-DSS/AES256-CBC/SHA
(0x000035) TLS/RSA/AES256-CBC/SHA
(0x000033) TLS/DHE-RSA/AES128-CBC/SHA
(0x000032) TLS/DHE-DSS/AES128-CBC/SHA
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00002f) TLS/RSA/AES128-CBC/SHA
(0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
session-id = { }
challenge = { 0xa954 0x2122 0x3e82 0xb993 0xd72f 0xea54 0x779f
0x958c }
}
]
The server responds with:
<-- [
(1161 bytes of 1156)
SSLRecord { [Wed Jan 09 12:18:41 2008]
0: 16 03 00 04 84 |....ä
type = 22 (handshake)
version = { 3,0 }
length = 1156 (0x484)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 0}
random = {...}
0: 47 84 ad 91 a1 f6 cb e5 f8 e2 f0 46 60 4b dd 48 | Gä¡æí.╦.°.F`K.H
10: 13 a8 93 96 d2 4f 2b d8 2d fe 49 2f 22 e5 29 5e | .¿ôûÊO+Ï-.I/".)^
session ID = {
length = 32
contents = {..}
0: 47 84 ad 91 84 b7 ef 62 92 fb 03 d7 8a 41 ae 82 | Gä¡æäÀ´bƹ.Î.A«.
10: d5 57 a3 e0 24 cc b5 2e b2 c7 29 3d 3a 37 a6 11 | ıWúÓ$╠Á.▓Ã)=:7ª.
}
cipher_suite = (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
}
0: 0b 00 02 f6 |....
type = 11 (certificate)
length = 758 (0x0002f6)
CertificateChain {
chainlength = 755 (0x02f3)
Certificate {
size = 752 (0x02f0)
data = { saved in file 'cert.001' }
}
}
0: 0c 00 01 38 |...8
type = 12 (server_key_exchange)
length = 312 (0x000138)
0: 0e 00 00 00 |....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
Then FF responds with a handshake failure:
--> [
(7 bytes of 2)
SSLRecord { [Wed Jan 09 12:18:41 2008]
0: 15 03 00 00 02 |.....
type = 21 (alert)
version = { 3,0 }
length = 2 (0x2)
fatal: handshake failure
0: 02 28 |.(
}
]
Thanks,
-Stefan
[1] http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
