Problem with TLS 1.1 client connecting to TLS 1.0 server

Roland Dreier roland at
Thu Aug 27 00:22:14 CEST 2009

I found what appears to be a small bug in how gnutls handles the case
where a TLS 1.1 client connects to a server that only supports TLS
1.0.  My particular case is using empathy, an IM client built on
telepathy-gabble, which in turn uses libloudmouth and finally uses
gnutls to talk to a jabber/XMPP server.  This setup defaults to trying
TLS 1.1, and in my case I'm using the client to talk to Webex Connect,
where the server seems to support only TLS 1.0.

So looking at the trace, I see a client hello sent with version 03 02,
and the server responds with a hello with version 03 01.  gnutls then
falls back to TLS 1.0 and future messages have version 03 01, but the
handshake fails after gnutls sends the client finished message -- the
server responds with a bad record MAC alert.

After a bunch of tracing through, I found the code in
_gnutls_gen_rsa_client_kx() in auth_rsa.c:

  ver = _gnutls_get_adv_version (session);

  if (session->internals.rsa_pms_version[0] == 0)
    {
      /* first two bytes of the RSA premaster secret: the archived post
         dropped the member name after "key->"; "key.data" is the field
         used in the gnutls auth_rsa.c of this era */
      session->key->key.data[0] = _gnutls_version_get_major (ver);
      session->key->key.data[1] = _gnutls_version_get_minor (ver);
    }

and when a client starts a TLS 1.1 session but falls back to TLS 1.0,
_gnutls_get_adv_version() still returns TLS 1.1, so the client uses
minor version 2 here, even though it is in the process of negotiating
a TLS 1.0 (minor 1) connection.

If I add a hack to overwrite session->key->[1] with 1 after
the assignment of the minor, then the connection goes through OK.

So it seems that _gnutls_gen_rsa_client_kx() should be using the
active version here, but I'm not sure what the correct real fix within
the gnutls design is.  Can someone provide guidance on how to fix this?
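Added example, not code from the post or from gnutls: a small C model of the two sides of the RSA key exchange being debugged above. RFC 5246 section 7.4.7.1 requires the client to place ClientHello.client_version (the version it offered, 03 02 in this trace) in the first two bytes of the PreMasterSecret even when the server negotiates down to 03 01, and it tells the server to overwrite those two bytes with the client_version it saw in ClientHello rather than to compare and alert, so that any disagreement surfaces only as a master-secret mismatch, i.e. a bad_record_mac on the first Finished message, which is exactly the symptom in the trace. The function names, the constructed 46 "random" bytes and the simulate_handshake() scenario are my own assumptions; the server in the post evidently accepted the negotiated version instead, which this model does not reproduce.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PMS_LEN 48        /* RSA PreMasterSecret: 2 version bytes + 46 random bytes */
#define TLS_MAJOR 3
#define TLS10_MINOR 1     /* TLS 1.0 on the wire: 03 01 */
#define TLS11_MINOR 2     /* TLS 1.1 on the wire: 03 02 */

/* Client side.  RFC 5246 7.4.7.1: the version written into the
 * PreMasterSecret is ClientHello.client_version, the highest version
 * the client offered, not the version the server chose in ServerHello. */
void client_build_premaster(uint8_t pms[PMS_LEN], uint8_t major, uint8_t minor,
                            const uint8_t random46[46])
{
    pms[0] = major;
    pms[1] = minor;
    memcpy(pms + 2, random46, 46);
}

/* Server side, RFC 5246 7.4.7.1 step 3: after RSA decryption, set the two
 * version bytes to the client_version seen in ClientHello and keep the 46
 * random bytes.  No comparison and no alert: a client that embedded a
 * different version simply derives a different master secret and the
 * handshake dies at Finished with bad_record_mac. */
void server_normalize_premaster(uint8_t pms[PMS_LEN],
                                uint8_t client_hello_major, uint8_t client_hello_minor)
{
    pms[0] = client_hello_major;
    pms[1] = client_hello_minor;
}

/* 1 if both sides will derive the same master secret, 0 otherwise. */
int premasters_agree(const uint8_t client_pms[PMS_LEN], const uint8_t server_pms[PMS_LEN])
{
    return memcmp(client_pms, server_pms, PMS_LEN) == 0;
}

/* Hypothetical scenario mirroring the post: the client offered 03 02 and the
 * server negotiated 03 01.  pms_minor is the minor version the client writes
 * into the PreMasterSecret.  Returns 1 if the handshake gets past Finished
 * against an RFC 5246 server, 0 if it fails there. */
int simulate_handshake(uint8_t pms_minor)
{
    /* Constructed stand-in for the 46 random bytes; not a real secret. */
    uint8_t rnd[46];
    for (int i = 0; i < 46; i++)
        rnd[i] = (uint8_t)(0xA0 + i);

    uint8_t client_pms[PMS_LEN], server_pms[PMS_LEN];
    client_build_premaster(client_pms, TLS_MAJOR, pms_minor, rnd);

    /* The server decrypts an exact copy of the client's bytes, then
     * normalizes the version field to what it saw in ClientHello (03 02). */
    memcpy(server_pms, client_pms, PMS_LEN);
    server_normalize_premaster(server_pms, TLS_MAJOR, TLS11_MINOR);

    return premasters_agree(client_pms, server_pms);
}

int main(void)
{
    printf("PMS carries offered version 03 02:    %s\n",
           simulate_handshake(TLS11_MINOR) ? "handshake completes" : "bad_record_mac at Finished");
    printf("PMS carries negotiated version 03 01: %s\n",
           simulate_handshake(TLS10_MINOR) ? "handshake completes" : "bad_record_mac at Finished");
    return 0;
}
```

The point for anyone debugging a trace like the one above: because the server's countermeasure deliberately turns a version disagreement into a garbled master secret rather than a descriptive alert, a bad_record_mac immediately after the client's Finished is the expected signature of the two sides disagreeing about which version belongs in the PreMasterSecret, whichever side is the one deviating from the RFC.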
