X

Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • February 28, 2011

What's New in NSS 3.12.6 - SSL3 & TLS Renegotiation Indication Extension - NSS flags NSS_REQUIRE_SAFE_RENEGOTIATION and NSS_SSL_ENABLE_RENEGOTIATION

What's New in NSS 3.12.6 - SSL3 & TLS Renegotiation Indication
Extension - NSS flags NSS_REQUIRE_SAFE_RENEGOTIATION and
NSS_SSL_ENABLE_RENEGOTIATION

I tried my hands on various TLS renegotiation scenarios by setting these two
flags NSS_REQUIRE_SAFE_RENEGOTIATION and NSS_SSL_ENABLE_RENEGOTIATION
using sample SSL Server built with NSS 3.12.6 (and test case requires
renegotiation).

As per NSS
3.12.6 release notes
for NSS 3.12.6 (or above) the default values
are

  • NSS_SSL_ENABLE_RENEGOTIATION = SSL_RENEGOTIATE_REQUIRES_XTN and
  • NSS_SSL_REQUIRE_SAFE_NEGOTIATION = PR_FALSE.

Sent requests using test tool tstclnt of NSS 3.12.6, NSS 3.12.4 and 3.12.5 with these
flags set in server :

Note that in NSS 3.12.5 (in this renegotiation is disabled) so re-negotiations fail in all cases as expected.


Server has flag
NSS_SSL_ENABLE_RENEGOTIATION =

Server has flag NSS_REQUIRE_SAFE_RENEGOTIATION
=

Controls whether safe renegotiation indication is required for initial handshake. If TRUE, a connection will be dropped at initial handshake if the peer server or client does not support safe renegotiation.

Client version NSS 3.12.6 or above - client supports safe renegotiation
client version NSS 3.12.4 - older clients - client doesn't support safe renegotiation
client version NSS 3.12.5 - renegotiation disabled - client doesn't support safe renegotiation


SSL_RENEGOTIATE_NEVER (0)
Never allow renegotiation
TRUE
FAILURE -
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
FAILURE -
SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FAILURE - SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FALSE
FAILURE -
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED 
FAILURE
-
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
FAILURE - SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
SSL_RENEGOTIATE_UNRESTRICTED
(1)

Server and client are allowed to renegotiate without any
restrictions.
TRUE
SUCCESS FAILURE -
SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FAILURE - SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FALSE
SUCCESS SUCCESS FAILURE
-

PR_END_OF_FILE
SSL_RENEGOTIATE_REQUIRES_XTN
(2)
(Default in NSS 3.12.6 or above)
Only allows renegotiation if the peer's hello bears the TLS renegotiation_info extension. This is the safe renegotiation.
TRUE
SUCCESS FAILURE -
SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FAILURE - SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FALSE

(Default in NSS 3.12.6 or above)
SUCCESS FAILURE
- SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
FAILURE
-
PR_END_OF_FILE

SSL_RENEGOTIATE_TRANSITIONAL
(3)

Disallows unsafe renegotiation in server sockets only, but allows
clients to continue to renegotiate with vulnerable servers.

TRUE
SUCCESS FAILURE -
SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FAILURE - SSL_ERROR_HANDSHAKE_NOT_COMPLETED
FALSE
SUCCESS FAILURE
- SSL_ERROR_RENEGOTIATION_NOT_ALLOWED
FAILURE -
PR_END_OF_FILE



What these error codes mean

Error Error
Number
Error
Text
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED -12176
"Renegotiation
is not allowed on this SSL socket."
SSL_ERROR_HANDSHAKE_NOT_COMPLETED -12202
"Cannot
initiate
another
SSL handshake until current handshake is complete."
PR_END_OF_FILE_ERROR -5938
"Encountered
end of file"

Here is
my Server
program

Here is my Makefile :

all:
rm -rf server server.o
CC -o server -I/export1/NSS_3.12.6/SunOS5.10_OPT.OBJ/include -L/export1/NSS_3.12.6/SunOS5.10_OPT.OBJ/lib -lnspr4 -lplc4 -lplds4 -lnss3 -lssl3 server.cpp

Created Server certificate using certutil as shown below:

$certutil -N -d . 
$certutil -S -n Server-Cert -s "CN=test.com" -x -t "CT,CT,CT" -d .

I sent request using sslreq.txt

GET /test.html HTTP/1.0
end

Here are the sample client and server Error logs , ssltap output in these 4 distinctive results


References

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.