Mbed TLS is now part of TrustedFirmware.org.

SSLv3 Appendix E support?

Feb 17, 2013 09:46
Yawning Angel

So I have been trying to test my nginx PolarSSL module, and have been running into the problem that a lot of the tools available use OpenSSL's SSLv23_method/SSLv23_client_method routines.

Predictably the handshake fails, because PolarSSL does not understand the SSLv2 ClientHello message. Per the SSLv3 spec, "Version 3.0 clients that support version 2.0 servers must send version 2.0 client hello messages [SSL-2]. Version 3.0 servers should accept either client hello format.".

Appendix E documents the "SSLv3 ClientHello encapsulated in a v2 Hello" and would be needed to be spec compliant (and more importantly for interoperability purposes).

While it's true that SSLv2 has long past the time it should be taken out behind the shed and shot repeatedly, there is a lot of code out there that PolarSSL based servers can't talk to without this.

If it's not something on the immediate road map, I could go and add support for it (as it's rather trivial) assuming a well written patch would be accepted.

Feb 17, 2013 10:40
Yawning Angel

Ah looking over the change logs this was explicitly removed in PolarSSL 1.2.0, so that answers that. I still think that removing support for v2 Client Hello is a bit premature, just because of the nasty surprise potential as there's still a lot of code in the wild that will use this mechanism.

The wording concerning supporting this isn't that different from the SSLv3.0 draft, and the important part is "However, even TLS servers that do not support SSL 2.0 MAY accept version 2.0 CLIENT-HELLO messages.".

Feb 18, 2013 16:15
Paul Bakker


Good point. We will re-add it and make it a configurable define..


Feb 28, 2013 10:40
Paul Bakker

We re-added the SSLv2 Client Hello parsing code to the 1.2.x branch. Are you able to check it out and see if it works correctly?

We don't know specific clients that send out SSLv2 client hello messages. Are there some you know that are easy to use for testing under Debian?

The current code can be found here: https://github.com/polarssl/polarssl/tree/sslv2_readded

Mar 4, 2013 01:13
Yawning Angel

Sorry for the delayed reply, I've been occupied with a few other things of late so I didn't get around to checking this till the weekend. As far as I can tell the new code appears to be working (Code that previously failed works, and I glanced over the a packet capture with wireshark).

Test cases that should work on Debian (my development environment is a FreeBSD system), include: * siege (http://www.joedog.org/siege-home/) * "openssl s_client" (By default it will do an Appendix E handshake, at least the version I have).

Thanks for the fix.

Mar 12, 2013 10:30
Paul Bakker

SSLv2 Client Hello support was re-enabled (with defines) with the release of PolarSSL 1.2.6.