Problem with TLS handshake in some browsers when OCSP stapling enabled

kyprizel
December 12, 2013 03:00AM
Hi,
we have a problem with OCSP stapling.

During the handshake some browsers send TLS extension "certificate status"
with more than 5 bytes in it.
In Nginx error_log it looks like:

[crit] 8721#0: *35 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1
encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D08303A:asn1
encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:1408A0E3:SSL
routines:SSL3_GET_CLIENT_HELLO:parse tlsext) while SSL handshaking, client:

If we disable OCSP stapling, everything works fine. Looks like the problem
is on the browser side and in the OpenSSL TLS extension parsing function. But can we
make it just ignore the incorrect (?) TLS extension rather than dropping the SSL
handshake?

Here is a list of user-agents which we were able to get on the same IPs
after disabling OCSP stapling.

Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16
Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16
Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/31.0.1650.63 Safari/537.36

PoC reproducing the problem attached.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
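For readers trying to make sense of the "more than 5 bytes" observation above, here is an added example (not part of the post, and not nginx or OpenSSL code) that decodes the body of the status_request (certificate status) extension as laid out in RFC 6066: status_type, a length-prefixed responder_id_list, and a length-prefixed request_extensions blob. The minimal form is exactly 5 bytes; the sample bodies are constructed here, not captured from the browsers listed in the post, and the responder id bytes are opaque placeholders rather than real DER.

```python
import struct

OCSP_STATUS_TYPE = 1  # status_type "ocsp" (RFC 6066, section 8)


def parse_status_request(body: bytes) -> dict:
    """Decode a status_request extension body from a ClientHello.

    Layout: status_type (1 byte), responder_id_list (2-byte length, each
    entry 2-byte-length-prefixed DER ResponderID), request_extensions
    (2-byte length, DER Extensions). Raises ValueError on any truncation
    or length mismatch instead of guessing.
    """
    if len(body) < 5:
        raise ValueError("status_request body shorter than 5 bytes")
    status_type = body[0]
    if status_type != OCSP_STATUS_TYPE:
        raise ValueError(f"unknown status_type {status_type}")
    pos = 1
    (rid_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    rid_end = pos + rid_len
    if rid_end > len(body):
        raise ValueError("responder_id_list overruns extension body")
    responder_ids = []
    while pos < rid_end:
        if pos + 2 > rid_end:
            raise ValueError("truncated ResponderID length")
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if pos + n > rid_end:
            raise ValueError("ResponderID overruns responder_id_list")
        responder_ids.append(body[pos:pos + n])  # DER left undecoded here
        pos += n
    if pos + 2 > len(body):
        raise ValueError("missing request_extensions length")
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ext_len != len(body):
        raise ValueError("request_extensions length does not match body")
    return {"status_type": status_type, "responder_ids": responder_ids,
            "request_extensions": body[pos:pos + ext_len]}


def is_well_formed(body: bytes) -> bool:
    """True if the body parses; a server that wants to tolerate odd clients
    can use this to decide to ignore the extension rather than abort."""
    try:
        parse_status_request(body)
        return True
    except ValueError:
        return False


# Constructed samples (not from the post): the common 5-byte form, a body
# carrying one 8-byte placeholder responder id, and a truncated body.
MINIMAL = bytes.fromhex("0100000000")
WITH_RESPONDER_ID = bytes.fromhex("01000a0008" + "aa" * 8 + "0000")
TRUNCATED = bytes.fromhex("01000a0008aaaa")
```

Note that the parser only checks the TLS framing; the DER inside each ResponderID and in request_extensions is what OpenSSL's ASN.1 routines go on to decode, which is where the "wrong tag" errors in the log originate.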