Hello server messages TLS1
The JSSE SSL server (JDK 1.5) does not seem to be compliant with the TLS 1.0 standard regarding the syntax of the Server Hello messages.
The JSSE SSL server sends the Server Hello + Certificate + Server Hello Done messages encapsulated in a common record-layer header with Type=handshake:
0x16, 0x03, 0x01, len, <hello hsk msg>, <certif hsk msg>, <hello done hsk msg>
while the OpenSSL server sends three separate handshake messages:
0x16, 0x03, 0x01, len1, <hello hsk msg>, 0x16, 0x03, 0x01, len2, <certif hsk msg>, 0x16, 0x03, 0x01, len3, <hello done hsk msg>
Which one is wrong, OpenSSL or JSSE?
By obremonda at 2007-10-1 20:41:16

Modification:
> The JSSE SSL server (JDK 1.5) does not seem to be compliant with
> the TLS 1.0 standard regarding the syntax of the Server Hello
> messages.
> The JSSE SSL server sends the Server Hello + Certificate +
> Server Hello Done messages encapsulated in a common record-layer
> header with Type=handshake:
> 0x16, 0x03, 0x01, len, <hello hsk msg>, <certif hsk
> msg>, <hello done hsk msg>
>
> while the OpenSSL server sends three separate handshake
> messages:
> 0x16, 0x03, 0x01, len1, <hello hsk msg>, 0x16, 0x03,
> 0x01, len2, <certif hsk msg>, 0x16, 0x03, 0x01, len3,
> <hello done hsk msg>
>
> Which one is wrong, OpenSSL or JSSE?
Neither of them is wrong; there is nothing in RFC 2246 which requires handshake records to be sent in distinct record-layer messages, and of course JSSE and OpenSSL do interoperate.
I know this is an older thread by now, but I have a Java applet client that is choking during the TLS handshake, and I think it might be because of issues between OpenSSL and JSSE. When I call SSLSocket.startHandshake(), my Java client sends its Client Hello message, then the server sends the Server Hello, the Certificate, the client certificate request, and the Server Hello Done. The client throws an exception when it receives this data and complains about an "unsupported record version unknown-11.0"; 0x11 is the ID of the handshake protocol message. If I remove client authentication in the server's code by passing SSL_VERIFY_NONE to SSL_CTX_set_verify(), then the server only sends the Server Hello, the Certificate, and the Hello Done. In this case, the client complains about "record version unknown-14.0"; 0x14 is the ID of the Server Hello Done message.
It would seem to me that JSSE is expecting the SSL/TLS server to send multiple record-layer messages during the Server Hello, and is becoming confused by the extra data after the server's certificate. Any thoughts?
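The two record layouts compared in the original post, plus the follow-up about a client "choking" on extra data after the certificate, both come down to one rule from RFC 2246 section 6.2.1: handshake message boundaries are not preserved by the record layer. Several handshake messages may be coalesced into one record, and one handshake message may be fragmented across several records, so a receiver must reassemble a continuous handshake byte stream from the record fragments and only then cut it into messages. The following is an added example written for this page, not code from the thread, JSSE or OpenSSL; the function names, the three constructed message bodies and the sample byte strings are all assumptions. It parses a JSSE-style stream (one record, three messages), an OpenSSL-style stream (three records, one message each) and a fragmented stream (the Certificate message split across two records) into the same handshake sequence, and rejects truncated records and non-handshake content types.

```python
"""Reassemble TLS handshake messages from a record-layer byte stream.

Added example (not from the thread): a record carrying
ServerHello+Certificate+ServerHelloDone, three separate records, and a
Certificate split across two records must all yield the same message list,
because record boundaries are not message boundaries (RFC 2246, s.6.2.1).
"""
import struct

CONTENT_HANDSHAKE = 0x16
TLS_1_0 = (3, 1)

# Handshake message types used below (RFC 2246 section 7.4).
HANDSHAKE_NAMES = {
    1: "ClientHello",
    2: "ServerHello",
    11: "Certificate",
    13: "CertificateRequest",
    14: "ServerHelloDone",
}


def handshake_msg(msg_type, body):
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(fragment, content_type=CONTENT_HANDSHAKE, version=TLS_1_0):
    """Wrap a fragment in a record header: type, version, 2-byte length."""
    if len(fragment) > 2**14:
        raise ValueError("record fragment exceeds 2^14 bytes")
    return struct.pack("!BBBH", content_type, version[0], version[1], len(fragment)) + fragment


def iter_records(stream):
    """Yield (content_type, version, fragment) for every record in the stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        off += 5
        if length > 2**14 or len(stream) - off < length:
            raise ValueError("bad record length %d at offset %d" % (length, off - 5))
        yield ctype, (major, minor), stream[off:off + length]
        off += length


def parse_handshake_stream(stream):
    """Return [(type, body), ...] independent of how the records were cut."""
    buf = b""
    out = []
    for ctype, version, fragment in iter_records(stream):
        if ctype != CONTENT_HANDSHAKE:
            raise ValueError("unexpected content type 0x%02x" % ctype)
        if version[0] != 3:
            raise ValueError("unsupported record version %d.%d" % version)
        buf += fragment  # concatenate fragments across record boundaries
        while len(buf) >= 4:
            msg_type = buf[0]
            length = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + length:
                break  # rest of this message arrives in a later record
            out.append((msg_type, bytes(buf[4:4 + length])))
            buf = buf[4 + length:]
    if buf:
        raise ValueError("stream ended inside a handshake message (%d bytes pending)" % len(buf))
    return out


# Constructed sample bodies (placeholders, not real handshake contents).
SERVER_HELLO = handshake_msg(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
CERTIFICATE = handshake_msg(11, b"\x00\x00\x05" + b"\x00\x00\x02" + b"\x30\x00")
SERVER_HELLO_DONE = handshake_msg(14, b"")

# JSSE-style layout from the post: one record, three handshake messages.
JSSE_STYLE = record(SERVER_HELLO + CERTIFICATE + SERVER_HELLO_DONE)
# OpenSSL-style layout from the post: three records, one message each.
OPENSSL_STYLE = record(SERVER_HELLO) + record(CERTIFICATE) + record(SERVER_HELLO_DONE)
# Fragmented layout: the Certificate message split across two records.
FRAGMENTED = record(SERVER_HELLO + CERTIFICATE[:7]) + record(CERTIFICATE[7:] + SERVER_HELLO_DONE)


def describe(stream):
    """Handshake message names in the order they appear in the stream."""
    return [HANDSHAKE_NAMES.get(t, "type%d" % t) for t, _ in parse_handshake_stream(stream)]


if __name__ == "__main__":
    for name, s in (("JSSE", JSSE_STYLE), ("OpenSSL", OPENSSL_STYLE), ("fragmented", FRAGMENTED)):
        print(name, describe(s))
```

Running the script prints the same three-message list for all three layouts. A client that instead assumes "one record equals one handshake message" will read the second message's type byte and length where it expects a record header, which is the kind of confusion the follow-up post describes; the reassembly loop above is the check that avoids it.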