Workaround for SSL bug

Question

There seems to be a bug in the SSL implementation of an https server I'm connecting to; the problem initially arose in my application, but I've since been debugging / reproducing it with the openssl commandline utility, so I'm fairly certain it has nothing to do with my application at this point.

If I connect to the remote server with no options other than -connect, OpenSSL sends an SSLv2 CLIENT-HELLO, the server responds with a TLSv1 ServerHello, and everything proceeds normally.

If I connect with -ssl3, OpenSSL sends an SSLv3 ClientHello, the server responds with an SSLv3 ServerHello, and again everything is fine.

However, if I connect with -no_ssl2 or -tls1, OpenSSL sends a TLSv1 ClientHello, and the server responds with "TLS 1.0 Alert [length 0002], fatal unexpected_message", which is the original problem I was seeing in my application.

There are a number of possible workarounds that suggest themselves at this point, but I'm ideally looking for something generic, rather than special-casing this particular server, so I'm hoping there's some kind of "standard" workaround for this.

Answer 1

It seems the problem was actually caused by the RFC 5077 session ticket extension; disabling this (by passing -no_ticket to openssl, for example) allowed the TLSv1 ClientHello to succeed with the remote server. Since I have no particular need for this extension in my application, this workaround seems like the most appropriate way to proceed.

A little research suggests that the problem may just be empty session ticket extensions, but I didn't bother trying to figure out whether this particular server had problems with non-empty ones.