[MDEV-12190] YASSL isn't able to negotiate TLS version correctly
Created: 2017-03-07  Updated: 2019-03-20  Resolved: 2018-03-12

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 5.5, 10.1, 10.2.4
Fix Version/s: 10.2.6

Type: Bug
Priority: Major
Reporter: Georg Richter
Assignee: Vladislav Vaintroub
Resolution: Fixed
Votes: 1
Labels: None
Environment: All platforms
Attachments: File MDEV-12190.patch
Issue Links:
Blocks
blocks MDEV-10332 Server 10.2: Add support for OpenSSL 1.1 Closed
Relates
relates to CONC-260 Connection through SSL always gives e... Closed
relates to CONC-393 TLSv1.2 ciphers are rejected on Windo... Closed
relates to CONJ-575 test YaSSL correction and permit TLSv... Closed

 Description   

According to RFC 4346 Section 7.4.13 "Server Hello" and RFC 5246 Appendix E, the Server Hello packet needs to specify the highest supported TLS version, but not higher than what the client requests.

YaSSL's highest supported version is TLSv1.1 (=3.2) - if the client requests a higher version, it needs to be downgraded in the Server Hello packet to TLSv1.1 instead of interrupting the handshake and closing the connection.
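
The negotiation rule cited in the description, as an added example that is not yaSSL or MariaDB code: a server capped at TLSv1.1 answers a TLSv1.2 ClientHello with version 3.2 instead of closing the connection. The function names, the TLSv1.0 server minimum and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// TLS wire versions: 3.1 = TLSv1.0, 3.2 = TLSv1.1, 3.3 = TLSv1.2.
struct ProtocolVersion { uint8_t major_ver; uint8_t minor_ver; };

static bool version_less(ProtocolVersion a, ProtocolVersion b) {
    if (a.major_ver != b.major_ver) return a.major_ver < b.major_ver;
    return a.minor_ver < b.minor_ver;
}

// Read ClientHello.client_version from the start of a TLS record.
// Layout: record header (type, version[2], length[2]), handshake header
// (msg_type, length[3]), then client_version[2] at offsets 9 and 10.
bool client_hello_version(const uint8_t* buf, size_t len, ProtocolVersion* out) {
    if (len < 11) return false;        // too short to contain the version
    if (buf[0] != 0x16) return false;  // not a handshake record
    if (buf[5] != 0x01) return false;  // not a ClientHello
    out->major_ver = buf[9];
    out->minor_ver = buf[10];
    return true;
}

// ServerHello version = min(client offer, server maximum). Fails only when the
// offer is below the server minimum, where a protocol_version alert is sent.
bool select_server_version(ProtocolVersion client, ProtocolVersion server_min,
                           ProtocolVersion server_max, ProtocolVersion* chosen) {
    if (version_less(client, server_min)) return false;
    *chosen = version_less(server_max, client) ? server_max : client;
    return true;
}

// Constructed sample: first 11 bytes of a ClientHello offering TLSv1.2 (3.3).
static const uint8_t kSampleClientHello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f,  // record: handshake, legacy version, length
    0x01, 0x00, 0x00, 0x2b,        // handshake: client_hello, length
    0x03, 0x03                     // client_version = 3.3
};

int main() {
    ProtocolVersion min_v = {3, 1}, max_v = {3, 2}, offer, chosen;  // assumed server range
    if (client_hello_version(kSampleClientHello, sizeof kSampleClientHello, &offer) &&
        select_server_version(offer, min_v, max_v, &chosen))
        std::printf("ServerHello version %d.%d\n", chosen.major_ver, chosen.minor_ver);
    return 0;
}
```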



 Comments   
Comment by Georg Richter [ 2017-05-11 ]

This was fixed together with MDEV-10332

Comment by Georg Richter [ 2018-03-05 ]

Not fixed in 5.5 and 10.1
