PerlMonks  

Re^3: Net::SSLeay and secure renegotiation

by noxxi (Pilgrim)
on Dec 11, 2016 at 20:48 UTC [id://1177619]


in reply to Re^2: Net::SSLeay and secure renegotiation
in thread Net::SSLeay and secure renegotiation

> Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2) ..

This line makes no sense to me. Could you explain what you are trying to do here?

Apart from that, TLS_EMPTY_RENEGOTIATION_INFO_SCSV will not be set by calling renegotiate. Instead, this pseudo cipher is included in the initial handshake (ClientHello) and signals to the server that secure renegotiation is supported.
Could you explain what you are actually trying to achieve by attempting to set TLS_EMPTY_RENEGOTIATION_INFO_SCSV?

Re^4: Net::SSLeay and secure renegotiation
by iThunder (Beadle) on Dec 11, 2016 at 23:45 UTC

    With that line, I am forcing SSLv2 to be the wrapper for the client hello.

    I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

      > With that line, i am forcing SSLv2 to be wrapper for client

      I very much doubt this will work. While you set ssl_version, you do it after creating the context. Also, ssl_version is only looked at if you use sslcat or https_cat (i.e. users of new_x_ctx), which you don't do. This means that setting ssl_version does nothing in the code. The rest of this line calls CTX_set_options with the option "2", which is not even a defined SSL_OP.
      Also, setting ssl_version to 2 in the cases where it actually does something will not force an SSLv2 wrapper but force use of SSL 2.0. This one is mostly fully disabled in current versions of openssl, and SSL 2.0 does not support renegotiation anyway. An SSLv2 wrapper would instead mean that you want to have an SSLv23 context, which is actually the default.

      > I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

      This should be included by default in the initial ClientHello and a short test with IO::Socket::SSL shows that it actually is.

        Well, for some reason it's not appearing in my client hello. Below is my code. With SSL_cipher_list set to ALL, I can see 38 cipher suites being sent but not the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV". What OS and openssl version are you using?

        #!/usr/bin/perl
        use warnings;
        use IO::Socket::SSL;               # exports SSL_VERIFY_NONE and $SSL_ERROR
        use IO::Socket qw(:DEFAULT :crlf); # exports the CRLF constant

        $/ = CRLF;
        $| = 1;

        my $client = IO::Socket::SSL->new(
            PeerHost        => "1.1.1.115",
            PeerPort        => "443",
            SSL_verify_mode => SSL_VERIFY_NONE,
            SSL_cipher_list => 'ALL',
        ) or die "connect failed: $SSL_ERROR";

        my $msg1 = "GET /index.html HTTP/1.1" . $/;
        my $msg2 = "Host: windows" . $/;
        my $msg3 = "User-Agent: curl/7.18.1 (i386-redhat-linux-gnu) libcurl/7.18.1 NSS/3.12 Beta 3 zlib/1.2.3 libidn/0.6.14" . $/;

        # the trailing CRLF is the blank line that ends the request headers
        print $client $msg1, $msg2, $msg3 . CRLF;
        shutdown($client, 2);
Re^4: Net::SSLeay and secure renegotiation
by afoken (Chancellor) on Dec 16, 2016 at 20:37 UTC
    > Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2)

    If that's not a copy and paste error that should read Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version => 2), this is what will happen:

    $Net::SSLeay::ssl_version = 2; # oops!
    Net::SSLeay::CTX_set_options($ctx, 2);

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
