in reply to Re: Net::SSLeay and secure renegotiation
in thread Net::SSLeay and secure renegotiation

#!/usr/bin/perl -w
use Socket;
use strict;
use Net::SSLeay qw(die_now die_if_ssl_error copy_session_id);

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my ($res,$got);
my $msg = "GET / HTTP/1.0";
my $dest_ip = 1.1.1.115;   # v-string: four raw bytes, i.e. the address already in packed form
my $dest_serv_params = sockaddr_in( 443, $dest_ip );

socket( S, &AF_INET, &SOCK_STREAM, 0 ) or die "socket: $!";
connect( S, $dest_serv_params ) or die "connect: $!";

my $ctx = Net::SSLeay::CTX_new() or die_now("Cannot create SSL_CTX $!");
Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2) and die_if_ssl_error("ssl ctx set options");
Net::SSLeay::CTX_set_cipher_list($ctx,'ALL');

my $ssl1 = Net::SSLeay::new($ctx) or die_now("Cannot create SSL #1 $!");
Net::SSLeay::set_fd( $ssl1, fileno(S) );
Net::SSLeay::renegotiate($ssl1);
$res = Net::SSLeay::connect($ssl1) and die_if_ssl_error("ssl connect");

$res = Net::SSLeay::write( $ssl1, $msg . "\n\n" );
die_if_ssl_error("ssl write");
$got = Net::SSLeay::read($ssl1);
die_if_ssl_error("ssl read");
print $got;
close S;

Re^3: Net::SSLeay and secure renegotiation
by noxxi (Pilgrim) on Dec 11, 2016 at 20:48 UTC
    > Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2) ..

    This line makes no sense to me. Could you explain what you are trying to do here?

    Apart from that TLS_EMPTY_RENEGOTIATION_INFO_SCSV will not be set by calling renegotiate. Instead this pseudo cipher is included in the initial handshake (ClientHello) and signals to the server that secure renegotiation is supported.
    Could you explain what you are actually trying to achieve by attempting to set TLS_EMPTY_RENEGOTIATION_INFO_SCSV?

      With that line, I am forcing SSLv2 to be the wrapper for the client hello

      I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

        > With that line, i am forcing SSLv2 to be wrapper for client

        I very much doubt this will work. While you set ssl_version you do it after creating the context. Also ssl_version is only looked at if you use sslcat or https_cat (i.e. users of new_x_ctx) which you don't do. Which means that setting ssl_version does nothing in the code. The rest of this line calls CTX_set_options with the option "2" which is not even a defined SSL_OP.
        Also, setting ssl_version to 2 in the cases where it actually does something will not force an SSLv2 wrapper but force use of SSL 2.0. This one is mostly fully disabled in current versions of OpenSSL, and SSL 2.0 does not support renegotiation anyway. SSLv2 wrapper would instead mean that you want to have an SSLv23 context, which is actually the default.

        > I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

        This should be included by default in the initial ClientHello and a short test with IO::Socket::SSL shows that it actually is.

      Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2)

      If that's not a copy and paste error that should read Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version => 2), this is what will happen:

      $Net::SSLeay::ssl_version = 2; # oops!
      Net::SSLeay::CTX_set_options($ctx, 2);

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
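Added example, not part of the thread above: noxxi's point is that TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF) is something OpenSSL puts into the *initial* ClientHello on its own, so nothing in the client script needs to "set" it; calling renegotiate() before the handshake does not add it either. The script below lets you verify that on the wire without a server. It is in Python rather than Perl because Python's ssl module wraps the same OpenSSL library Net::SSLeay does, and a MemoryBIO pair lets OpenSSL's client state machine emit a real ClientHello offline, which is then parsed. RFC 5746 allows a client to signal secure-renegotiation support either with the SCSV or with an empty renegotiation_info extension (type 0xFF01), so the parser reports both. The hand-built ClientHello records and the host name are constructed inputs for the demo, not captures from the original poster's server.

```python
"""Does a TLS ClientHello signal secure-renegotiation support (RFC 5746)?

Added example, not code from the PerlMonks thread. Two signals are possible in
the initial ClientHello: the pseudo cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV
(0x00FF) in the cipher list, or an empty renegotiation_info extension (0xFF01).
build_client_hello() produces constructed test records; capture_openssl_client_hello()
pulls a real ClientHello out of the OpenSSL linked into Python's ssl module.
"""
import ssl
import struct

SCSV_EMPTY_RENEGOTIATION_INFO = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 3.3
EXT_RENEGOTIATION_INFO = 0xFF01         # renegotiation_info extension type, RFC 5746 3.2


def parse_client_hello(data: bytes) -> dict:
    """Walk one TLS record holding a ClientHello; ValueError on anything malformed."""
    try:
        if data[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", data[3:5])
        body = data[5:5 + rec_len]
        if len(body) < rec_len:
            raise ValueError("truncated record")
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            raise ValueError("truncated ClientHello")
        pos = 0
        (legacy_version,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        pos += 32                                   # client random
        pos += 1 + hello[pos]                       # session id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                       # compression methods
        extensions = {}
        if pos < len(hello):                        # extensions block is optional
            (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
                extensions[etype] = hello[pos:pos + elen]; pos += elen
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc

    has_scsv = SCSV_EMPTY_RENEGOTIATION_INFO in suites
    ri = extensions.get(EXT_RENEGOTIATION_INFO)
    return {
        "legacy_version": legacy_version,
        "cipher_suites": suites,
        "extensions": sorted(extensions),
        "has_scsv": has_scsv,
        "has_renegotiation_info": ri is not None,
        # an initial hello must carry a zero-length renegotiated_connection field
        "renegotiation_info_empty": ri == b"\x00",
        "signals_secure_renegotiation": has_scsv or ri is not None,
    }


def build_client_hello(cipher_suites, extensions=(), legacy_version=0x0303) -> bytes:
    """Constructed minimal ClientHello record for testing the parser (not a capture)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    hello = struct.pack("!H", legacy_version) + b"\x11" * 32   # fixed "random" for the demo
    hello += b"\x00"                                            # empty session id
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                                        # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def capture_openssl_client_hello(server_hostname="tls-test.example") -> bytes:
    """Run OpenSSL's client over a MemoryBIO pair: the handshake stalls waiting for
    the server, leaving the ClientHello in the outgoing BIO. No network is used;
    the host name only fills the SNI extension and is a placeholder."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


if __name__ == "__main__":
    samples = (
        ("constructed, SCSV only", build_client_hello([0xC02F, SCSV_EMPTY_RENEGOTIATION_INFO])),
        ("constructed, RI extension only", build_client_hello([0xC02F], [(EXT_RENEGOTIATION_INFO, b"\x00")])),
        ("constructed, no signal", build_client_hello([0xC02F])),
        ("live OpenSSL via ssl.MemoryBIO", capture_openssl_client_hello()),
    )
    for label, record in samples:
        r = parse_client_hello(record)
        print(f"{label}: scsv={r['has_scsv']} ri_ext={r['has_renegotiation_info']} "
              f"-> secure renegotiation signalled: {r['signals_secure_renegotiation']}")
```

The same parser can be pointed at a ClientHello captured from the Perl client (tcpdump/Wireshark export of the first record after the TCP handshake), which is the direct way to settle what Net::SSLeay actually sends for a given ssl_version or option value, instead of reasoning about it from the Perl side.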