in reply to Re^2: Net::SSLeay and secure renegotiation
in thread Net::SSLeay and secure renegotiation

> Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2) ..

[download]

This line makes no sense for me. Could you explain what you are trying to do here?

Apart from that TLS_EMPTY_RENEGOTIATION_INFO_SCSV will not be set by calling renegotiate. Instead this pseudo cipher is included in the initial handshake (ClientHello) and signals to the server that secure renegotiation is supported.
Could you explain what you are actually trying to achieve by attempting to set TLS_EMPTY_RENEGOTIATION_INFO_SCSV?

Replies are listed 'Best First'.
Re^4: Net::SSLeay and secure renegotiation
by iThunder (Beadle) on Dec 11, 2016 at 23:45 UTC

    With that line, i am forcing SSLv2 to be wrapper for client hello

    I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.
[reply]

      > With that line, i am forcing SSLv2 to be wrapper for client

      I very much doubt this will work. While you set ssl_version you do it after creating the context. Also ssl_version is only looked at if you use sslcat or https_cat (i.e. users of new_x_ctx) which you don't do. Which means that setting ssl_version does nothing in the code. The rest of this line calls CTX_set_options with the option "2" which is not even a defined SSL_OP.
      Also, setting ssl_version to 2 in the cases were it actually does something will not force if SSLv2 wrapper but force use of SSL 2.0. This one is mostly disabled fully in current versions of openssl and SSL 2.0 does not support renegotiation anyway. SSLv2 wrapper would be instead mean that you want to have a SSLv23 context which is actually the default.

      > I need to test server behavior when TLS_EMPTY_RENEGOTIATION_INFO_SCSV is set/included in client hello.

      This should be included by default in the initial ClientHello and a short test with IO::Socket::SSL shows that it actually is.

[reply]

        Well for some reason, its not appearing in my client hello. Below is my code. With SSL_cipher_list set to ALL, i can see 38 cipher suites being sent but not the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV". What OS and openssl version are you using? 

        #!/usr/bin/perl

 use IO::Socket::SSL;
 use IO::Socket qw(:DEFAULT :crlf);
 $/ = CRLF;
 $| = 1;
use warnings;
my $client = IO::Socket::SSL->new(PeerHost => "1.1.1.115", PeerPort =>
+ "443", SSL_verify_mode => SSL_VERIFY_NONE, SSL_cipher_list => 'ALL')
+;

    $msg1 = "GET /index.html HTTP/1.1".$/;
    $msg2 = "Host: windows".$/;
    $msg3 = "User-Agent: curl/7.18.1 (i386-redhat-linux-gnu) libcurl/7
+.18.1 NSS/3.12 Beta 3 zlib/1.2.3 libidn/0.6.14".$/;


    print $client $msg1,$msg2,$msg3.CRLF;

    shutdown($client,2);

        [download]
[reply]
[d/l]
Re^4: Net::SSLeay and secure renegotiation
by afoken (Chancellor) on Dec 16, 2016 at 20:37 UTC
    Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version = 2)

    If that's not a copy and paste error that should read Net::SSLeay::CTX_set_options($ctx,$Net::SSLeay::ssl_version => 2), this is what will happen:

    $Net::SSLeay::ssl_version = 2; # oops!
Net::SSLeay::CTX_set_options($ctx, 2);

    [download]

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom