-
As this issue is more common now (at least a few each day) and I've introduced
C2SIOService.handleMalformedInput(C2SIOService.java:152)
method, I took a look on this issue.This method is responsible for handling data sent after
<starttls/>
by the client, ie. when client sends in a single TCP frame<starttls/>
followed by SSL/TLS handshake packet. After a detailed review, I've found out that all issues/exceptions are reported from line 152 ofC2SIOService.handleMalformedInput()
. This call is done only for handling old SSLv2 Client Hello.Currently, most of the clients do now use SSLv2 Client Hello (nor they use SSLv2 at all), but some old software still may be using this handshake for compatibility reasons. (This handshake may be used to establish even nerver SSLv3 or even TLSv1.3).
It looks like, when in the "plain" or already TLS encrypted connection happens issue with UTF-8 malformation, Tigase checks if that is not a handshake for TLS (initial packet) by checking TLS/SSL packet header. For SSv2 test was very simple and taking into account possible content that is parsed it could cause false positives and cause SSL handshake to be executed (or rather plaintext data was processed by SSLEngine once again causing issue).
To fix that, I've increased logging of data in
extractTlsHandshakeData()
method to allow us check what actually was fed to SSL engine and improved verification of SSLv3 handshake header (checked if length of the header does not exceed 16709 bytes).I think that this fix will be OK. If not, we may want to consider dropping support for SSLv2 Client Hello.
Type |
Bug
|
Priority |
Normal
|
Assignee | |
Version |
tigase-server-8.4.0
|
-
tigase-server-8.4.0 Closed