
There is a project that uses JSSE extensively.

Depending on a configuration parameter the SSLContext is initialized for SSLv3. Meaning that if the parameter is not set it is SSLv3, otherwise it is TLS.

I noticed some handshake failures occasionally and traced it: if the client negotiated TLS and the server replied with SSLv3, the handshake failed.

Why does this happen? I thought that TLS and SSLv3 are pretty much interchangeable. Are they not? If I change the server side to always reply TLS, is there a chance I will break something?

Paŭlo Ebermann
Cratylus

2 Answers


TLS 1.0 is, internally, SSL 3.1. A client and a server may accept to use either or both; during the handshake, the client sends the highest protocol version it knows of, and the server should select the highest version that it supports that is not always newer than the one sent by the client.

My guess is that when you configure your client to use TLS, then the client understands it as "use only TLS 1.0": the client sends "3.1", and if the server is configured to respond with "3.0", then the client will quite logically reject the connection.

What you should do is find a way to configure the server to accept both 3.0 and 3.1, and thus use whatever protocol version was announced by the client. Alternatively, configure the client to declare that it knows 3.1, but such that it also accepts a "downgrade" to 3.0 if the server says so.

Thomas Pornin
  • So SSL3.1 and 3.0 are not compatible. Is this (usually) configuration, i.e. to configure the server to accept both 3.0 and 3.1, or will custom code be required? – Cratylus Mar 29 '11 at 20:30
  • SSL 3.0 and 3.1 are not exactly the same protocol, but they share enough structure that the first client message can work for both, and the server can then decide. This is normally a matter of configuration. Internally, this should end up calling `SSLServerSocket.setEnabledProtocols()` which accepts an array of strings, allowing for the specification of several protocols (e.g. `"SSLv3"` _and_ `"TLSv1"`). – Thomas Pornin Mar 29 '11 at 22:03
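
The negotiation rule described in the answer above, together with the `setEnabledProtocols()` call from its comment, as an added example that is not part of the original answer or of the project in the question. `negotiate` is a hypothetical, simplified model (it ignores cipher suites and the SSLv2-format hello), and the protocol lists are constructed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;
import java.util.List;

public class VersionNegotiationDemo {
    // Oldest to newest; on the wire SSLv3 is version 3.0 and TLSv1 is 3.1.
    static final List<String> ORDER = Arrays.asList("SSLv3", "TLSv1");

    // Simplified model (assumption, not JSSE code): the client announces its
    // highest enabled version, the server picks its highest enabled version
    // that is not newer, and the client aborts if it has not enabled that one.
    static String negotiate(List<String> client, List<String> server) {
        int clientMax = -1;
        for (String p : client) clientMax = Math.max(clientMax, ORDER.indexOf(p));
        String chosen = null;
        for (int i = 0; i <= clientMax; i++) {
            if (server.contains(ORDER.get(i))) chosen = ORDER.get(i);
        }
        if (chosen == null) return "failure: server has no version <= client's";
        return client.contains(chosen) ? chosen : "failure: client rejects " + chosen;
    }

    public static void main(String[] args) throws Exception {
        List<String> tlsOnly = Arrays.asList("TLSv1");
        List<String> sslOnly = Arrays.asList("SSLv3");
        List<String> both = Arrays.asList("SSLv3", "TLSv1");
        System.out.println(negotiate(tlsOnly, sslOnly)); // the failing case from the question
        System.out.println(negotiate(tlsOnly, both));    // server accepts both versions
        System.out.println(negotiate(both, sslOnly));    // client accepts a downgrade

        // The server-side configuration, applied to an unbound socket (nothing listens).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        try (SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            List<String> supported = Arrays.asList(s.getSupportedProtocols());
            // setEnabledProtocols() rejects names the provider does not support.
            String[] wanted = both.stream().filter(supported::contains).toArray(String[]::new);
            if (wanted.length > 0) s.setEnabledProtocols(wanted);
            System.out.println(Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

On current JDKs `SSLv3` and `TLSv1` are also listed in the `jdk.tls.disabledAlgorithms` security property, so enabling them on the socket is not by itself enough for a handshake to use them.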

You don't say what you are trying to achieve by varying the protocol parameter. SSLv3 and TLS1.0 are very similar but nevertheless distinct protocols. The protocol negotiation mechanism introduced in SSLv3 is also used in subsequent protocols. The bottom line is that in `SSLContext.getInstance("proto");` you should set `proto` to the earliest version of the SSL protocol you are willing to support. After that, the peers will negotiate to use the newest version of the protocol they both support.

President James K. Polk
  • The varying protocol parameter is used as a stricter authentication indication. It is used in other parts as well (e.g. to use more secure number generators etc). My question here is why does the negotiation fail between a server configured for TLS and a client implementation that initializes the SSLContext with SSLv3? – Cratylus Mar 26 '11 at 21:42