[Chilli] CoovaChilli and RadSec

Stelio Gouveia stelio at skyrove.com
Wed Jun 23 08:32:02 UTC 2010


The problem, it seems, is when Coova-Chilli sends an SSLv2 CLIENT-HELLO
message. RadSecProxy doesn't know what to do with it and fails to establish
an SSL connection as it's listening for TLSv1 CLIENT-HELLO messages.

Now if we replace the SSLv23_client_method with the TLSv1_client_method,
then we can get Coova-Chilli and RadSecProxy sending encrypted packets.

Are there any objections to doing this? Other than the fact that the SSLv23
method is no longer supported.

See the patch below:

--- ssl.c.orginal 2010-06-23 09:53:51.406061947 +0200
+++ ssl.c 2010-06-23 09:54:05.966062034 +0200
@@ -182,7 +182,7 @@
   if (server) {
     env->meth = SSLv23_server_method();
   } else {
-    env->meth = SSLv23_client_method();
+    env->meth = TLSv1_client_method();
   }
   env->ctx = SSL_CTX_new(env->meth);
   SSL_CTX_set_options(env->ctx, SSL_OP_ALL);
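Review bot: In the else branch, TLSv1_client_method() pins the client to exactly TLS 1.0, so it can no longer negotiate any other version with the peer, while the server branch above still uses SSLv23_server_method(). Consider keeping SSLv23_client_method() and adding SSL_OP_NO_SSLv2 to the SSL_CTX_set_options() call on the last line (for example SSL_OP_ALL | SSL_OP_NO_SSLv2), which stops the SSLv2-format hello without fixing the version. The same option would also stop the server side from accepting SSLv2. Separately, the result of SSL_CTX_new() is passed straight to SSL_CTX_set_options() in these lines with no NULL check visible.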

- Stelio

On Fri, Jun 18, 2010 at 10:28 AM, Stelio Gouveia <stelio at skyrove.com> wrote:

> Hi Folks
>
> I'm trying to get CoovaChilli (v1.2.3) to encrypt its packets using RadSec
> and forward them on to RadSecProxy 1.4
>
> On my RadSecProxy side, I get the following:
> Jun 17 15:30:54 2010: tlsservernew: incoming TLS connection from 10.0.0.44
> Jun 17 15:30:54 2010: tlsservernew: SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jun 17 15:30:54 2010: tlsservernew: SSL_accept failed
>
> Some posts I've read suggest this could be down to using the wrong
> TLS_PROTOCOL version on either the client or server. Which version does
> CoovaChilli use?
>
> Has anyone else tried to marry these two pieces of software?
>
> - Stelio
>
> --
> Skyrove Software Engineer,
> Skyrove (Pty) Ltd
> Technology Top 100 Award Winner (2006)
> Mobile: +27 82 34 09 120
> Tel: +27 861 ROVERS (0861 768 377)
> Fax: +27 86 6204077
> Email & Gtalk: stelio at skyrove.com
> Web:   www.skyrove.com
>
> This message contains confidential information. If you are not the intended
> recipient you are notified that disclosing, copying, distributing or taking
> any action in reliance on the contents of this information is strictly
> prohibited. E-mail transmission cannot be guaranteed to be secure or
> error-free as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. The sender therefore does not
> accept liability for any errors or omissions in the contents of this
> message.
>



-- 
Regards
Stelio Gouveia
--
Skyrove Software Engineer,
Skyrove (Pty) Ltd
Technology Top 100 Award Winner (2006)
Mobile: +27 82 34 09 120
Tel: +27 861 ROVERS (0861 768 377)
Fax: +27 86 6204077
Email & Gtalk: stelio at skyrove.com
Web:   www.skyrove.com

This message contains confidential information. If you are not the intended
recipient you are notified that disclosing, copying, distributing or taking
any action in reliance on the contents of this information is strictly
prohibited. E-mail transmission cannot be guaranteed to be secure or
error-free as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message.
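
Added example, not part of the original post and not CoovaChilli or RadSecProxy code: a small C classifier for the first bytes of a connection, showing how an SSLv2-format CLIENT-HELLO differs on the wire from a TLS record and what a TLS-only parser reads as the record version, which is consistent with the "wrong version number" error quoted above. All names are hypothetical and both byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; both byte strings are constructed samples, truncated
 * to the header fields that matter here. */
enum hello_kind { HELLO_UNKNOWN, HELLO_SSLV2_FORMAT, HELLO_TLS_RECORD };

struct hello_info {
    enum hello_kind kind;
    uint8_t major, minor;          /* highest version the client offers */
};

/* SSLv2-format CLIENT-HELLO: length 46, msg type 1, offered version 3.1 */
static const uint8_t SSLV2_FORMAT_HELLO[] =
    { 0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10 };
/* TLS record: handshake (22), version 3.1, ClientHello (1), version 3.1 */
static const uint8_t TLS_RECORD_HELLO[] =
    { 0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01 };

/* Classify the first bytes a client sends on a new connection. */
static struct hello_info classify_hello(const uint8_t *p, size_t n)
{
    struct hello_info h = { HELLO_UNKNOWN, 0, 0 };
    if (n < 5)
        return h;
    if ((p[0] & 0x80) && p[2] == 0x01) {       /* 2-byte SSLv2 header */
        h.kind = HELLO_SSLV2_FORMAT;
        h.major = p[3];
        h.minor = p[4];
    } else if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        h.kind = HELLO_TLS_RECORD;             /* 5-byte TLS record header */
        h.major = p[9];
        h.minor = p[10];
    }
    return h;
}

/* What a parser that only understands TLS records takes as the record
 * version: bytes 1-2, whatever the client actually meant by them. */
static unsigned version_read_as_tls_record(const uint8_t *p, size_t n)
{
    return n >= 3 ? ((unsigned)p[1] << 8) | p[2] : 0;
}

int main(void)
{
    struct hello_info h = classify_hello(SSLV2_FORMAT_HELLO, sizeof SSLV2_FORMAT_HELLO);
    printf("kind=%d offers %u.%u, read as TLS record version 0x%04x\n", h.kind, h.major, h.minor,
           version_read_as_tls_record(SSLV2_FORMAT_HELLO, sizeof SSLV2_FORMAT_HELLO));
    return 0;
}
```

The SSLv2-format sample offers version 3.1 inside the hello, yet a TLS-record parser reads its length and message-type bytes as version 0x2e01 and rejects it before any negotiation takes place.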