Debian Bug report logs - #665452
libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)


Package: libssl1.0.0; Maintainer for libssl1.0.0 is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for libssl1.0.0 is src:openssl.

Reported by: Bastian Kleineidam <calvin@debian.org>

Date: Sat, 24 Mar 2012 11:24:36 UTC

Severity: important

Found in version openssl/1.0.1-2

Fixed in version 1.0.1b-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sat, 24 Mar 2012 11:24:39 GMT)

Acknowledgement sent to Bastian Kleineidam <calvin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Mar 2012 11:24:41 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bastian Kleineidam <calvin@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Date: Sat, 24 Mar 2012 12:23:37 +0100
Package: libssl1.0.0
Version: 1.0.1-2
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

installing the newest version breaks curl (and other download tools
using libssl, like perl GET) on https://sourceforge.net/.
Downgrading to 1.0.0h solves the problem.

Attached are curl --trace outputs with version 1.0.0h and 1.0.1.

Since the SSL error message is not very helpful, I could not match
this problem to any of the existing bugs.
So feel free to ask for more info about this.

Regards,
  Bastian

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.12rum1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.42
ii  libc6                  2.13-27
ii  multiarch-support      2.13-27
ii  zlib1g                 1:1.2.6.dfsg-2

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

- -- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk9trrQACgkQeBwlBDLsbz5QTwCg0/CiAMF15IWsTSmgQU0Moany
+44AoKJ6cmESgDyoWCPsspfDseAB8UHx
=YMwi
-----END PGP SIGNATURE-----
[curl_sourceforge.net_1.0.0h.log (application/octet-stream, attachment)]
[curl_sourceforge.net_1.0.1.log (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sat, 24 Mar 2012 11:42:05 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Mar 2012 11:43:40 GMT)

Message #10 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Bastian Kleineidam <calvin@debian.org>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Date: Sat, 24 Mar 2012 12:39:03 +0100
On Sat, Mar 24, 2012 at 12:23:37PM +0100, Bastian Kleineidam wrote:
> Package: libssl1.0.0
> Version: 1.0.1-2
> Severity: important
> 
> Hi,
> 
> installing the newest version breaks curl (and other download tools
> using libssl like perl GET) on https://sourceforge.net/
> Downgrading to 1.0.0h solves the problem.
> 
> Attached are curl --trace outputs with version 1.0.0h and 1.0.1.
> 
> Since the SSL error message is not very helpful, I could not match
> this problem to any of the existing bugs.
> So feel free to ask for more info about this.

I can reproduce it, and it doesn't make much sense to me at this
time. sourceforge just doesn't seem to reply.

The biggest change in 1.0.1 is that it supports TLS 1.1 and 1.2.
But using s_client with -no_tls1_1 -no_tls1_2 still doesn't get
me a connection. 

On the other hand "gnutls-cli sourceforge.net" does work as
expected.

And forcing an SSL3 or TLS1 connection using s_client also works.

So I think someone at sourceforge will have to take a look at this.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sat, 24 Mar 2012 18:51:09 GMT)

Acknowledgement sent to Bastian Kleineidam <calvin@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 24 Mar 2012 18:51:09 GMT)

Message #15 received at 665452@bugs.debian.org (full text, mbox):

From: Bastian Kleineidam <calvin@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Date: Sat, 24 Mar 2012 19:45:51 +0100
Hello Kurt,

On Saturday, 24 March 2012, 12:39:03, Kurt Roeckx wrote:
> And forcing an SSL3 or TLS1 connection using s_client also works.
Can I configure this somehow to be the default for all applications
using libssl?

> On the other hand "gnutls-cli sourceforge.net" does work as
> expected.
Yes, there are some gnutls alternatives. Unfortunately the Perl and
Python https libraries are using libssl. In fact that is when I first
noticed the bug: my custom python script could not log in to Sourceforge
anymore.

> So I think someone at sourceforge will have to take a look at this.
This upstream bug seems to be the same problem:
http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
Unfortunately the developer does not seem to see that as a regression :-/

I guess the best choice for me right now is to keep using v1.0.0h.

Regards,
  Bastian
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sun, 25 Mar 2012 02:03:05 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 25 Mar 2012 02:03:05 GMT)

Message #20 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Bastian Kleineidam <calvin@debian.org>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Date: Sun, 25 Mar 2012 04:01:13 +0200
On Sat, Mar 24, 2012 at 07:45:51PM +0100, Bastian Kleineidam wrote:
> Hello Kurt,
> 
> Am Saturday, 24. March 2012, 12:39:03 schrieb Kurt Roeckx:
> > And forcing an SSL3 or TLS1 connection using s_client also works.
> Can I configure this somehow to be the default for all applications
> using libssl?

Not that I know of; as far as I know they all need to set this up
themselves.

> > On the other hand "gnutls-cli sourceforge.net" does work as
> > expected.
> Yes, there are some gnutls alternatives. Unfortunately the Perl and
> Python https libraries are using libssl. In fact that is when I first
> noticed the bug: my custom python script could not login to Sourceforge
> anymore.
> 
> > So I think someone at sourceforge will have to take a look at this.
> This upstream bug seems to be the same problem:
> http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
> Unfortunately the developer does not seem to see that as a regression :-/

That bug report mentions owa.mit.edu, which also responds with:
Server: BigIP


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Tue, 27 Mar 2012 08:51:21 GMT)

Acknowledgement sent to Louis-David Mitterrand <ldm@apartia.fr>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 27 Mar 2012 08:51:26 GMT)

Message #25 received at 665452@bugs.debian.org (full text, mbox):

From: Louis-David Mitterrand <ldm@apartia.fr>
To: Debian Bug Tracking System <665452@bugs.debian.org>
Subject: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Tue, 27 Mar 2012 10:42:18 +0200
Package: openssl
Version: 1.0.1-2
Followup-For: Bug #665452

I can no longer contact paypal on its ssl port with that 'upgrade' with
perl, wget, w3m, etc. (all clients using openssl).

Going back to 1.0.0h fixes it.

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these lines ***


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (499, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0-1-pyrrhus (SMP w/4 CPU cores)
Locale: LANG=en_CA, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6        2.13-27
ii  libssl1.0.0  1.0.1-2
ii  zlib1g       1:1.2.6.dfsg-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20120212

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Tue, 27 Mar 2012 19:42:12 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 27 Mar 2012 19:42:12 GMT)

Message #30 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Louis-David Mitterrand <ldm@apartia.fr>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Tue, 27 Mar 2012 21:39:50 +0200
On Tue, Mar 27, 2012 at 10:42:18AM +0200, Louis-David Mitterrand wrote:
> Package: openssl
> Version: 1.0.1-2
> Followup-For: Bug #665452
> 
> I can no longer contact paypal on its ssl port with that 'upgrade' with
> perl, wget, w3m, etc. (all clients using openssl).

This seems to be a different issue that has the same effect.

> Going back to 1.0.0h fixes it.
> 
> Dear Maintainer,
> *** Please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>    * What was the outcome of this action?
>    * What outcome did you expect instead?
> 
> *** End of the template - remove these lines ***

Why are you asking me those questions?

Anyway, there seem to be 3 different problems:
- Servers that report BigIP as server.  They don't reply to
  ClientHello requests that are bigger than 255 bytes.  Examples
  include sourceforge.net and owa.mit.edu.
- Servers that don't tolerate version numbers they don't support
  while they are supposed to negotiate a lower version.  Examples
  include boekhuis.nl.
- paypal, where it currently isn't clear what the problem really is;
  it seems to support TLS1.2, but reacts weirdly to 1.1.

All problems can be worked around by disabling the TLS
1.1 and 1.2 protocols.

The first can also be worked around by disabling ciphersuites that
are sent, so you get a smaller ClientHello.  It can also be triggered
with the 1.0.0h version by adding extra options like -servername.

Due to a bug fixed upstream disabling TLS 1.1 and 1.2 might
currently not fix the first issue, but that should get fixed
in the next version.

In any case you should contact affected sites or vendors about
this issue, else we're never going to get those protocols
deployed.


Kurt
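To make "a ClientHello bigger than 255 bytes" concrete, here is an added Python example; it is not code from the bug report, from OpenSSL or from any of the sites named above. It builds a TLS ClientHello record following the RFC 5246 layout, parses it back, and compares a trimmed hello (four suites, no extensions) against a TLS 1.2 hello that carries a long suite list plus server_name, elliptic_curves and signature_algorithms extensions, which is the kind of growth the thread attributes to 1.0.1. The cipher-suite, curve and signature-algorithm lists are constructed for illustration and are not the exact defaults of any OpenSSL release; the only values taken from the thread are the hostname and the 255-byte threshold.

```python
import os
import struct

# --- Constructed inputs (illustration only; not the defaults of any OpenSSL release) ---
# Four classic code points: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA.
SHORT_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
# 64 code points standing in for a long 1.0.1-style default list.
LONG_SUITES = list(range(0x0001, 0x0041))
# 25 named-curve ids and 15 (hash, signature) pairs, as a TLS 1.2 client advertises.
CURVES = list(range(1, 26))
SIG_ALGS = [(h, s) for h in (6, 5, 4, 3, 2) for s in (1, 3, 2)]


def _u8(n): return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]


def sni_extension(hostname):
    """server_name extension (type 0): a list holding one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name
    data = _u16(len(entry)) + entry
    return _u16(0x0000) + _u16(len(data)) + data


def supported_groups_extension(curves):
    """elliptic_curves extension (type 10)."""
    body = b"".join(_u16(c) for c in curves)
    data = _u16(len(body)) + body
    return _u16(0x000A) + _u16(len(data)) + data


def signature_algorithms_extension(pairs):
    """signature_algorithms extension (type 13)."""
    body = b"".join(bytes((h, s)) for h, s in pairs)
    data = _u16(len(body)) + body
    return _u16(0x000D) + _u16(len(data)) + data


def build_client_hello(version, cipher_suites, extensions=(), random_bytes=None):
    """Return one TLS record carrying a ClientHello handshake message."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    suites = b"".join(_u16(c) for c in cipher_suites)
    body = (_u16(version) + rnd + _u8(0)            # client_version, random, empty session id
            + _u16(len(suites)) + suites
            + _u8(1) + _u8(0))                      # one compression method: null
    if extensions:
        ext = b"".join(extensions)
        body += _u16(len(ext)) + ext
    handshake = _u8(0x01) + _u24(len(body)) + body  # HandshakeType client_hello
    return _u8(0x16) + _u16(0x0301) + _u16(len(handshake)) + handshake


def summarize_client_hello(record):
    """Parse the record back and report the fields that drive its size."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]   # bytes after the 5-byte record header
    body = record[9:5 + rec_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34                                        # past version + 32-byte random
    pos += 1 + body[pos]                            # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # compression methods
    ext_types = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return {"record_length": rec_len, "version": version, "cipher_suites": suites,
            "extensions": ext_types, "over_255": rec_len > 255}


def example_sizes():
    """Trimmed hello vs. full TLS 1.2 hello, with a fixed random so sizes are reproducible."""
    fixed = bytes(32)
    small = build_client_hello(0x0303, SHORT_SUITES, random_bytes=fixed)
    big = build_client_hello(0x0303, LONG_SUITES,
                             [sni_extension("sourceforge.net"),
                              supported_groups_extension(CURVES),
                              signature_algorithms_extension(SIG_ALGS)],
                             random_bytes=fixed)
    return summarize_client_hello(small), summarize_client_hello(big)


if __name__ == "__main__":
    for label, info in zip(("trimmed", "full TLS 1.2"), example_sizes()):
        print(f"{label}: {info['record_length']} bytes, {len(info['cipher_suites'])} suites, "
              f"extensions {info['extensions']}, over 255: {info['over_255']}")
```

The trimmed hello comes to 51 bytes of record payload, the full one to 289, so the size threshold is crossed long before the cipher list reaches what a modern client offers; that is why both disabling TLS 1.1/1.2 (which drops the TLS 1.2-only suites and extensions) and simply cutting the cipher list bring a client back under it.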





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Tue, 27 Mar 2012 19:54:13 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 27 Mar 2012 19:54:13 GMT)

Message #35 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Louis-David Mitterrand <ldm@apartia.fr>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Tue, 27 Mar 2012 21:52:57 +0200
On Tue, Mar 27, 2012 at 09:39:50PM +0200, Kurt Roeckx wrote:
> 
> Anyway, there seem to be 3 different problems:
> - Servers that report BigIP as server.  They don't reply to
>   ClientHello requests that are bigger than 255 bytes.  Examples
>   include sourceforge.net and owa.mit.edu.
> - Servers that don't tolerate version numbers they don't support
>   while they are supposed to negotiate a lower version.  Examples
>   include boekhuis.nl.
> - paypal, where it currently isn't clear what the problem really is;
>   it seems to support TLS1.2, but reacts weirdly to 1.1.

So paypal really also seems to be the first case type, but acting
a little weird.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 28 Mar 2012 07:06:03 GMT)

Acknowledgement sent to Louis-David Mitterrand <ldm@apartia.fr>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 28 Mar 2012 07:06:03 GMT)

Message #40 received at 665452@bugs.debian.org (full text, mbox):

From: Louis-David Mitterrand <ldm@apartia.fr>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Wed, 28 Mar 2012 09:03:01 +0200
On Tue, Mar 27, 2012 at 09:52:57PM +0200, Kurt Roeckx wrote:
> On Tue, Mar 27, 2012 at 09:39:50PM +0200, Kurt Roeckx wrote:
> > 
> > Anyway, there seem to be 3 different problems:
> > - Servers that report BigIP as server.  They don't reply to
> >   ClientHello requests that are bigger than 255 bytes.  Examples
> >   include sourceforge.net and owa.mit.edu.
> > - Servers that don't tolerate version numbers they don't support
> >   while they are supposed to negotiate a lower version.  Examples
> >   include boekhuis.nl.
> > - paypal, where it currently isn't clear what the problem really is;
> >   it seems to support TLS1.2, but reacts weirdly to 1.1.
> 
> So paypal really also seems to be the first case type, but acting
> a little weird.

Just to add some context to the paypal problem: many scripting languages
use openssl and so this breaks the paypal payment API for any website
using these languages (in my case perl).




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Thu, 29 Mar 2012 11:45:02 GMT)

Acknowledgement sent to Colin Watson <cjwatson@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 29 Mar 2012 11:45:02 GMT)

Message #45 received at 665452@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@ubuntu.com>
To: Kurt Roeckx <kurt@roeckx.be>, 665452@bugs.debian.org
Cc: Louis-David Mitterrand <ldm@apartia.fr>
Subject: Re: Bug#665452: [Pkg-openssl-devel] Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Thu, 29 Mar 2012 12:41:01 +0100
On Tue, Mar 27, 2012 at 09:39:50PM +0200, Kurt Roeckx wrote:
> Anyway, there seem to be 3 different problems:
> - Servers that report BigIP as server.  They don't reply to
>   ClientHello requests that are bigger than 255 bytes.  Examples
>   include sourceforge.net and owa.mit.edu.
> - Servers that don't tolerate version numbers they don't support
>   while they are supposed to negotiate a lower version.  Examples
>   include boekhuis.nl.
> - paypal, where it currently isn't clear what the problem really is;
>   it seems to support TLS1.2, but reacts weirdly to 1.1.

There are some more examples in this Ubuntu bug:

  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371

I'm not sure which category www.mediafire.com falls into.

-- 
Colin Watson                                       [cjwatson@ubuntu.com]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Thu, 29 Mar 2012 19:45:04 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 29 Mar 2012 19:45:04 GMT)

Message #50 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Colin Watson <cjwatson@ubuntu.com>
Cc: 665452@bugs.debian.org, Louis-David Mitterrand <ldm@apartia.fr>
Subject: Re: Bug#665452: [Pkg-openssl-devel] Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Thu, 29 Mar 2012 21:43:17 +0200
On Thu, Mar 29, 2012 at 12:41:01PM +0100, Colin Watson wrote:
> On Tue, Mar 27, 2012 at 09:39:50PM +0200, Kurt Roeckx wrote:
> > Anyway, there seem to be 3 different problems:
> > - Servers that report BigIP as server.  They don't reply to
> >   ClientHello requests that are bigger than 255 bytes.  Examples
> >   include sourceforge.net and owa.mit.edu.
> > - Servers that don't tolerate version numbers they don't support
> >   while they are supposed to negotiate a lower version.  Examples
> >   include boekhuis.nl.
> > - paypal, where it currently isn't clear what the problem really is;
> >   it seems to support TLS1.2, but reacts weirdly to 1.1.
> 
> There are some more examples in this Ubuntu bug:
> 
>   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
> 
> I'm not sure which category www.mediafire.com falls into.

The second case.  This can also be tested on https://www.ssllabs.com/ssldb/

And facebook seems to fall in the first case.  I'm guessing this is some kind
of firewall issue.


Kurt
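Sorting a site into the cases Kurt describes (silent drop of the hello, version intolerance, or a server that negotiates down correctly) comes down to what the server's first reply looks like after a low-version and a high-version ClientHello. The following Python block is an added example, not code from the bug report, from OpenSSL or from the ssllabs test: it classifies one reply record and then maps the pair of outcomes onto the thread's categories. The ServerHello and alert records are constructed inside the block; wiring it to a real socket would mean sending the hello, reading with a timeout, and passing `None` on timeout, `b""` on a closed connection, or the bytes received. Note that in such a probe the lower-version hello is also the smaller one, which is why the "no reply" outcome tracks the size-sensitive case.

```python
import struct

# Alert descriptions from RFC 5246 that matter for this diagnosis.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def make_server_hello(version, cipher_suite):
    """Constructed minimal ServerHello record: empty session id, null compression."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body   # HandshakeType server_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def make_alert(description, level=2):
    """Constructed alert record; level 2 is fatal."""
    return b"\x15" + struct.pack("!HH", 0x0301, 2) + bytes((level, description))


def classify_response(offered_version, response):
    """Classify the first thing that came back after a ClientHello offering offered_version.

    response is None if nothing arrived before a timeout, b"" if the peer just closed
    the connection, otherwise the first TLS record received.
    """
    if response is None:
        return ("no_reply", None)
    if response == b"":
        return ("closed", None)
    ctype = response[0]
    if ctype == 0x15 and len(response) >= 7:                 # alert record
        return ("alert", ALERT_NAMES.get(response[6], str(response[6])))
    if ctype == 0x16 and len(response) >= 11 and response[5] == 0x02:   # ServerHello
        server_version = struct.unpack("!H", response[9:11])[0]
        if server_version > offered_version:
            # A server may only select a version the client actually offered.
            return ("bogus_version", server_version)
        return ("negotiated", server_version)
    return ("unknown", ctype)


def diagnose(results):
    """Map {offered_version: response} from a low and a high offer onto the thread's cases."""
    outcome = {v: classify_response(v, r)[0] for v, r in results.items()}
    low, high = min(results), max(results)
    if outcome[low] == "negotiated" and outcome[high] == "no_reply":
        return "silent drop of the newer (and larger) ClientHello, the BigIP-style case"
    if outcome[low] == "negotiated" and outcome[high] in ("alert", "closed"):
        return "version intolerant: rejects the offered version instead of negotiating down"
    if all(o == "negotiated" for o in outcome.values()):
        return "tolerant: negotiates a supported version"
    return "inconclusive: " + ", ".join(f"{v:#06x}={o}" for v, o in sorted(outcome.items()))


if __name__ == "__main__":
    # Three constructed scenarios, one per category.
    scenarios = {
        "hangs on TLS 1.2 hello": {0x0301: make_server_hello(0x0301, 0x002F), 0x0303: None},
        "alerts on TLS 1.2 hello": {0x0301: make_server_hello(0x0301, 0x002F),
                                    0x0303: make_alert(70)},
        "picks TLS 1.1": {0x0301: make_server_hello(0x0301, 0x002F),
                          0x0303: make_server_hello(0x0302, 0x002F)},
    }
    for name, results in scenarios.items():
        print(f"{name}: {diagnose(results)}")
```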





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sat, 21 Apr 2012 13:10:18 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Apr 2012 13:10:19 GMT)

Message #55 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Louis-David Mitterrand <ldm@apartia.fr>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com
Date: Sat, 21 Apr 2012 14:38:12 +0200
On Tue, Mar 27, 2012 at 10:42:18AM +0200, Louis-David Mitterrand wrote:
> Package: openssl
> Version: 1.0.1-2
> Followup-For: Bug #665452
> 
> I can no longer contact paypal on its ssl port with that 'upgrade' with
> perl, wget, w3m, etc. (all clients using openssl).
> 
> Going back to 1.0.0h fixes it.

The 1.0.1a version fixes the problem with paypal and facebook,
but as far as I know not any of the other sites that were reported
to have a problem.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Sat, 21 Apr 2012 13:10:20 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 21 Apr 2012 13:10:21 GMT)

Message #60 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Bastian Kleineidam <calvin@debian.org>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Date: Sat, 21 Apr 2012 14:48:25 +0200
On Sun, Mar 25, 2012 at 04:01:13AM +0200, Kurt Roeckx wrote:
> 
> That bug report mentions owa.mit.edu, which also responds with:
> Server: BigIP

So Derek Poon reported this:
| We run a site that uses the F5 Networks BIG-IP load balancer, and
| OpenSSL 1.0.1 triggers this bug on the load balancer.  When it
| occurs, the load balancer neither forwards the request to a pool
| member, nor does it respond to the OpenSSL client.  There are
| warning messages in the load balancer's /var/log/ltm file:

| warning tmm[5313]: 012f0002:4: WARN at ../modules/hudproxy/bigproto/pva/pva_frames.c:1234:Received illegal header padding 100 versus 2ff

| Working with F5 Networks tech support, we have determined that
| this is a known issue, which they track as Bug 376483.  It is
| fixed in the recently released BIG-IP LTM 10.2.4 software, though
| it is not mentioned in their release notes, and I confirm that TLS
| 1.2 connections no longer hang after upgrading to 10.2.4.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Mon, 23 Apr 2012 19:21:02 GMT)

Acknowledgement sent to Joar Wandborg <joar@wandborg.se>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 23 Apr 2012 19:21:03 GMT)

Message #65 received at 665452@bugs.debian.org (full text, mbox):

From: Joar Wandborg <joar@wandborg.se>
To: 665452@bugs.debian.org
Subject: openssl > 1.0.0 breaks python-cloudfiles
Date: Mon, 23 Apr 2012 21:16:34 +0200
I get the following errors in python

(mediagoblin)joar@lina:~/git/mediagoblin$ python
Python 2.7.2+ (default, Oct  4 2011, 20:06:09) 
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cloudfiles
>>> conn = cloudfiles.get_connection(username='blah', api_key='dah')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/joar/git/mediagoblin/local/lib/python2.7/site-packages/cloudfiles/__init__.py", line 98, in get_connection
    return Connection(*args, **kwargs)
  File "/home/joar/git/mediagoblin/local/lib/python2.7/site-packages/cloudfiles/connection.py", line 86, in __init__
    self._authenticate()
  File "/home/joar/git/mediagoblin/local/lib/python2.7/site-packages/cloudfiles/connection.py", line 92, in _authenticate
    (url, self.cdn_url, self.token) = self.auth.authenticate()
  File "/home/joar/git/mediagoblin/local/lib/python2.7/site-packages/cloudfiles/authentication.py", line 67, in authenticate
    conn.request('GET', '/' + self.uri, headers=self.headers)
  File "/usr/lib/python2.7/httplib.py", line 958, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 992, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 954, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 814, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 776, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1161, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib/python2.7/ssl.py", line 372, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 134, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
>>> cloudfiles.__version__
'1.7.9.3'




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Mon, 23 Apr 2012 21:13:23 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 23 Apr 2012 21:13:25 GMT)

Message #70 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Joar Wandborg <joar@wandborg.se>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl > 1.0.0 breaks python-cloudfiles
Date: Mon, 23 Apr 2012 23:10:36 +0200
On Mon, Apr 23, 2012 at 09:16:34PM +0200, Joar Wandborg wrote:
> I get the following errors in python
> 
> (mediagoblin)joar@lina:~/git/mediagoblin$ python
> Python 2.7.2+ (default, Oct  4 2011, 20:06:09) 
> [GCC 4.6.1] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import cloudfiles
> >>> conn = cloudfiles.get_connection(username='blah', api_key='dah')
[...]
>   File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
>     self._sslobj.do_handshake()
> ssl.SSLError: [Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

I'm not sure how this is relevant to the bug report?  I will
clearly need more details other than that it gives you an error,
like what site are you trying to connect to, what protocol do you
want to use?


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Tue, 24 Apr 2012 20:45:06 GMT)

Acknowledgement sent to ael <law_ence.dev@ntlworld.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 24 Apr 2012 20:45:06 GMT)

Message #75 received at 665452@bugs.debian.org (full text, mbox):

From: ael <law_ence.dev@ntlworld.com>
To: 665452@bugs.debian.org
Subject: SSL23_GET_SERVER_HELLO:unsupported protocol
Date: Tue, 24 Apr 2012 21:43:04 +0100
I also see this bug via offlineimap (python).

$ openssl s_client -connect imap.ntlworld.com:993

seems to work:

CONNECTED(00000003)
---
[...snip..]

subject=/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=imap.ntlworld.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4356 bytes and written 634 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : RC4-SHA
    Session-ID: 0FC06C3512C6AD1B71258E9A9E4586D55ECC3E521F8B3F61EB25EAEFA3F6FD11
    Session-ID-ctx: 
    Master-Key: 1AFB7A305271D34AA2BAC7AFF9EE2B0D2EAF336B8B993B732D43216790E351CC4138D986AD5C1C709ED9044E168CA041
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1335278032
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
* OK Virgin Media IMAP4 server ready [ e4c558782NTL ].

=================================================================================


Using offlineimap (version 6.5.3 -- current release; the debian package
is very old):-

$ ./offlineimap.py -a ntl
OfflineIMAP 6.5.3
  Licensed under the GNU GPL v2+ (v2 or any later version)
Account sync ntl:
 *** Processing account ntl
 Establishing connection to imap.ntlworld.com:993
 ERROR: Unknown SSL protocol connecting to host 'imap.ntlworld.com' forrepository 'ntlserv'. OpenSSL responded:
[Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
 *** Finished account 'ntl' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: Unknown SSL protocol connecting to host 'imap.ntlworld.com' forrepository 'ntlserv'. OpenSSL responded:
[Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

----------------------------------------------------------------------------------------------

With a little more debugging:
$ ./offlineimap.py --info -a ntl
OfflineIMAP 6.5.3
  Licensed under the GNU GPL v2+ (v2 or any later version)
Remote repository 'ntlserv': type 'Gmail'
Host: imap.ntlworld.com Port: 993 SSL: 1
Establishing connection to imap.ntlworld.com:993
Failed to connect. Reason Unknown SSL protocol connecting to host 'imap.ntlworld.com' forrepository 'ntlserv'. OpenSSL responded:
[Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
folderfilter= lambda foldername: foldername not in ['[Gmail]/All Mail','[Gmail]/Bin']

Establishing connection to imap.ntlworld.com:993
Traceback (most recent call last):
  File "./offlineimap.py", line 23, in <module>
    oi.run()
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/init.py", line 46, in run
    self.serverdiagnostics(options)
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/init.py", line 391, in serverdiagnostics
    account.serverdiagnostics()
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/accounts.py", line 176, in serverdiagnostics
    self.ui.serverdiagnostics(remote_repo, 'Remote')
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/ui/UIBase.py", line 397, in serverdiagnostics
    folders = repository.getfolders()
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/repository/IMAP.py", line 268, in getfolders
    imapobj = self.imapserver.acquireconnection()
  File "/usr/local/packages/offlineimap/spaetz-offlineimap-f2fe807/offlineimap/imapserver.py", line 333, in acquireconnection
    raise OfflineImapError(reason, severity)
offlineimap.error.OfflineImapError: Unknown SSL protocol connecting to host 'imap.ntlworld.com' forrepository 'ntlserv'. OpenSSL responded:
[Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

--------------------------------------------------------------------------------------------------

I hope this is of some help. See also bug 666449.

ael





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Tue, 24 Apr 2012 22:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 24 Apr 2012 22:09:04 GMT) Full text and rfc822 format available.

Message #80 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: ael <law_ence.dev@ntlworld.com>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: SSL23_GET_SERVER_HELLO:unsupported protocol
Date: Wed, 25 Apr 2012 00:06:58 +0200
On Tue, Apr 24, 2012 at 09:43:04PM +0100, ael wrote:
> I also see this bug via offlineimap (python).
> 
> $ openssl s_client -connect imap.ntlworld.com:993
[...]
>     Protocol  : TLSv1.1

There is a problem with sites that only support TLS v1.1.

The problem is that openssl 1.0.0 turned on a non-existing
option in SSL_OP_ALL, which the 1.0.1 version interprets as
disabling support for TLS 1.1.



Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 25 Apr 2012 08:33:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joar Wandborg <joar@wandborg.se>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 25 Apr 2012 08:33:08 GMT) Full text and rfc822 format available.

Message #85 received at 665452@bugs.debian.org (full text, mbox):

From: Joar Wandborg <joar@wandborg.se>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl > 1.0.0 breaks python-cloudfiles
Date: Wed, 25 Apr 2012 10:30:07 +0200
Hello, to replicate this error: install the python-cloudfiles package (i'm on wheezy), then
run:

#!/usr/bin/env python
import cloudfiles

connection = cloudfiles.get_connection(
    username='fakeusername',
    api_key='f7k34P1k3Y')


/Joar

On Mon, Apr 23, 2012 at 11:10:36PM +0200, Kurt Roeckx wrote:
> On Mon, Apr 23, 2012 at 09:16:34PM +0200, Joar Wandborg wrote:
> > I get the following errors in python
> > 
> > (mediagoblin)joar@lina:~/git/mediagoblin$ python
> > Python 2.7.2+ (default, Oct  4 2011, 20:06:09) 
> > [GCC 4.6.1] on linux2
> > Type "help", "copyright", "credits" or "license" for more information.
> > >>> import cloudfiles
> > >>> conn = cloudfiles.get_connection(username='blah', api_key='dah')
> [...]
> >   File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
> >     self._sslobj.do_handshake()
> > ssl.SSLError: [Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
> 
> I'm not sure how this is relevant to the bug report?  I will
> clearly need more details other than that it gives you an error,
> like what site are you trying to connect to, what protocol do you
> want to use?
> 
> 
> Kurt
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 25 Apr 2012 09:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joar Wandborg <joar@wandborg.se>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 25 Apr 2012 09:42:05 GMT) Full text and rfc822 format available.

Message #90 received at 665452@bugs.debian.org (full text, mbox):

From: Joar Wandborg <joar@wandborg.se>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl > 1.0.0 breaks python-cloudfiles
Date: Wed, 25 Apr 2012 11:37:53 +0200
After some wiresharking I've come to the conclusion that it is the host
auth.api.rackspacecloud.com:443 that is requested.

This is the output of a command similar to those mentioned before in this
bug:


joar@lina:~/git/mediagoblin$ openssl s_client -connect auth.api.rackspacecloud.com:443
CONNECTED(00000004)
depth=0 C = US, O = auth.api.rackspacecloud.com, OU = GT47404894, OU = See www.geotrust.com/resources/cps (c)09, OU = Domain Control Validated - QuickSSL(R), CN = auth.api.rackspacecloud.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, O = auth.api.rackspacecloud.com, OU = GT47404894, OU = See www.geotrust.com/resources/cps (c)09, OU = Domain Control Validated - QuickSSL(R), CN = auth.api.rackspacecloud.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, O = auth.api.rackspacecloud.com, OU = GT47404894, OU = See www.geotrust.com/resources/cps (c)09, OU = Domain Control Validated - QuickSSL(R), CN = auth.api.rackspacecloud.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=auth.api.rackspacecloud.com/OU=GT47404894/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL(R)/CN=auth.api.rackspacecloud.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDSDCCArGgAwIBAgIDC+cgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzEwMTEzNDU0WhcNMTQwNzExMDI1NzU5
WjCB0jELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG2F1dGguYXBpLnJhY2tzcGFjZWNs
b3VkLmNvbTETMBEGA1UECxMKR1Q0NzQwNDg5NDExMC8GA1UECxMoU2VlIHd3dy5n
ZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwcyAoYykwOTEvMC0GA1UECxMmRG9tYWlu
IENvbnRyb2wgVmFsaWRhdGVkIC0gUXVpY2tTU0woUikxJDAiBgNVBAMTG2F1dGgu
YXBpLnJhY2tzcGFjZWNsb3VkLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA3RHT8usNdod+LpWCuGUPlHirMrqfbbpDdn5YJWEsnnCoH7JX0g0fLZXRsidF
XkE4wktgUeOLblbQN7pOXj/cEiiRwD9cUsUDKnkzBshTOVN91UGq36KUuC5PsmzO
T4Mx7747AdNRYA2G1oFZCgQDL9NGLp+ravl1gi2TAGwyyAsCAwEAAaOBrjCBqzAO
BgNVHQ8BAf8EBAMCBPAwHQYDVR0OBBYEFO+L8KgBgmIm8XOp1vHP12Y00sraMDoG
A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2Vj
dXJlY2EuY3JsMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOBgQAgiQGt
u3sNBuEvxwFAUgDkEgXNz5gBH+Y1szcmpp2OxW1NWHYT31Fif/tB7d9qT8ssjr9G
uWC3sPqR/logqqE1zRWQIixaNvhX3bTUIPcxBTqVG+/HZRYJznhbWe5KCZ6Q9PpM
Q1p/YaYUhpmG6ROHfpBXugtpe6/dlTGgeQb4QA==
-----END CERTIFICATE-----
subject=/C=US/O=auth.api.rackspacecloud.com/OU=GT47404894/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL(R)/CN=auth.api.rackspacecloud.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1001 bytes and written 506 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : RC4-SHA
    Session-ID: D1E0F026A4954B03CAC3790825543A153CD06AE39C0571C6347756CACD12CE74
    Session-ID-ctx: 
    Master-Key: A1584B09A7125A765DB851C46E842090697CB5556FFB1733F35B493ED309586AB94577B3F237C5F66AC479F1236A5B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1335346375
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

Looks like the TLSv1.1 error you mentioned.

/Joar

On Mon, Apr 23, 2012 at 11:10:36PM +0200, Kurt Roeckx wrote:
> On Mon, Apr 23, 2012 at 09:16:34PM +0200, Joar Wandborg wrote:
> > I get the following errors in python
> > 
> > (mediagoblin)joar@lina:~/git/mediagoblin$ python
> > Python 2.7.2+ (default, Oct  4 2011, 20:06:09) 
> > [GCC 4.6.1] on linux2
> > Type "help", "copyright", "credits" or "license" for more information.
> > >>> import cloudfiles
> > >>> conn = cloudfiles.get_connection(username='blah', api_key='dah')
> [...]
> >   File "/usr/lib/python2.7/ssl.py", line 296, in do_handshake
> >     self._sslobj.do_handshake()
> > ssl.SSLError: [Errno 1] _ssl.c:503: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
> 
> I'm not sure how this is relevant to the bug report?  I will
> clearly need more details other than that it gives you an error,
> like what site are you trying to connect to, what protocol do you
> want to use?
> 
> 
> Kurt
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 25 Apr 2012 13:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to ael <law_ence.dev@ntlworld.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 25 Apr 2012 13:06:03 GMT) Full text and rfc822 format available.

Message #95 received at 665452@bugs.debian.org (full text, mbox):

From: ael <law_ence.dev@ntlworld.com>
To: 665452@bugs.debian.org
Subject: SSL_OP_ALL option: status
Date: Wed, 25 Apr 2012 14:02:12 +0100
> The problem is that openssl 1.0.0 turned on a non-existing
> option in SSL_OP_ALL, which the 1.0.1 version interprets as
> disabling support for TLS 1.1.

Is this to be fixed (upstream?) soon? Or is a debian patch needed?
It is worrying to have to use an old version when several security fixes
have been subsequently applied.

Googling suggests that there are many and various people hitting the
problem.

ael





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 25 Apr 2012 16:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 25 Apr 2012 16:45:03 GMT) Full text and rfc822 format available.

Message #100 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Joar Wandborg <joar@wandborg.se>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: openssl > 1.0.0 breaks python-cloudfiles
Date: Wed, 25 Apr 2012 18:41:44 +0200
On Wed, Apr 25, 2012 at 11:37:53AM +0200, Joar Wandborg wrote:
>     Protocol  : TLSv1.1

So that's one of the known issues.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Wed, 25 Apr 2012 16:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 25 Apr 2012 16:48:06 GMT) Full text and rfc822 format available.

Message #105 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: ael <law_ence.dev@ntlworld.com>, 665452@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#665452: SSL_OP_ALL option: status
Date: Wed, 25 Apr 2012 18:44:56 +0200
On Wed, Apr 25, 2012 at 02:02:12PM +0100, ael wrote:
> > The problem is that openssl 1.0.0 turned on a non-existing
> > option in SSL_OP_ALL, which the 1.0.1 version interprets as
> > disabling support for TLS 1.1.
> 
> Is this to be fixed (upstream?) soon? Or is a debian patch needed?
> It is worrying to have to use an old version when several security fixes
> have been subsequently applied.

I've opened a bug report upstream about this:
http://rt.openssl.org/Ticket/Display.html?id=2802&user=guest&pass=guest


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Fri, 27 Apr 2012 09:09:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guo Yixuan <culu.gyx@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 27 Apr 2012 09:09:32 GMT) Full text and rfc822 format available.

Message #110 received at 665452@bugs.debian.org (full text, mbox):

From: Guo Yixuan <culu.gyx@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>, 665452@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Subject: Re: [Pkg-openssl-devel] Bug#665452: SSL_OP_ALL option: status
Date: Fri, 27 Apr 2012 17:01:19 +0800
Should we close this bug?

openssl (1.0.1b-1) unstable; urgency=high

  * New upstream version
    - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
      can talk to servers supporting TLS 1.1 but not TLS 1.2
    - Drop rc4_hmac_md5.patch, applied upstream

 -- Kurt Roeckx <kurt@roeckx.be>  Thu, 26 Apr 2012 23:34:34 +0200


Cheers,
Guo Yixuan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Fri, 27 Apr 2012 15:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Scott Barker <scott@mostlylinux.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 27 Apr 2012 15:18:03 GMT) Full text and rfc822 format available.

Message #115 received at 665452@bugs.debian.org (full text, mbox):

From: Scott Barker <scott@mostlylinux.ca>
To: 665452@bugs.debian.org
Subject: Re: libssl1.0.0: breaks HTTPS download of some sites
Date: Fri, 27 Apr 2012 09:07:06 -0600
[Message part 1 (text/plain, inline)]
For those people experiencing this problem with offlineimap, the attached
patch fixes the problem for me by forcing SSLv3 connections.

-- 
Scott Barker
Linux Consultant
scott@mostlylinux.ca
http://www.mostlylinux.ca
[imaplibutil.py.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Fri, 27 Apr 2012 16:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 27 Apr 2012 16:06:03 GMT) Full text and rfc822 format available.

Message #120 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Guo Yixuan <culu.gyx@gmail.com>
Cc: 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: SSL_OP_ALL option: status
Date: Fri, 27 Apr 2012 18:03:52 +0200
On Fri, Apr 27, 2012 at 05:01:19PM +0800, Guo Yixuan wrote:
> Should we close this bug?
> 
> openssl (1.0.1b-1) unstable; urgency=high
> 
>   * New upstream version
>     - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
>       can talk to servers supporting TLS 1.1 but not TLS 1.2

Some bugs should probably be closed, like the one against irssi.
But this one was originally about sourceforge which is still an
issue.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#665452; Package libssl1.0.0. (Fri, 27 Apr 2012 16:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Fri, 27 Apr 2012 16:18:03 GMT) Full text and rfc822 format available.

Message #125 received at 665452@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Scott Barker <scott@mostlylinux.ca>, 665452@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites
Date: Fri, 27 Apr 2012 18:15:53 +0200
On Fri, Apr 27, 2012 at 09:07:06AM -0600, Scott Barker wrote:
> For those people experiencing this problem with offlineimap, the attached
> patch fixes the problem for me by forcing SSLv3 connections.

Please note that the issue with sites as imap.ntlworld.com has been
fixed in 1.0.0b-1


Kurt





Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Sun, 29 Apr 2012 17:33:04 GMT) Full text and rfc822 format available.

Notification sent to Bastian Kleineidam <calvin@debian.org>:
Bug acknowledged by developer. (Sun, 29 Apr 2012 17:33:04 GMT) Full text and rfc822 format available.

Message #130 received at 665452-done@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: 665452-done@bugs.debian.org, 666012-done@bugs.debian.org, 666051-done@bugs.debian.org
Subject: openssl 1.0.1 issues
Date: Sun, 29 Apr 2012 19:32:03 +0200
Version: 1.0.1b-1

Hi,

As far as I know with the 1.0.1b-1 version most of the issues have
been solved.  At least the following sites used to have a problem
and work now:
- paypal.com
- facebook.com
- sourceforge.net
- mediafire.com
- imap.ntlworld.com
- cloudfiles

As far as I know all remaining issues when using 1.0.1b are not
the fault of openssl, but of the other side.  This includes:
- Microsoft products just closing the connection when announcing
  support for TLS 1.1 or higher
- Servers using an old version of BigIP software

If you think there still is a problem in openssl, please file a
new bug.


Kurt
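
The following is an added illustration by the editor of this page, not code from OpenSSL, from Debian or from anyone in this thread. It models the two failure modes discussed above in one place: the SSL_OP_ALL bit collision Kurt explains in message #80 (a client built against 1.0.0 headers unknowingly sets the bit that 1.0.1/1.0.1a read as SSL_OP_NO_TLSv1_1, so the client offers TLS 1.2, the server answers TLS 1.1, and the client rejects its own answer with SSL23_GET_SERVER_HELLO:unsupported protocol), and the version-intolerant servers listed as remaining issues in the closing message (a server that closes the connection when the ClientHello announces TLS 1.1 or higher). The option-bit values are as the editor recalls them from the ssl.h headers of 1.0.0, 1.0.1/1.0.1a and 1.0.1b, and the negotiation logic is a deliberate simplification of ssl23_client_hello() and ssl23_get_server_hello(); treat both as assumptions. The names negotiate(), version_enabled() and the OP_*/NEG_* macros are the editor's, not OpenSSL's.

```c
/*
 * Editor's example, not OpenSSL code: a model of SSLv23-method client version
 * negotiation, enough to reproduce the outcomes reported in Debian bug #665452.
 * Constant values are recalled from the respective ssl.h headers (assumption).
 */
#include <stdio.h>

/* OpenSSL 1.0.0 ssl.h: SSL_OP_ALL covered 0x80000FFF, including the then
 * unassigned bit 0x400, which every SSL_OP_ALL user set without knowing it. */
#define OP_ALL_100            0x80000FFFL
/* OpenSSL 1.0.1 / 1.0.1a gave that unassigned bit a meaning. */
#define OP_NO_TLSv1_1_101     0x00000400L
/* OpenSSL 1.0.1b moved it out of the range covered by the old SSL_OP_ALL. */
#define OP_NO_TLSv1_1_101B    0x10000000L
#define OP_NO_TLSv1_2         0x08000000L
#define OP_NO_TLSv1           0x04000000L
#define OP_NO_SSLv3           0x02000000L

/* Protocol versions as carried on the wire. */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Failure outcomes of negotiate(); any positive result is the agreed version. */
#define NEG_UNSUPPORTED_PROTOCOL  0   /* client rejected the ServerHello version */
#define NEG_CONNECTION_CLOSED    -1   /* version-intolerant server dropped the hello */

/* Is `version` enabled under `options`, given that the *running* library reads
 * `no_tlsv1_1_bit` as SSL_OP_NO_TLSv1_1 (0x400 in 1.0.1a, 0x10000000 in 1.0.1b)? */
static int version_enabled(long options, long no_tlsv1_1_bit, int version)
{
    switch (version) {
    case SSL3_VERSION:   return !(options & OP_NO_SSLv3);
    case TLS1_VERSION:   return !(options & OP_NO_TLSv1);
    case TLS1_1_VERSION: return !(options & no_tlsv1_1_bit);
    case TLS1_2_VERSION: return !(options & OP_NO_TLSv1_2);
    default:             return 0;
    }
}

/*
 * Client offers its highest enabled version. A tolerant server answers with
 * min(offered, server_max); an intolerant one closes the connection when the
 * offer is newer than anything it knows. The client then accepts the answered
 * version only if that version is enabled locally, otherwise it fails the way
 * ssl23_get_server_hello() does: "unsupported protocol".
 */
int negotiate(long client_options, long no_tlsv1_1_bit, int server_max, int server_intolerant)
{
    static const int order[] = { TLS1_2_VERSION, TLS1_1_VERSION, TLS1_VERSION, SSL3_VERSION };
    int offered = 0, answered, i;

    for (i = 0; i < 4; i++) {
        if (version_enabled(client_options, no_tlsv1_1_bit, order[i])) {
            offered = order[i];
            break;
        }
    }
    if (offered == 0)
        return NEG_UNSUPPORTED_PROTOCOL;            /* nothing left to offer */
    if (server_intolerant && offered > server_max)
        return NEG_CONNECTION_CLOSED;
    answered = offered < server_max ? offered : server_max;
    return version_enabled(client_options, no_tlsv1_1_bit, answered)
               ? answered : NEG_UNSUPPORTED_PROTOCOL;
}

static const char *describe(int result)
{
    switch (result) {
    case NEG_UNSUPPORTED_PROTOCOL: return "SSL23_GET_SERVER_HELLO:unsupported protocol";
    case NEG_CONNECTION_CLOSED:    return "connection closed by server";
    case TLS1_2_VERSION:           return "TLSv1.2";
    case TLS1_1_VERSION:           return "TLSv1.1";
    case TLS1_VERSION:             return "TLSv1";
    case SSL3_VERSION:             return "SSLv3";
    default:                       return "?";
    }
}

int main(void)
{
    /* The collision itself: the 1.0.0 SSL_OP_ALL mask contains the bit that
     * 1.0.1/1.0.1a read as SSL_OP_NO_TLSv1_1; the 1.0.1b value is outside it. */
    printf("1.0.0 SSL_OP_ALL & 1.0.1a SSL_OP_NO_TLSv1_1 = 0x%lx\n", OP_ALL_100 & OP_NO_TLSv1_1_101);
    printf("1.0.0 SSL_OP_ALL & 1.0.1b SSL_OP_NO_TLSv1_1 = 0x%lx\n", OP_ALL_100 & OP_NO_TLSv1_1_101B);

    /* curl/offlineimap built against 1.0.0 headers, loaded with each library. */
    printf("TLS1.1-only server, lib 1.0.1a: %s\n", describe(negotiate(OP_ALL_100, OP_NO_TLSv1_1_101,  TLS1_1_VERSION, 0)));
    printf("TLS1.1-only server, lib 1.0.1b: %s\n", describe(negotiate(OP_ALL_100, OP_NO_TLSv1_1_101B, TLS1_1_VERSION, 0)));
    printf("TLS1.2 server,      lib 1.0.1a: %s\n", describe(negotiate(OP_ALL_100, OP_NO_TLSv1_1_101,  TLS1_2_VERSION, 0)));
    printf("TLS1.0 server,      lib 1.0.1a: %s\n", describe(negotiate(OP_ALL_100, OP_NO_TLSv1_1_101,  TLS1_VERSION,   0)));

    /* A binary built against 1.0.1a headers that deliberately set 0x400 to
     * disable TLS 1.1 loses that intent under 1.0.1b: TLS 1.1 is negotiated. */
    printf("1.0.1a-built NO_TLSv1_1 on 1.0.1b: %s\n", describe(negotiate(OP_NO_TLSv1_1_101, OP_NO_TLSv1_1_101B, TLS1_1_VERSION, 0)));

    /* Version-intolerant TLS1.0 server: fails whatever the library, until the
     * client caps its offer by disabling TLS 1.1 and 1.2 explicitly. */
    printf("intolerant TLS1.0 server:          %s\n", describe(negotiate(OP_ALL_100, OP_NO_TLSv1_1_101B, TLS1_VERSION, 1)));
    printf("  ... with NO_TLSv1_1|NO_TLSv1_2:  %s\n", describe(negotiate(OP_ALL_100 | OP_NO_TLSv1_1_101B | OP_NO_TLSv1_2, OP_NO_TLSv1_1_101B, TLS1_VERSION, 1)));
    return 0;
}
```

Build and run with `cc -Wall -o negotiate negotiate.c && ./negotiate`. Two practical points follow from the model. First, the 1.0.1b remap is a header change, so a binary compiled against 1.0.1 or 1.0.1a headers that explicitly set SSL_OP_NO_TLSv1_1 keeps sending 0x400, which 1.0.1b no longer reads as anything; such a program needs rebuilding to regain the option it meant to set. Second, the offlineimap workaround of forcing SSLv3 avoids the collision only by downgrading the whole connection below TLS 1.0; installing libssl 1.0.1b-1 removes the cause without giving up protocol versions, and capping the offered version (SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2) is the narrower workaround for the version-intolerant servers that remain.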





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Jun 2012 07:39:05 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 02:11:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.