Debian Bug report logs - #683159
[openssl] can't connect to hosts which allow only SSLv3


Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

Reported by: Olivier Bonvalet <ob.reportbug@daevel.fr>

Date: Sun, 29 Jul 2012 10:09:02 UTC

Severity: important

Found in versions openssl/1.0.1c-3, openssl/1.0.1f-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Sun, 29 Jul 2012 10:09:04 GMT)

Acknowledgement sent to Olivier Bonvalet <ob.reportbug@daevel.fr>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Jul 2012 10:09:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Olivier Bonvalet <ob.reportbug@daevel.fr>
To: submit@bugs.debian.org
Subject: [openssl] can't connect to hosts which allow only SSLv3
Date: Sun, 29 Jul 2012 12:02:41 +0200
Package: openssl
Version: 1.0.1c-3
Severity: important

--- Please enter the report below this line. ---

I can't connect to hosts which allow only SSLv3:

$ openssl s_client -connect www.ovh.com:443
CONNECTED(00000003)
139991546484392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


but by specifying "ssl3" on the command line, it works:

$ openssl s_client -connect www.ovh.com:443 -ssl3
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=424761419/1.3.6.1.4.1.311.60.2.1.3=FR/1.3.6.1.4.1.311.60.2.1.2=Nord/1.3.6.1.4.1.311.60.2.1.1=ROUBAIX/businessCategory=Private Organization/C=FR/postalCode=59100/ST=NORD/L=ROUBAIX/street=2 rue Kellermann/O=OVH/OU=0002 424761419/OU=Comodo EV SSL/CN=www.ovh.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
[...]
---
SSL handshake has read 5379 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 8635E8662D8A62507C15E8371C4E8121F317A17F15D749FE40112EA5FC022455
    Session-ID-ctx:
    Master-Key: D5035A130786444B3B08C7E522EA0805B80B461803F32554B1ABF98B9172ECBE98E9252C4A6840F8500C9913CAE85281
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1343556050
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---




Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy don't have any trouble.




--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable apt.daevel.fr
1 experimental apt.daevel.fr

--- Package information. ---
Depends (Version) | Installed
============================-+-=============
libc6 (>= 2.7) | 2.13-35
libssl1.0.0 (>= 1.0.1) | 1.0.1c-3
zlib1g (>= 1:1.1.4) | 1:1.2.7.dfsg-13


Package's Recommends field is empty.

Suggests (Version) | Installed
==============================-+-===========
ca-certificates | 20120623



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Sun, 29 Jul 2012 10:36:02 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Jul 2012 10:36:02 GMT)

Message #10 received at 683159@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Olivier Bonvalet <ob.reportbug@daevel.fr>, 683159@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3
Date: Sun, 29 Jul 2012 12:27:27 +0200
On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
> Package: openssl
> Version: 1.0.1c-3
> Severity: important
> 
> --- Please enter the report below this line. ---
> 
> I can't connect to hosts which allow only SSLv3 :
> 
> $ openssl s_client -connect www.ovh.com:443

This also works:
openssl s_client -no_tls1_1 -connect www.ovh.com:443
[...]
    Protocol  : TLSv1

> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy doesn't have any trouble.

Yes, the site you're talking to is broken.  Nothing we can do
about that other than disable TLS > 1.1, or retry with it
disabled.


Kurt
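
The manual experiment in this thread (the default handshake fails, a pinned older version such as `-ssl3` or `-no_tls1_1` succeeds) can be scripted into a version-intolerance check. This is an added example, not code from the bug report or from the Debian openssl package; `probe`, `tls_connect` and the `connect(lo, hi)` callable are assumed names, and SSLv3 is left out because current OpenSSL builds no longer offer it.

```python
import socket
import ssl

# Versions to try one at a time, oldest first.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def probe(connect, versions=VERSIONS):
    """connect(lo, hi) -> bool reports whether a handshake offering the
    version range lo..hi completes.  Returns (verdict, accepted_versions):
    'ok'                 the normal offer (every version) works;
    'version-intolerant' the normal offer fails but a single pinned
                         version works, i.e. the server breaks on a newer
                         ClientHello instead of negotiating down;
    'unreachable'        nothing works."""
    if connect(versions[0], versions[-1]):
        return "ok", []
    accepted = [v for v in versions if connect(v, v)]
    if accepted:
        return "version-intolerant", accepted
    return "unreachable", []

def tls_connect(host, port=443, timeout=5.0):
    """Build a real connect(lo, hi) for probe().  Certificate verification
    is disabled because only version handling is being diagnosed."""
    def connect(lo, hi):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Note: a pinned TLSv1/TLSv1.1 probe can fail because the local
        # OpenSSL refuses those versions at its security level, not
        # because the server rejected them.
        ctx.minimum_version = lo
        ctx.maximum_version = hi
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls.version() is not None
        except (ssl.SSLError, OSError):
            return False  # handshake failure, reset, or timeout (the hang case)
    return connect

if __name__ == "__main__":
    import sys
    verdict, accepted = probe(tls_connect(sys.argv[1]))
    print(verdict, [v.name for v in accepted])
```

A `version-intolerant` verdict means the fix belongs on the server; a client-side retry with newer versions disabled, as Kurt describes, should be a deliberate per-host decision rather than a silent downgrade.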




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Sun, 29 Jul 2012 12:06:06 GMT)

Acknowledgement sent to Olivier Bonvalet <ob.reportbug@daevel.fr>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Jul 2012 12:06:06 GMT)

Message #15 received at 683159@bugs.debian.org:

From: Olivier Bonvalet <ob.reportbug@daevel.fr>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 683159@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3
Date: Sun, 29 Jul 2012 13:58:09 +0200
On 29/07/2012 12:27, Kurt Roeckx wrote:
> On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
>> Package: openssl
>> Version: 1.0.1c-3
>> Severity: important
>>
>> --- Please enter the report below this line. ---
>>
>> I can't connect to hosts which allow only SSLv3 :
>>
>> $ openssl s_client -connect www.ovh.com:443
> This also works:
> openssl s_client -no_tls1_1 -connect www.ovh.com:443
> [...]
>     Protocol  : TLSv1
>
>> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy doesn't have any trouble.
> Yes, the site you're talking to is broken.  Nothing we can do
> about that other than disable TLS > 1.1, or retry with it
> disabled.
>
>
> Kurt
>
>

Thanks for the clarification Kurt. Just a question: why is it working from Debian Squeeze? Is it because in Debian Squeeze TLS > 1.1 is not compatible?

Olivier



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Sun, 29 Jul 2012 12:21:07 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Jul 2012 12:21:07 GMT)

Message #20 received at 683159@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Olivier Bonvalet <ob.reportbug@daevel.fr>
Cc: 683159@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3
Date: Sun, 29 Jul 2012 14:17:20 +0200
On Sun, Jul 29, 2012 at 01:58:09PM +0200, Olivier Bonvalet wrote:
> On 29/07/2012 12:27, Kurt Roeckx wrote:
> > On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
> >> Package: openssl
> >> Version: 1.0.1c-3
> >> Severity: important
> >>
> >> --- Please enter the report below this line. ---
> >>
> >> I can't connect to hosts which allow only SSLv3 :
> >>
> >> $ openssl s_client -connect www.ovh.com:443
> > This also works:
> > openssl s_client -no_tls1_1 -connect www.ovh.com:443
> > [...]
> >     Protocol  : TLSv1
> >
> >> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy doesn't have any trouble.
> > Yes, the site you're talking to is broken.  Nothing we can do
> > about that other than disable TLS > 1.1, or retry with it
> > disabled.
> >
> >
> > Kurt
> >
> >
> 
> Thanks for the clarification Kurt. Just a question : why is it working from Debian Squeeze ? Is it because in Debian Squeeze TLS > 1.1 is not compatible ?

openssl only supports TLS 1.1 since version 1.0.1, and squeeze has
a 0.9.8 version.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Sun, 29 Jul 2012 12:27:03 GMT)

Acknowledgement sent to Olivier Bonvalet <ob.reportbug@daevel.fr>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sun, 29 Jul 2012 12:27:03 GMT)

Message #25 received at 683159@bugs.debian.org:

From: Olivier Bonvalet <ob.reportbug@daevel.fr>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 683159@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3
Date: Sun, 29 Jul 2012 14:25:55 +0200
Ok, thanks again Kurt.

Sorry for the noise.

Olivier



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Wed, 03 Oct 2012 19:39:03 GMT)

Acknowledgement sent to Jim Paris <jim@jtan.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 03 Oct 2012 19:39:03 GMT)

Message #30 received at 683159@bugs.debian.org:

From: Jim Paris <jim@jtan.com>
To: 683159@bugs.debian.org
Subject: More details
Date: Wed, 3 Oct 2012 15:30:13 -0400
Upstream bug #2771 discusses this further:
  http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest

-jim




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Wed, 03 Oct 2012 19:39:05 GMT)

Acknowledgement sent to Jim Paris <jim@jtan.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 03 Oct 2012 19:39:05 GMT)

Message #35 received at 683159@bugs.debian.org:

From: Jim Paris <jim@jtan.com>
To: 683159@bugs.debian.org
Subject: workaround?
Date: Wed, 3 Oct 2012 15:26:16 -0400
Are there any workarounds for this, like an environment variable that
would tell openssl to use a particular TLS version?  I'm running into
sites that just hang, and openssl doesn't even return an error:

$ openssl s_client -connect my.t-mobile.com:443
CONNECTED(00000003)

.. no further output.  It works with -no_tls1_2 though.

This bug also seems like a duplicate of #678353

-jim



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Wed, 03 Oct 2012 21:57:03 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 03 Oct 2012 21:57:03 GMT)

Message #40 received at 683159@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Jim Paris <jim@jtan.com>, 683159@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#683159: workaround?
Date: Wed, 3 Oct 2012 23:55:34 +0200
On Wed, Oct 03, 2012 at 03:26:16PM -0400, Jim Paris wrote:
> Are there any workarounds for this, like an environment variable that
> would tell openssl to use a particular TLS version?  I'm running into
> sites that just hang, and openssl doesn't even return an error:
> 
> $ openssl s_client -connect my.t-mobile.com:443
> CONNECTED(00000003)
> 
> .. no further output.  It works with -no_tls1_2 though.

This bug is not about timeout issues, try #689529 or something
like that instead.

> This bug also seems like a duplicate of #678353

That bug is also totally unrelated to either of the 2 others.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Thu, 03 Jan 2013 13:03:03 GMT)

Acknowledgement sent to Allard Hoeve <allard@byte.nl>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 03 Jan 2013 13:03:03 GMT)

Message #45 received at 683159@bugs.debian.org:

From: Allard Hoeve <allard@byte.nl>
To: 683159@bugs.debian.org
Subject: Ubuntu has a couple of patches that "solve" the problem
Date: Thu, 3 Jan 2013 14:01:30 +0100
Hi there,

Ubuntu has released a few patches that alleviate the problem:

https://launchpad.net/ubuntu/+source/openssl/1.0.1c-4ubuntu2

   1. debian/patches/tls12_workarounds.patch

Best,

Allard

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#683159; Package openssl. (Wed, 22 Jan 2014 15:03:21 GMT)

Acknowledgement sent to Juan Ezquerro LLanes <juan@paynopain.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 22 Jan 2014 15:03:21 GMT)

Message #50 received at 683159@bugs.debian.org:

From: Juan Ezquerro LLanes <juan@paynopain.com>
To: Debian Bug Tracking System <683159@bugs.debian.org>
Subject: Re: [openssl] can't connect to hosts which allow only SSLv3
Date: Wed, 22 Jan 2014 15:52:09 +0100
Package: libssl1.0.0
Version: 1.0.1f-1
Followup-For: Bug #683159

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

   * What was the outcome of this action?

   * What outcome did you expect instead?

*** End of the template - remove these lines ***


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libc6                  2.17-97
ii  multiarch-support      2.17-97

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:31:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.