Hi, I'm on Mac running OS X 10.8.3 and have 2 versions of openssl installed:
Default:  OpenSSL 0.9.8r 8 Feb 2011
Homebrew: OpenSSL 1.0.1e 11 Feb 2013

My most recent version of ruby (1.9.3-p429) is linked with Homebrew's openssl and that's when I noticed I began having connection problems to a particular website.

Using 0.9.8r and running the following command:

openssl s_client -connect secure.networkmerchants.com:443

I get:

CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Illinois/businessCategory=Private Organization/serialNumber=61786708/C=US/ST=Illinois/L=Schaumburg/O=Network Merchants, Inc./OU=E-Commerce/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.networkmerchants.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Illinois/businessCategory=Private Organization/serialNumber=61786708/C=US/ST=Illinois/L=Schaumburg/O=Network Merchants, Inc./OU=E-Commerce/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.networkmerchants.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 4574 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 2391920E06BE003508356E08F2638FA0712B05D8C6EFB2DBD4744CC5E2A9EA72
    Session-ID-ctx:
    Master-Key: 84807A520CA2EE7DB5E0367B6DC4D8D3B6EB8F964CD78C6488BAD8D32E74E8DB974B1F9F48DBF3A13E2CE9442E6CFBE1
    Key-Arg   : None
    Start Time: 1369964978
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

However, using the latest version 1.0.1e, it hangs and eventually times out with the following:

CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 322 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I noticed there was a recent security bulletin and a fix in regards to CBC ciphers:

http://www.openssl.org/news/secadv_20130205.txt

I was curious if this security fix introduced a bug that has problems connecting to certain websites using a CBC cipher (e.g. secure.networkmerchants.com) or is there something incorrectly configured on this server?

Thanks!

//Toland (^_^x)
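
Added example, not part of the original post: a small Python parser that reduces the two s_client transcripts above to the fields worth comparing and reports how far each handshake got. The embedded transcripts are trimmed excerpts of the output quoted in the post; the names `summarize` and `classify` are hypothetical.

```python
import re
# Trimmed excerpts of the two s_client transcripts quoted in the post.
OLD_0_9_8R = """\
CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
SSL handshake has read 4574 bytes and written 448 bytes
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1
    Verify return code: 0 (ok)
"""
NEW_1_0_1E = """\
CONNECTED(00000003)
write:errno=54
no peer certificate available
SSL handshake has read 0 bytes and written 322 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

def _find(pattern, text, cast=str):
    m = re.search(pattern, text, re.M)
    return cast(m.group(1)) if m else None

def summarize(text):
    """Extract the handshake facts that matter when comparing two runs."""
    cipher = _find(r"Cipher is (\S+)", text)
    return {
        "io_errno": _find(r"^(?:write|read):errno=(\d+)", text, int),
        "bytes_read": _find(r"handshake has read (\d+) bytes", text, int),
        "bytes_written": _find(r"read \d+ bytes and written (\d+) bytes", text, int),
        "protocol": _find(r"^\s*Protocol\s*:\s*(\S+)", text),
        "cipher": None if cipher == "(NONE)" else cipher,
        "secure_renegotiation": "Secure Renegotiation IS supported" in text,
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+)", text)],
    }

def classify(s):
    """Say how far the handshake got, using only what s_client printed."""
    if s["cipher"]:
        return "handshake completed"
    if s["bytes_read"] == 0 and s["bytes_written"]:
        # The ClientHello went out and not one byte came back, so the
        # connection ended before any ServerHello or cipher selection.
        return "no reply to ClientHello"
    return "handshake failed after server replied"

for name, out in (("0.9.8r", OLD_0_9_8R), ("1.0.1e", NEW_1_0_1E)):
    print(name, "->", classify(summarize(out)))
```
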