Your message dated Tue, 27 Nov 2018 22:58:28 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#680137: libssl1.0.0: handshake 
failure (wrong cipher) since 1.0.1 (1.0.0h works)
has caused the Debian Bug report #680137,
regarding libssl1.0.0: handshake failure (wrong cipher) since 1.0.1 (1.0.0h 
works)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
680137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680137
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.0.0
Version: 1.0.1c-3
Severity: normal

Hi,

I've been having trouble connecting to an SSL-enabled ircd (ircd-hybrid-7.2.3nb3
IRC server with many options, on netbsd 6.0_beta2). I use irssi, but did all my
tests with openssl s_client to be sure.

The connection works with libssl1.0.0h, but every later version fails with the
error "wrong cipher". What's funny is that if I force the cipher that would
have been chosen with 1.0.0h when using 1.0.1, I can connect.

Also, FWIW, it is working on ubuntu 12.4 (openssl 1.0.1).

Here are some logs. They are anonymized, as this is a private IRC server.

******************************************************************************
******************* working :  1.0.0h (from snapshot.debian.org)  **************
******************************************************************************



openssl s_client -connect irc.example.net:994
CONNECTED(00000003)
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=irc.example.net/[email protected]
   i:/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=Example Root 
CA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=irc.example.net/[email protected]
issuer=/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=Example Root 
CA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1205 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: EA1227FD3AF94737B103C92D43B0B2C6E290374FECEAC0A8B268C9CD7EBFC22E
    Session-ID-ctx: 
    Master-Key: 
BB7067003E1899F894A3979EBE0704F9F82F240E560339BE136CFF3DCDC204FCFA716D34B4B2996C4E9A63AE623BEB67
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1341348684
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
:irc.example.net NOTICE AUTH :*** Looking up your hostname...
:irc.example.net NOTICE AUTH :*** Checking Ident
:irc.example.net NOTICE AUTH :*** Found your hostname
:irc.example.net NOTICE AUTH :*** No Ident response



******************************************************************************
******************* NOT working : starting with 1.0.1 (debian) ***************
******************************************************************************

~$ openssl s_client -connect irc.example.net:994
CONNECTED(00000003)
140721299515048:error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned:s3_clnt.c:952:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1341349387
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

******************************************************************************
******************* working :  1.0.1c-3 with cipher forced *******************
******************************************************************************

~$ openssl s_client -cipher AES256-SHA -connect irc.example.net:994
CONNECTED(00000003)
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Example State, L = Example City, O = Example, OU = 
Administration, CN = irc.example.net, emailAddress = [email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=irc.example.net/[email protected]
   i:/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=Example Root 
CA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=irc.example.net/[email protected]
issuer=/C=DE/ST=Example State/L=Example 
City/O=Example/OU=Administration/CN=Example Root 
CA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1352 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 6FB46912B3100F36394A4912C1FA5716B48FDA9806DC2EB3917FEA025CC6BC7B
    Session-ID-ctx: 
    Master-Key: 
4D2DC550326CA6A26E2B207256A2E2884D3445946882FD175E9AA62976A04B30FCF36A00C0AC48D75AFC5DB09FC65A19
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - ac 9f a7 8f 29 ff c0 aa-d1 e7 13 1e ef 3e 60 c6   ....)........>`.
    0010 - 63 8b 23 66 4e 67 f3 20-d5 93 2e 50 a4 c6 5d 57   c.#fNg. ...P..]W
    0020 - 43 ef fc e1 e0 03 f2 ab-95 8b df b3 a5 0c 0a 6f   C..............o
    0030 - 63 af 2e 5a b1 2d 2b 83-eb c2 3d fe 9f 3b 12 48   c..Z.-+...=..;.H
    0040 - b7 52 a3 da 52 25 c7 e6-fd 7e 54 8a 5c a6 e7 8e   .R..R%...~T.\...
    0050 - 7b f1 0b 22 2d 26 15 93-5b fb eb 12 43 9a 18 61   {.."-&..[...C..a
    0060 - 3b a8 a5 ca 41 13 1f 81-30 24 62 6f 91 9f d3 4e   ;...A...0$bo...N
    0070 - 77 cf 6e ac 89 5c 63 1f-27 f9 bd 55 08 6f 29 79   w.n..\c.'..U.o)y
    0080 - 15 89 cc 66 de b5 e2 19-58 4e f7 a3 cd 4e ee 91   ...f....XN...N..
    0090 - 9a 1d d3 1e ea 70 7d 93-6e 21 16 a5 e8 a3 73 6b   .....p}.n!....sk

    Start Time: 1341350230
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
:irc.example.net NOTICE AUTH :*** Looking up your hostname...
:irc.example.net NOTICE AUTH :*** Checking Ident
:irc.example.net NOTICE AUTH :*** Found your hostname


Tell me if you need more information. This is quite an annoying bug, I have to
downgrade to an old, possibly insecure version of openssl to connect to this
ircd.

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.44
ii  libc6                  2.13-34
ii  multiarch-support      2.13-34
ii  zlib1g                 1:1.2.7.dfsg-13

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded



--- End Message ---
--- Begin Message ---
On 2014-04-04 12:28:34 [+0200], Clement Hermann (nodens) wrote:
> The server admin fixed the issue by importing this commit in the 1.0.1c
> NetBSD version :
> http://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff;f=ssl/s3_pkt.c;h=dca345865a10a5fae10741e009676731181fc60d;hp=2d569cc1cedc5aa2bb0d0e7f876a22468e77950e;hb=c3b130338760a7e52656fd217d1d4c846e85cdff;hpb=5762f7778da56b9502534fd236007b9a1b0244d9
> 
> I think the issue is in the client as well, but fixing it on the server
> side is enough for it to work.

I'm closing since it looks like it never was a problem on the Debian
side from reading through the bug report.

> Cheers,

Sebastian

--- End Message ---
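
A triage helper for the three `openssl s_client` transcripts in the bug report above, added here as an example (not code from the reporter, Debian or OpenSSL): it extracts the handshake outcome from each transcript and diffs two runs. The embedded transcripts are constructed excerpts trimmed from the logs above, and `summarize` and `diff_runs` are hypothetical names.

```python
import re

# Constructed excerpts, trimmed from the three s_client transcripts in the report.
RUN_100H = """\
SSL handshake has read 1205 bytes and written 351 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
    Protocol  : SSLv3
    Cipher    : AES256-SHA
"""
RUN_101_DEFAULT = """\
140721299515048:error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned:s3_clnt.c:952:
SSL handshake has read 58 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
    Protocol  : TLSv1.1
    Cipher    : 0000
"""
RUN_101_FORCED = """\
SSL handshake has read 1352 bytes and written 316 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
"""

def summarize(transcript):
    """Extract the handshake outcome from `openssl s_client` output."""
    out = {"errors": [], "protocol": None, "cipher": None,
           "secure_reneg": None, "bytes_read": None}
    for line in transcript.splitlines():
        s = line.strip()
        m = re.match(r"\d+:error:([0-9A-Fa-f]+):[^:]*:([^:]*):([^:]*):", s)
        if m:  # OpenSSL error queue line: pid:error:code:lib:function:reason:file:line:
            out["errors"].append((m.group(2), m.group(3)))
        elif s.startswith("Protocol"):
            out["protocol"] = s.split(":", 1)[1].strip()
        elif s.startswith("Cipher") and ":" in s:
            out["cipher"] = s.split(":", 1)[1].strip()
        elif s.startswith("Secure Renegotiation"):
            out["secure_reneg"] = "IS NOT" not in s
        elif s.startswith("SSL handshake has read"):
            out["bytes_read"] = int(s.split()[4])
    out["completed"] = not out["errors"] and out["cipher"] not in (None, "0000")
    return out

def diff_runs(a, b):
    """Return {field: (a_value, b_value)} for every summary field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Diffing the 1.0.0h run against the forced-cipher 1.0.1c-3 run reports only the protocol version and the byte count, while the default 1.0.1 run is flagged as not completed with the `SSL3_GET_SERVER_HELLO` error.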