Hello Kurt,

Is there any news on this issue? I have reports of the same problem
from other Debian users, and only Debian users.

After upgrading the remote (NetBSD) box, the problem still occurs.
The issue is also still present in the current sid version.

We need to apply the Ubuntu patch to connect (attached), which seems to
disable the TLS 1.2 client altogether. I think this is enough; the second
part of the patch may not be needed.

Is there any way I can help fix this?

Cheers,

-- 
Clement Hermann (nodens)
- "Fresh air? Isn't that in RL? Isn't that against the charter?"
Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/

Please find my public key on the public keyserver pgp.mit.edu.

Description: Work around TLS 1.2 failures for some broken servers that
 "hang" if a client hello record length exceeds 255 bytes.
 .
    1. Set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. This will truncate
       the number of ciphers sent in the client hello.
    2. Set OPENSSL_NO_TLS1_2_CLIENT to disable TLS 1.2 client support
       entirely.
 
 Also, check TLS_get_client_version() rather than TLS1_get_versions() to avoid
 improper truncation of client hello cipher lists. This change has been
 forwarded upstream in rt #2881.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371
Bug-Debian: http://bugs.debian.org/665452
Bug: http://rt.openssl.org/Ticket/Display.html?id=2771
Bug: http://rt.openssl.org/Ticket/Display.html?id=2881
Forwarded: not-needed
Last-Update: 2012-10-04
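To make the numbers in the header concrete, here is an added Python example (not code from the Ubuntu patch, Debian or OpenSSL) that serializes a TLS ClientHello record in the RFC 5246 layout, applies the same cap rule as the s23_clnt.c hunk, and reports whether the record exceeds the 255-byte limit the header attributes to the broken servers. The suite ids and the client random are constructed placeholders, the legacy record-layer version is assumed to be TLS 1.0, and `sni_extension` is a helper written for this example. It shows that OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 is a byte count (25 two-byte suites, not 50 ciphers) and that extensions such as SNI add to the record length without being capped.

```python
import struct

# Constants taken from the patch header
TLS1_2_VERSION = 0x0303
TLS1_1_VERSION = 0x0302
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH = 50   # a byte count: 2 bytes per cipher suite
BROKEN_SERVER_LIMIT = 255               # record length the header says some servers choke on


def capped_cipher_bytes(cipher_bytes_len, cap=OPENSSL_MAX_TLS1_2_CIPHER_LENGTH,
                        client_version=TLS1_2_VERSION):
    """Same rule as the s23_clnt.c hunk: cap the cipher-suite byte length only
    when the advertised client version is TLS 1.2 or higher, and round the cap
    down to an even value so no 2-byte suite id is cut in half."""
    if client_version >= TLS1_2_VERSION and cipher_bytes_len > cap:
        return cap & ~1
    return cipher_bytes_len


def sni_extension(hostname):
    """Helper (assumption, not from the patch): build a server_name extension
    (RFC 6066). Extensions lengthen the ClientHello but are not capped."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name (0)
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def client_hello_record(cipher_suites, extensions=b"", client_version=TLS1_2_VERSION, cap=None):
    """Serialize a TLS record carrying a ClientHello and return its bytes.
    cipher_suites: iterable of 16-bit suite ids; cap: optional byte cap applied
    exactly as the patch does (keeps the first suites of the list)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    if cap is not None:
        suites = suites[:capped_cipher_bytes(len(suites), cap, client_version)]
    client_random = bytes(range(32))            # constructed placeholder; only its length matters
    body = struct.pack("!H", client_version)
    body += client_random
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    # Record header: ContentType handshake, legacy record version TLS 1.0 (assumption)
    record = b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake
    return record


def exceeds_broken_server_limit(record):
    """True when the serialized record is longer than the 255-byte limit."""
    return len(record) > BROKEN_SERVER_LIMIT


if __name__ == "__main__":
    long_list = list(range(1, 105))   # 104 constructed suite ids = 208 bytes of cipher list
    for label, cap in (("uncapped", None), ("capped at 50 bytes", OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)):
        rec = client_hello_record(long_list, sni_extension("example.com"), cap=cap)
        print(f"{label}: {len(rec)} bytes, exceeds {BROKEN_SERVER_LIMIT}: "
              f"{exceeds_broken_server_limit(rec)}")
```

Running the block prints the two record sizes for a 104-suite list with an SNI extension: the uncapped hello is well over 255 bytes, the capped one is not. Because the truncation simply keeps the first suites, the order of the configured cipher list decides which suites are still offered after the cut, and a hello with a long list of extensions can still exceed the limit even with the cap in place.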

Index: openssl-1.0.1c/Configure
===================================================================
--- openssl-1.0.1c.orig/Configure	2012-10-03 23:59:05.235548667 -0700
+++ openssl-1.0.1c/Configure	2012-10-04 10:34:23.076454592 -0700
@@ -106,7 +106,7 @@
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 
 # There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
-my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
+my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50";
 $debian_cflags =~ s/\n/ /g;
 
 my $strict_warnings = 0;
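Review bot: Appending -DOPENSSL_NO_TLS1_2_CLIENT to $debian_cflags disables TLS 1.2 client support for every program linked against the packaged libssl, which is far broader than the broken-server workaround the description targets, and a build-time define cannot be switched off per application; consider leaving it out of the default flags (or stating the trade-off in the header) and relying on the cipher-length cap, which the s23_clnt.c hunk applies only when the client version is TLS 1.2 or higher, so with the client disabled -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 is dead code. The header also says "Forwarded: not-needed" while the description says the second part was forwarded upstream in rt #2881; one of the two should be corrected.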
Index: openssl-1.0.1c/ssl/s23_clnt.c
===================================================================
--- openssl-1.0.1c.orig/ssl/s23_clnt.c	2012-10-03 23:46:22.967530550 -0700
+++ openssl-1.0.1c/ssl/s23_clnt.c	2012-10-04 10:33:13.820452946 -0700
@@ -491,7 +491,7 @@
 			 * as hack workaround chop number of supported ciphers
 			 * to keep it well below this if we use TLS v1.2
 			 */
-			if (TLS1_get_version(s) >= TLS1_2_VERSION
+			if (TLS1_get_client_version(s) >= TLS1_2_VERSION
 				&& i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
 				i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
 #endif
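Review bot: The `& ~1` in `i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;` shows that `i` is a byte length of 2-byte cipher suite ids, so the value 50 keeps at most 25 suites, not 50 ciphers as step 1 of the description reads; please fix the description and add a comment here that the truncation keeps the first entries of the configured list, so the suites an administrator wants offered must sort ahead of the cut. The switch from TLS1_get_version(s) to TLS1_get_client_version(s) is the right check for the version actually advertised in the hello, but the surrounding `#endif` shows the whole block is compile-time only, which is what forces the library-wide choice in the Configure hunk.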
