On Fri, Sep 13, 2013 at 5:54 PM, Justin Karneges <[email protected]> wrote:
> Okay, it's definitely something at the polarssl level. I was able to
> replicate the issue simply with one of polarssl's own tests. I've reported
> here:
>
> https://github.com/polarssl/polarssl/issues/30
>
> Could very well be a bug in Chrome, too. But at this point it seems
> Mongrel2 itself is in the clear.

Further investigation reveals this is very likely a bug in Chrome, which advertises the TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ciphersuite but then fails if the server decides to use it. It is even possible that this is a protocol violation, since Chrome only supports TLS 1.1 but this ciphersuite was not introduced until 1.2. Other servers seem to recognize this (for example OpenSSL refuses to use this ciphersuite if TLS 1.1 is negotiated and will instead choose a different ciphersuite), so perhaps there is a PolarSSL improvement to be made here. I've reported it upstream.

In the meantime, and in case PolarSSL never implements a workaround, the only option is to explicitly avoid use of the above ciphersuite in Mongrel2. This can be done with the ssl_cipher_suites config option, so no patching is necessary.

By default, PolarSSL supports the following ciphersuites, in order:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

If we remove the SHA2+ suites, then we end up with:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

This happens to be the exact list of configurable ciphersuites in Mongrel2.

In Mongrel2-speak, that list would be this:

SSL_EDH_RSA_AES_256_SHA
SSL_EDH_RSA_AES_128_SHA
SSL_EDH_RSA_CAMELLIA_256_SHA
SSL_EDH_RSA_CAMELLIA_128_SHA
SSL_EDH_RSA_DES_168_SHA
SSL_RSA_AES_256_SHA
SSL_RSA_CAMELLIA_256_SHA
SSL_RSA_AES_128_SHA
SSL_RSA_CAMELLIA_128_SHA
SSL_RSA_DES_168_SHA
SSL_RSA_RC4_128_SHA
SSL_RSA_RC4_128_MD5

In option form, that becomes:

"ssl_ciphers": "SSL_EDH_RSA_AES_256_SHA SSL_EDH_RSA_AES_128_SHA SSL_EDH_RSA_CAMELLIA_256_SHA SSL_EDH_RSA_CAMELLIA_128_SHA SSL_EDH_RSA_DES_168_SHA SSL_RSA_AES_256_SHA SSL_RSA_CAMELLIA_256_SHA SSL_RSA_AES_128_SHA SSL_RSA_CAMELLIA_128_SHA SSL_RSA_DES_168_SHA SSL_RSA_RC4_128_SHA SSL_RSA_RC4_128_MD5"

(that's all one line, with ciphersuites separated by spaces)

So, there you go.

Justin
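
The selection behaviour described in the message above, as an added Python example that is not part of the original message and is not PolarSSL, OpenSSL or Mongrel2 code. It contrasts a server that ignores the negotiated protocol version with one that skips TLS 1.2-only suites, and shows that trimming the preference list has the same effect; the function names, the shortened preference list and the client offer are constructed for illustration.

```python
# Added illustration: server-side ciphersuite selection with a version gate.
LEGACY, TLS11, TLS12 = (3, 0), (3, 2), (3, 3)  # protocol versions as on the wire

# Shortened copy of the server preference order quoted in the message.
SERVER_PREFS = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Constructed offer: a TLS 1.1 client that still lists a TLS 1.2-only suite.
CLIENT_OFFER = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

def min_version(suite):
    """Suites ending in _SHA256/_SHA384 (SHA-2 CBC and GCM) need TLS 1.2."""
    return TLS12 if suite.endswith(("_SHA256", "_SHA384")) else LEGACY

def select_suite(server_prefs, client_offer, negotiated, version_aware=True):
    """Return the first server-preferred suite that the client offered.

    With version_aware=True, suites that need a newer protocol than the
    negotiated one are skipped; with False, the version is ignored.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite not in offered:
            continue
        if version_aware and min_version(suite) > negotiated:
            continue
        return suite
    return None  # no usable common suite: the handshake would fail

def legacy_only(server_prefs):
    """Preference list with the TLS 1.2-only suites removed (config workaround)."""
    return [s for s in server_prefs if min_version(s) < TLS12]

if __name__ == "__main__":
    print("ignoring version:", select_suite(SERVER_PREFS, CLIENT_OFFER, TLS11, False))
    print("version-aware:   ", select_suite(SERVER_PREFS, CLIENT_OFFER, TLS11))
    print("trimmed list:    ", select_suite(legacy_only(SERVER_PREFS), CLIENT_OFFER, TLS11, False))
```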
