Re: LibreSSL 2.2 fails to connect to webdav.yandex.com

2015-06-13 Thread Joel Sing
On Tuesday 09 June 2015, Alexey Ivanov wrote:
  On Jun 6, 2015, at 5:31 AM, Joel Sing j...@sing.id.au wrote:
 
  On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
  Hello,
 
  LibreSSL 2.2 (openbsd-current) fails to connect to
  https://webdav.yandex.com.
 
  OpenSSL 1.0.1m from OpenBSD packages does succeed.
 
  Yandex is the largest search engine in Russia. The webdav.yandex.com
  site is for accessing their file-hosting service.
 
  System info:
 
  $ uname -a
  OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
  $ dmesg | head -n 1
  OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
 
  [snip]
 
  The issue is due to the remote end not being RFC compliant and failing to
  complete a TLS handshake when it does not recognise TLS signature
  algorithms (sigalgs) that are being advertised by the client. In this
  case the new signature algorithms are related to GOST - almost the
  definition of irony...

 GOST… lol indeed =)

  If you want to verify this for yourself, you can comment out the GOST
  related entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections
  to www.yandex.com work without issue, so it would seemingly be the
  particular HTTP server that is being used for this service - I would
  recommend contacting Yandex and reporting the issue to them.

 He just did - Yandex is a heavy BSD user, so many people there are reading
 tech@ and freebsd-hackers@. Some brave souls even subscribed to
 trolls@^Wmisc@!

 Back to the problem itself, as far as I know they are aware of it. In the
 meantime, while they are busy solving it on their side, you may want to
 limit the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list`
 before `SSL_do_handshake`.

Except that would not have made any difference - currently the list of 
signature algorithms is static and not dependent on the cipher suites 
selected.

 PS. Anyway, next time you probably want to report libressl-related problems
 to the recently announced libre...@openbsd.org [1].

 [1] http://comments.gmane.org/gmane.os.openbsd.tech/42319
-- 

Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard



Re: LibreSSL 2.2 fails to connect to webdav.yandex.com

2015-06-13 Thread Alexey Ivanov

 On Jun 13, 2015, at 4:00 PM, Joel Sing j...@sing.id.au wrote:
 
 On Tuesday 09 June 2015, Alexey Ivanov wrote:
 On Jun 6, 2015, at 5:31 AM, Joel Sing j...@sing.id.au wrote:
 
 On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
 Hello,
 
 LibreSSL 2.2 (openbsd-current) fails to connect to
 https://webdav.yandex.com.
 
 OpenSSL 1.0.1m from OpenBSD packages does succeed.
 
 Yandex is the largest search engine in Russia. The webdav.yandex.com
 site is for accessing their file-hosting service.
 
 System info:
 
 $ uname -a
 OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
 $ dmesg | head -n 1
 OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
 
 [snip]
 
 The issue is due to the remote end not being RFC compliant and failing to
 complete a TLS handshake when it does not recognise TLS signature
 algorithms (sigalgs) that are being advertised by the client. In this
 case the new signature algorithms are related to GOST - almost the
 definition of irony...
 
 GOST… lol indeed =)
 
 If you want to verify this for yourself, you can comment out the GOST
 related entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections
 to www.yandex.com work without issue, so it would seemingly be the
 particular HTTP server that is being used for this service - I would
 recommend contacting Yandex and reporting the issue to them.
 
 He just did - Yandex is a heavy BSD user, so many people there are reading
 tech@ and freebsd-hackers@. Some brave souls even subscribed to
 trolls@^Wmisc@!
 
 Back to the problem itself, as far as I know they are aware of it. In the
 meantime, while they are busy solving it on their side, you may want to
 limit the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list`
 before `SSL_do_handshake`.
 
 Except that would not have made any difference - currently the list of
 signature algorithms is static and not dependent on the cipher suites
 selected.
You are right indeed, my bad.

The only other quick workaround that I can think of is to use TLS1.1 instead 
(if that's acceptable from a security standpoint):
$ echo -n | /usr/local/Cellar/libressl/2.1.6/bin/openssl s_client -connect webdav.yandex.ru:443 -tls1_1 | fgrep DONE
DONE
 
 PS. Anyway, next time you probably want to report libressl-related problems
 to the recently announced libre...@openbsd.org [1].
 
 [1] http://comments.gmane.org/gmane.os.openbsd.tech/42319
 --
 
Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard





Re: LibreSSL 2.2 fails to connect to webdav.yandex.com

2015-06-08 Thread Alexey Ivanov

 On Jun 6, 2015, at 5:31 AM, Joel Sing j...@sing.id.au wrote:
 
 On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
 Hello,
 
 LibreSSL 2.2 (openbsd-current) fails to connect to
 https://webdav.yandex.com.
 
 OpenSSL 1.0.1m from OpenBSD packages does succeed.
 
 Yandex is the largest search engine in Russia. The webdav.yandex.com
 site is for accessing their file-hosting service.
 
 System info:
 
 $ uname -a
 OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
 $ dmesg | head -n 1
 OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
 
 [snip]
 
 The issue is due to the remote end not being RFC compliant and failing to
 complete a TLS handshake when it does not recognise TLS signature algorithms
 (sigalgs) that are being advertised by the client. In this case the new
 signature algorithms are related to GOST - almost the definition of irony...
 
GOST… lol indeed =)

 If you want to verify this for yourself, you can comment out the GOST related
 entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections to
 www.yandex.com work without issue, so it would seemingly be the particular
 HTTP server that is being used for this service - I would recommend
 contacting Yandex and reporting the issue to them.
He just did - Yandex is a heavy BSD user, so many people there are reading tech@ 
and freebsd-hackers@. Some brave souls even subscribed to trolls@^Wmisc@!

Back to the problem itself, as far as I know they are aware of it. In the 
meantime, while they are busy solving it on their side, you may want to limit 
the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list` before 
`SSL_do_handshake`.

PS. Anyway, next time you probably want to report libressl-related problems to 
the recently announced libre...@openbsd.org [1].

[1] http://comments.gmane.org/gmane.os.openbsd.tech/42319

 --
 
Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard
 





Re: LibreSSL 2.2 fails to connect to webdav.yandex.com

2015-06-06 Thread Joel Sing
On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
 Hello,

 LibreSSL 2.2 (openbsd-current) fails to connect to
 https://webdav.yandex.com.

 OpenSSL 1.0.1m from OpenBSD packages does succeed.

 Yandex is the largest search engine in Russia. The webdav.yandex.com
 site is for accessing their file-hosting service.

 System info:

 $ uname -a
 OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
 $ dmesg | head -n 1
 OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015

[snip]

The issue is due to the remote end not being RFC compliant and failing to 
complete a TLS handshake when it does not recognise TLS signature algorithms 
(sigalgs) that are being advertised by the client. In this case the new 
signature algorithms are related to GOST - almost the definition of irony... 

If you want to verify this for yourself, you can comment out the GOST related 
entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections to 
www.yandex.com work without issue, so it would seemingly be the particular 
HTTP server that is being used for this service - I would recommend 
contacting Yandex and reporting the issue to them.
-- 

Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard
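The mechanism Joel describes above (a TLS 1.2 client advertising signature_algorithms pairs the server does not recognise) and Alexey's TLS 1.1 workaround (a TLS 1.1 hello carries no signature_algorithms extension, so there is nothing for the server to choke on) can both be checked directly against the ClientHello bytes. The Python below is an added example, not code from the thread or from LibreSSL: it constructs a sample ClientHello, parses the extension back out and separates IANA-registered pairs from private ones, assuming the GOST code points 237-239 defined in the OpenSSL/LibreSSL GOST engine headers.

```python
import struct

# RFC 5246 HashAlgorithm / SignatureAlgorithm registries.
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# Private code points from the OpenSSL/LibreSSL GOST engine headers (assumed, see lead-in).
GOST_HASH = {237: "gostr3411", 238: "gostr34112012_256", 239: "gostr34112012_512"}
GOST_SIG = {237: "gostr34102001", 238: "gostr34102012_256", 239: "gostr34102012_512"}
SIGALGS_EXT = 13  # extension type: signature_algorithms

def build_client_hello(sigalgs):
    """Constructed sample TLS 1.2 ClientHello; sigalgs=None omits extensions (as TLS 1.1 would)."""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00")                              # one compression method: null
    if sigalgs is not None:
        pairs = b"".join(bytes([h, s]) for h, s in sigalgs)
        ext = struct.pack("!HHH", SIGALGS_EXT, len(pairs) + 2, len(pairs)) + pairs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sigalgs(record):
    """Return advertised (hash, sig) pairs, or None if signature_algorithms is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    p += 1 + record[p]                                  # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher suites
    p += 1 + record[p]                                  # compression methods
    if p >= len(record):
        return None                                     # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == SIGALGS_EXT:
            n = struct.unpack("!H", record[p:p + 2])[0]
            data = record[p + 2:p + 2 + n]
            return [(data[i], data[i + 1]) for i in range(0, n - 1, 2)]
        p += elen
    return None

def classify(pairs):
    """Registered pairs vs. non-standard ones (the latter trip a server that aborts on unknown pairs)."""
    std = [(HASH[h], SIG[s]) for h, s in pairs if h in HASH and s in SIG]
    odd = [(GOST_HASH.get(h, f"0x{h:02x}"), GOST_SIG.get(s, f"0x{s:02x}"))
           for h, s in pairs if h not in HASH or s not in SIG]
    return std, odd
```

Feeding a real capture's first record into parse_sigalgs shows which pairs a failing client sent; an empty second list from classify rules out this particular server-side fault.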