Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2016-03-13 Thread Sebastian Andrzej Siewior
As of 1.0.2g-1 I can connect to both sites mentioned in this bug report.
Furthermore, SSLv2 and SSLv3 are removed from openssl. Therefore I see no problem
here; I think that this bug could be closed.

Sebastian



Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2014-01-22 Thread Juan Ezquerro LLanes
Package: libssl1.0.0
Version: 1.0.1f-1
Followup-For: Bug #683159

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

   * What was the outcome of this action?

   * What outcome did you expect instead?

*** End of the template - remove these lines ***


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libc6  2.17-97
ii  multiarch-support  2.17-97

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2012-07-29 Thread Olivier Bonvalet
Package: openssl
Version: 1.0.1c-3
Severity: important

--- Please enter the report below this line. ---

I can't connect to hosts which allow only SSLv3 :

$ openssl s_client -connect www.ovh.com:443
CONNECTED(0003)
139991546484392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


but by specifying ssl3 on command line, it works :

$ openssl s_client -connect www.ovh.com:443 -ssl3
CONNECTED(0003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=424761419/1.3.6.1.4.1.311.60.2.1.3=FR/1.3.6.1.4.1.311.60.2.1.2=Nord/1.3.6.1.4.1.311.60.2.1.1=ROUBAIX/businessCategory=Private Organization/C=FR/postalCode=59100/ST=NORD/L=ROUBAIX/street=2 rue Kellermann/O=OVH/OU=0002 424761419/OU=Comodo EV SSL/CN=www.ovh.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
[...]
---
SSL handshake has read 5379 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher: AES256-SHA
Session-ID: 8635E8662D8A62507C15E8371C4E8121F317A17F15D749FE40112EA5FC022455
Session-ID-ctx:
Master-Key: D5035A130786444B3B08C7E522EA0805B80B461803F32554B1ABF98B9172ECBE98E9252C4A6840F8500C9913CAE85281
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1343556050
Timeout   : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---




Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel,
Chromium or Empathy don't have any trouble.




--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable apt.daevel.fr
1 experimental apt.daevel.fr

--- Package information. ---
Depends (Version) | Installed
-+-=
libc6 (= 2.7) | 2.13-35
libssl1.0.0 (= 1.0.1) | 1.0.1c-3
zlib1g (= 1:1.1.4) | 1:1.2.7.dfsg-13


Package's Recommends field is empty.

Suggests (Version) | Installed
==-+-===
ca-certificates | 20120623





Bug#683159: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2012-07-29 Thread Kurt Roeckx
On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
> Package: openssl
> Version: 1.0.1c-3
> Severity: important
>
> --- Please enter the report below this line. ---
>
> I can't connect to hosts which allow only SSLv3 :
>
> $ openssl s_client -connect www.ovh.com:443

This also works:
openssl s_client -no_tls1_1 -connect www.ovh.com:443
[...]
Protocol  : TLSv1

> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel,
> Chromium or Empathy don't have any trouble.

Yes, the site you're talking to is broken.  Nothing we can do
about that other than disable TLS 1.1, or retry with it
disabled.


Kurt





Bug#683159: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2012-07-29 Thread Olivier Bonvalet
On 29/07/2012 12:27, Kurt Roeckx wrote:
> On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
>> Package: openssl
>> Version: 1.0.1c-3
>> Severity: important
>>
>> --- Please enter the report below this line. ---
>>
>> I can't connect to hosts which allow only SSLv3 :
>>
>> $ openssl s_client -connect www.ovh.com:443
> This also works:
> openssl s_client -no_tls1_1 -connect www.ovh.com:443
> [...]
> Protocol  : TLSv1
>
>> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel,
>> Chromium or Empathy don't have any trouble.
> Yes, the site you're talking to is broken.  Nothing we can do
> about that other than disable TLS 1.1, or retry with it
> disabled.
>
>
> Kurt



Thanks for the clarification Kurt. Just a question : why is it working from
Debian Squeeze ? Is it because in Debian Squeeze TLS 1.1 is not compatible ?

Olivier





Bug#683159: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2012-07-29 Thread Kurt Roeckx
On Sun, Jul 29, 2012 at 01:58:09PM +0200, Olivier Bonvalet wrote:
> On 29/07/2012 12:27, Kurt Roeckx wrote:
>> On Sun, Jul 29, 2012 at 12:02:41PM +0200, Olivier Bonvalet wrote:
>>> Package: openssl
>>> Version: 1.0.1c-3
>>> Severity: important
>>>
>>> --- Please enter the report below this line. ---
>>>
>>> I can't connect to hosts which allow only SSLv3 :
>>>
>>> $ openssl s_client -connect www.ovh.com:443
>> This also works:
>> openssl s_client -no_tls1_1 -connect www.ovh.com:443
>> [...]
>> Protocol  : TLSv1
>>
>>> Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel,
>>> Chromium or Empathy don't have any trouble.
>> Yes, the site you're talking to is broken.  Nothing we can do
>> about that other than disable TLS 1.1, or retry with it
>> disabled.
>>
>>
>> Kurt
>
>
>
> Thanks for the clarification Kurt. Just a question : why is it working from
> Debian Squeeze ? Is it because in Debian Squeeze TLS 1.1 is not compatible ?

openssl only supports TLS 1.1 since version 1.0.1, and squeeze has
a 0.9.8 version.


Kurt
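
Added example (not part of the original thread, nor code from OpenSSL or Debian): shell functions for the diagnosis discussed in the messages above, comparing an `openssl s_client` attempt that offers all versions with one that does not offer TLS 1.1/1.2. The function names, the additional `-no_tls1_2` flag and the sample transcripts (constructed, abridged from the output quoted in this thread) are assumptions.

```shell
#!/bin/sh
# Added example: spot a version-intolerant TLS server from s_client output.

# Read an s_client transcript on stdin; print the negotiated protocol,
# or FAILED when no cipher was agreed (newer builds still print a
# "Protocol" line in that case, so the failure marker wins).
classify_handshake() {
    awk '
        /Cipher is \(NONE\)/     { failed = 1 }
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0 }
        END { if (failed || proto == "") print "FAILED"; else print proto }'
}

# $1 = result with default versions offered, $2 = result with the cap.
diagnose() {
    if [ "$1" != "FAILED" ]; then
        echo "ok: negotiated $1"
    elif [ "$2" != "FAILED" ]; then
        echo "version-intolerant: $2 works only when newer versions are not offered"
    else
        echo "other-failure: handshake fails with and without the cap"
    fi
}

# Live check against host:port (needs network).
probe() {
    d=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_handshake)
    c=$(openssl s_client -no_tls1_2 -no_tls1_1 -connect "$1" </dev/null 2>/dev/null |
        classify_handshake)
    diagnose "$d" "$c"
}

# Constructed transcripts, abridged from the output quoted in this thread.
sample_default() {
    printf '%s\n' 'CONNECTED(00000003)' 'no peer certificate available' \
        'SSL handshake has read 0 bytes and written 320 bytes' \
        'New, (NONE), Cipher is (NONE)'
}
sample_capped() {
    printf '%s\n' 'New, TLSv1/SSLv3, Cipher is AES256-SHA' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : AES256-SHA'
}

if [ -n "${1:-}" ]; then
    probe "$1"
else
    diagnose "$(sample_default | classify_handshake)" "$(sample_capped | classify_handshake)"
fi
```

Run with a `host:port` argument for a live check; with no argument it classifies the two constructed transcripts.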





Bug#683159: [Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

2012-07-29 Thread Olivier Bonvalet
Ok, thanks again Kurt.

Sorry for the noise.

Olivier

