On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
> Hello,
>
> LibreSSL 2.2 (openbsd-current) fails to connect to
> https://webdav.yandex.com.
>
> OpenSSL 1.0.1m from OpenBSD packages does succeed.
>
> Yandex is the largest search engine in Russia. The webdav.yandex.com
> site is for accessing their file-hosting service.
>
> System info:
>
> $ uname -a
> OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
> $ dmesg | head -n 1
> OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
>
[snip]

The issue is due to the remote end not being RFC compliant and failing to 
complete a TLS handshake when it does not recognise TLS signature algorithms 
(sigalgs) that are being advertised by the client. In this case the new 
signature algorithms are related to GOST - almost the definition of irony... 

If you want to verify this for yourself, you can comment out the GOST related 
entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections to 
www.yandex.com work without issue, so it would seemingly be the particular 
HTTP server that is being used for this service - I would recommend 
contacting Yandex and reporting the issue to them.
-- 

    "Action without study is fatal. Study without action is futile."
        -- Mary Ritter Beard
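
Added example, not part of the original message and not LibreSSL or Yandex code: a C sketch of how a server can process the TLS 1.2 signature_algorithms extension body (RFC 5246, section 7.4.1.4.1) so that unrecognised pairs are skipped rather than failing the handshake. The function name, the server's supported list and the sample bytes are assumptions; 0xEE/0xEF are constructed placeholders, not real GOST code points.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HashAlgorithm / SignatureAlgorithm values from RFC 5246, 7.4.1.4.1. */
enum { HASH_SHA1 = 2, HASH_SHA256 = 4, SIG_RSA = 1, SIG_ECDSA = 3 };

struct sigalg { uint8_t hash, sig; };

/* Pairs this hypothetical server can sign with. */
static const struct sigalg server_supported[] = {
    { HASH_SHA256, SIG_RSA }, { HASH_SHA256, SIG_ECDSA }, { HASH_SHA1, SIG_RSA },
};

/* Constructed extension body: 2-byte list length, then (hash, sig) pairs.
 * 0xEE/0xEF stand in for pairs the server has never heard of. */
static const uint8_t sample_ext[] = { 0x00, 0x06, 0xEE, 0xEE, 0xEF, 0xEF, 0x04, 0x01 };

/* Returns 1 and fills *out with the first client pair the server supports,
 * 0 if the list is well formed but has no overlap, -1 if it is malformed. */
int select_sigalg(const uint8_t *ext, size_t len, struct sigalg *out)
{
    size_t n = sizeof(server_supported) / sizeof(server_supported[0]);
    size_t list_len, i, j;
    if (len < 2)
        return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != len - 2 || list_len == 0 || list_len % 2 != 0)
        return -1;
    for (i = 2; i < len; i += 2) {
        for (j = 0; j < n; j++) {
            if (ext[i] == server_supported[j].hash &&
                ext[i + 1] == server_supported[j].sig) {
                *out = server_supported[j];
                return 1;
            }
        }
        /* Unknown pair: skip it and keep going, never abort here. */
    }
    return 0;
}

int main(void)
{
    struct sigalg got = { 0, 0 };
    int rc = select_sigalg(sample_ext, sizeof(sample_ext), &got);
    printf("rc=%d hash=%u sig=%u\n", rc, got.hash, got.sig);
    return rc == 1 ? 0 : 1;
}
```

A return of 0 is the case where a server would fall back or send a proper alert; only -1 indicates a genuinely malformed extension.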
