> On Jun 6, 2015, at 5:31 AM, Joel Sing <j...@sing.id.au> wrote: > > On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote: >> Hello, >> >> LibreSSL 2.2 (openbsd-current) fails to connect to >> https://webdav.yandex.com. >> >> OpenSSL 1.0.1m from OpenBSD packages does succeed. >> >> Yandex is the largest search engine in Russia. The webdav.yandex.com >> site is for accessing their file-hosting service. >> >> System info: >> >> $ uname -a >> OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64 >> $ dmesg | head -n 1 >> OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun 3 12:09:31 MDT 2015 >> > [snip] > > The issue is due to the remote end not being RFC compliant and failing to > complete a TLS handshake when it does not recognise TLS signature algorithms > (sigalgs) that are being advertised by the client. In this case the new > signature algorithms are related to GOST - almost the definition of irony... > GOST… lol indeed =)
> If you want to verify this for yourself, you can comment out the GOST related > entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections to > www.yandex.com work without issue, so it would seemingly be the particular > HTTP server that is being used for this service - I would recommend > contacting Yandex and reporting the issue to them. He just did - Yandex is heavy BSD user, so many people there are reading tech@ and freebsd-hackers@. Some brave souls even subscribed to trolls@^Wmisc@! Back to the problem itself, as far as I know they are aware of it. In the meantime, while they are busy solving it on their side, you may want to limit ciphersuites client is using by calling `SSL_CTX_set_cipher_list` before `SSL_do_handshake`. PS. Anyway, next time you probably want to report libressl-related problems to recently announced libre...@openbsd.org [1]. [1] http://comments.gmane.org/gmane.os.openbsd.tech/42319 > -- > > "Action without study is fatal. Study without action is futile." > -- Mary Ritter Beard >
signature.asc
Description: Message signed with OpenPGP using GPGMail