FS#13882 - [openssl] Connection failed

Attached to Project: Arch Linux
Opened by Rene (hit) - Thursday, 19 March 2009, 22:42 GMT
Last edited by Pierre Schmitz (Pierre) - Monday, 13 July 2009, 00:55 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Eric Belanger (Snowman)
Architecture All
Severity Medium
Priority Normal
Reported Version 2009.02
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Name : openssl
Version : 0.9.8j-1

Name : xchat
Version : 2.8.6-3

Connection failed. Error: (336151568) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Happens when trying to connect to SSL enabled server with Xchat
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Monday, 13 July 2009, 00:55 GMT
Reason for closing:  Fixed
Additional comments about closing:  or at least a workaround was added to deal with broken servers.
Comment by Giacomo Rizzo (alt-os) - Saturday, 28 March 2009, 14:11 GMT
I can confirm that, with openssl 0.9.8k-1.
The fact that pidgin is connecting without any problem to the same IRC server would male me prepend for an xchat bug...
Comment by Giacomo Rizzo (alt-os) - Thursday, 02 April 2009, 10:09 GMT
Is an OpenSSL bug:
SSLv2 works, SSLv3 doesn't.

[alt-os@shamash ~]$ openssl s_client -ssl3 -host crypto.azzurra.org -port 9999
CONNECTED(00000003)
9072:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
9072:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
[alt-os@shamash ~]$ openssl s_client -ssl2 -host crypto.azzurra.org -port 9999
CONNECTED(00000003)
depth=0 /C=IT/ST=Italia/L=Roma/O=Azzurra IRC Network/OU=tin.it IRC server/CN=tin.azzurra.org/CN=irc.azzurra.tin.it
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IT/ST=Italia/L=Roma/O=Azzurra IRC Network/OU=tin.it IRC server/CN=tin.azzurra.org/CN=irc.azzurra.tin.it
verify error:num=10:certificate has expired
notAfter=Apr 15 13:07:04 2008 GMT
verify return:1
depth=0 /C=IT/ST=Italia/L=Roma/O=Azzurra IRC Network/OU=tin.it IRC server/CN=tin.azzurra.org/CN=irc.azzurra.tin.it
notAfter=Apr 15 13:07:04 2008 GMT
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC0TCCAjqgAwIBAgIJAPi/mMlc+hlQMA0GCSqGSIb3DQEBBAUAMIGeMQswCQYD
VQQGEwJJVDEPMA0GA1UECBMGSXRhbGlhMQ0wCwYDVQQHEwRSb21hMRwwGgYDVQQK
ExNBenp1cnJhIElSQyBOZXR3b3JrMRowGAYDVQQLExF0aW4uaXQgSVJDIHNlcnZl
cjEYMBYGA1UEAxMPdGluLmF6enVycmEub3JnMRswGQYDVQQDExJpcmMuYXp6dXJy
YS50aW4uaXQwHhcNMDUwNzIwMTMwNzA0WhcNMDgwNDE1MTMwNzA0WjCBnjELMAkG
A1UEBhMCSVQxDzANBgNVBAgTBkl0YWxpYTENMAsGA1UEBxMEUm9tYTEcMBoGA1UE
ChMTQXp6dXJyYSBJUkMgTmV0d29yazEaMBgGA1UECxMRdGluLml0IElSQyBzZXJ2
ZXIxGDAWBgNVBAMTD3Rpbi5henp1cnJhLm9yZzEbMBkGA1UEAxMSaXJjLmF6enVy
cmEudGluLml0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5CkG2E3Qx7gym
M6XcTam9b8tuyMIsAz3xy1R5znHVp6VPthInXOZzzNLViUHrb62ksaTplumO1vAx
KEPzVKCm5GY7mFyYvClSmjSqRcCFbusIa/1Zlnb3QY1A8nw2CXdp6zF+o+4+JcWt
FRkrSGSGmC7vi+hemt/AbbpOIIBSwQIDAQABoxUwEzARBglghkgBhvhCAQEEBAMC
BkAwDQYJKoZIhvcNAQEEBQADgYEARLveGZ5snCe9XD/jJaLEtPBhpq4OTW/s+s0z
P6u2VQbq8aKzIO8Npag7CQ0ViT9IwBZLV2u8QkGhzQvv5zjvhXM8+Z3MjldBz881
DM7oLZKz8ne7PtrYN2NFWq4egNKsoNNQZDtH9WTfKqr1UglZzErd45Sn0krCP77z
gG/6I8w=
-----END CERTIFICATE-----
subject=/C=IT/ST=Italia/L=Roma/O=Azzurra IRC Network/OU=tin.it IRC server/CN=tin.azzurra.org/CN=irc.azzurra.tin.it
issuer=/C=IT/ST=Italia/L=Roma/O=Azzurra IRC Network/OU=tin.it IRC server/CN=tin.azzurra.org/CN=irc.azzurra.tin.it
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 858 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: 6A26436AF7843A429FEBD3C40DDA16F2
Session-ID-ctx:
Master-Key: 03B252F404783CC9E09E7EB9757616639A1538FF6EADCD15
Key-Arg : A32A44026893009A
Start Time: 1238668388
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
^C
[alt-os@shamash ~]$
Comment by Giacomo Rizzo (alt-os) - Thursday, 02 April 2009, 14:09 GMT
The problem is in the new SSL/TLS extensions, enabled by default since OpenSSL 0.9.8j. Passing the "-no_ticket" option to openssl s_client it works. The option can be disabled compiling with "no-tlsext"
Comment by Pierre Schmitz (Pierre) - Thursday, 28 May 2009, 22:00 GMT
I might be wrong here, but if I got it right its the client (of openssl) which has to handle this; not openssl itself. Did you report this to xchat?
Comment by Giacomo Rizzo (alt-os) - Friday, 29 May 2009, 13:34 GMT
I don't think it should be seen as an xchat upstream bug, since it kicks pidgin too, for example...
Comment by Pierre Schmitz (Pierre) - Tuesday, 02 June 2009, 19:58 GMT
You should report it anyway. It does not really look like a bug in openssl; at least a change in behaviour so that clients (xchat, pidgin) have to be updated.
Comment by Gerardo Exequiel Pozzi (djgera) - Thursday, 18 June 2009, 15:07 GMT
Xchat with SSL works fine here

Name : xchat
Version : 2.8.6-3
Name : openssl
Version : 0.9.8k-2


* Looking up irc.oftc.net
* Connecting to irc.geo.oftc.net (85.214.36.108) port 9999...
* * Certification info:
* Subject:
* CN=reticulum.oftc.net
* Issuer:
* O=Open and Free Technology Community
* OU=certification authority for irc
* CN=irc.ca.oftc.net
* emailAddress=support@oftc.net
* Public key algorithm: rsaEncryption (2048 bits)
* Sign algorithm sha1WithRSAEncryption
* Valid since Jul 22 11:25:49 2008 GMT to Jul 22 11:25:49 2009 GMT
* * Cipher info:
* Version: TLSv1/SSLv3, cipher AES256-SHA (256 bits)
* Connected. Now logging in...
...
* *** Connected securely via SSLv3 AES256-SHA-256
* Welcome to the OFTC Internet Relay Chat Network djgera
Comment by Mick Howe (Cheifchimp) - Thursday, 09 July 2009, 04:01 GMT
this bug is also affecting:

gyachi-1.1.71 & 1.2.1
openfire-3.6.3
NFS connections from my laptop running debian lenny and my archlinux server and desktop boxen
Comment by Gerardo Exequiel Pozzi (djgera) - Thursday, 09 July 2009, 07:08 GMT
mmmm, question for people that have problem: What procesor are the machines? Pentium III or below? I detected that there are some rutines in the code @ libcrypto.so that are SSE2. Anyway this will be fail with SIGILL, but maybe...

check with:
grep sse2 /proc/cpuinfo

Opening a bug report apart, for this  FS#15454 
Comment by Giacomo Rizzo (alt-os) - Thursday, 09 July 2009, 07:49 GMT
When the bug was submitted, I was running a 32bit core2duo processor.
At the moment, running a 64bit installation, the problem is still presenting.

Checking the host that Gerardo is suggesting (irc.geo.oftc.net) it's actually working fine: not with crypto.azzurra.org instead.
Comment by Gerardo Exequiel Pozzi (djgera) - Thursday, 09 July 2009, 08:21 GMT
@alt-os: OK, discarding it (sse2)

As you said in previous comments, passing -no_ticket solves the problem. Searching on the web I encountered this [#1], seems that is a problem when connection with servers that have and old/not fixed openssl version.

@Cheifchimp: You have a problem between your Debian and Arch Linux ? Or I understand bad ? In case of true, what is the openssl version that you have on the Debian machine?

[#1] http://www.nabble.com/openssl-0.9.8j-ssl3-connect-problem-td21453577.html
Comment by Pierre Schmitz (Pierre) - Thursday, 09 July 2009, 10:57 GMT
Even though this seems to be a server problem I might add a simple fix to the next openssl version. Please confirm if your problems are fixed with openssl 0.9.8k-3
Comment by Mick Howe (Cheifchimp) - Thursday, 09 July 2009, 23:22 GMT
I am experiencing this on:
Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz 64bit on desktop
fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm

Intel(R) Xeon(TM) CPU 2.80GHz (dual 32bit processors)
fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pebs bts cid xtpr
Comment by Mick Howe (Cheifchimp) - Thursday, 09 July 2009, 23:34 GMT
"@Cheifchimp: You have a problem between your Debian and Arch Linux ? Or I understand bad ?"
Yes, when I try to mount a directory hosted from my server or desktop running Arch on my laptop running debian lenny 5.0.2.

openssl-0.9.8g-15+lenny1
Comment by Mick Howe (Cheifchimp) - Monday, 13 July 2009, 00:33 GMT
I installed openssl k3 and gyachi is working

thankyou thankyou thankyou

Loading...