FS#30280 - [ddclient] Update over ssl fails

Attached to Project: Community Packages
Opened by Phillip Wood (phil) - Wednesday, 13 June 2012, 13:38 GMT
Last edited by Jonathan Steel (jsteel) - Wednesday, 23 January 2013, 20:41 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Jonathan Steel (jsteel)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Recently ddclient has been giving me this error

WARNING: cannot connect to dynupdate.no-ip.com:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problems error:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
FAILED: updating philandanna.no-ip.org: Could not connect to dynupdate.no-ip.com.


Additional info:
* package version(s)
ddclient 3.8.1-3
perl-net-ssleay 1.48-2
perl-io-socket-ssl 1.66-1

* config and/or log files etc.
/etc/ddclient/ddclient.conf

daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
ssl=yes # use ssl-support. Works with
# ssl-library
use=web
protocol=noip, login=xxxxxxx, password=xxxxx philandanna.no-ip.org
This task depends upon

Closed by  Jonathan Steel (jsteel)
Wednesday, 23 January 2013, 20:41 GMT
Reason for closing:  Works for me
Comment by Chris Brannon (cmb) - Thursday, 14 June 2012, 13:34 GMT
Interestingly enough, I can't connect to dynupdate.no-ip.com using
gnutls-cli or openssl s_client, either.
I'm sending along my typescript.
It looks to be no-ip's problem, rather than mine.
s_client claims that they aren't sending a peer certificate.
   typescript (0.6 KiB)
Comment by Chris Brannon (cmb) - Thursday, 14 June 2012, 14:00 GMT
If I force s_client to use TLSv1, everything works fine.
So here's my suggested temporary workaround, if you're feeling brave today.
Edit /usr/sbin/ddclient with your favorite text editor.
Go to line 1864. You'll find a right parenthesis.
It's the closing paren on the IO::Socket::SSL->new call.
Add this line just before that closing paren:

SSL_version => 'TLSv1',

And you should be good to go, at least for now.
I'm not sure how to turn this into a patch for ddclient. For that matter,
I'm not even sure that ddclient is the proper thing to patch.
Maybe this can be fixed in IO::Socket::SSL.

But please try my suggestion, and tell me if it works for you.
It did for me; I created a no-ip account to test.
Comment by Phillip Wood (phil) - Friday, 15 June 2012, 10:13 GMT
Thanks for getting back so quickly Chris, that fix works for me, I'm not sure what the best long term solution is though.
Comment by Romain D. (Artefact2) - Wednesday, 11 July 2012, 07:02 GMT
I am having the same issue as well:

WARNING: cannot connect to www.ovh.com:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problems error:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
FAILED: updating silmeria.artefact2.com: Could not connect to www.ovh.com.

The workaround Chris gave worked for me as well. I'm not sure where the issue comes from (OVH side, or my side?).
Comment by Chris Brannon (cmb) - Wednesday, 11 July 2012, 10:22 GMT
Honestly, from what I can tell, these are both server-side bugs.
Try connecting to ovh like this:

openssl s_client -connect 'www.ovh.com:443'

The SSL handshake will fail.
Same happens with
gnutls-cli -p 443 www.ovh.com

But this works:
openssl s_client -tls1 -connect 'www.ovh.com:443'

I'll hold this bug open for now.
Debian has a similar bug against ddclient. I want to see what they do.
Comment by Jonathan Steel (jsteel) - Thursday, 17 January 2013, 18:15 GMT
noip and ssl works for me. I think the problem is you have specified philandanna.no-ip.org and not mx=philandanna.no-ip.org. Please try adding mx=

Loading...