
Bug#680137: irssi: Can't connect to SSL-enabled server after upgrading libssl


Clement Hermann (nodens)

Jan 11, 2013, 9:30:01 AM
Hi,

With some more tests and some help from a friend, we made some progress.

It *does* work when adding -no_tls1_1 option to openssl s_client.

It works if the server allows renegotiation: I can connect to freenode.

It seems to be #665452 again, or a variant.

Anyway, that explains why it works in Ubuntu. The patch
tls12_workarounds.patch (attached) works around it (but I'm not
qualified to tell whether this is an acceptable solution or not).

The patch headers give some more information; I'll copy them here for
readability of the report:

-----patch header-----
Description: Work around TLS 1.2 failures for some broken servers that
"hang" if a client hello record length exceeds 255 bytes.
.
1. Set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. This will truncate
the number of ciphers sent in the client hello.
2. Set OPENSSL_NO_TLS1_2_CLIENT to disable TLS 1.2 client support
entirely.

Also, check TLS_get_client_version() rather than TLS1_get_versions() to avoid
improper truncation of client hello cipher lists. This change has been
forwarded upstream in rt #2881.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371
Bug-Debian: http://bugs.debian.org/665452
Bug: http://rt.openssl.org/Ticket/Display.html?id=2771
Bug: http://rt.openssl.org/Ticket/Display.html?id=2881
Forwarded: not-needed
Last-Update: 2012-10-04

-----End of patch header-----


Cheers.

--
Clement Hermann (nodens)
-- "Fresh air? Isn't that RL stuff? Isn't that off-charter?"
Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/

Please find my public key on the public keyserver pgp.mit.edu.
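The patch header above describes servers that hang when a TLS 1.2 ClientHello record exceeds 255 bytes. The following is an added example, not code from the thread, the Ubuntu patch or OpenSSL: it serializes a TLS 1.2 ClientHello from a constructed cipher list and extension set, reports the record length that the threshold is measured against, and finds the largest cipher list that still fits under it. The hostname, suite codes and extension contents are constructed placeholders, not what OpenSSL 1.0.1 actually sends.

```python
import struct

def _vec16(data: bytes) -> bytes:
    """Opaque vector with a 16-bit length prefix (TLS presentation language)."""
    return struct.pack(">H", len(data)) + data

def _ext(ext_type: int, data: bytes) -> bytes:
    """One extension: 16-bit type, 16-bit length, payload."""
    return struct.pack(">H", ext_type) + _vec16(data)

def build_client_hello(cipher_suites, extensions=()) -> bytes:
    """Serialize a TLS 1.2 ClientHello record (RFC 5246 7.4.1.2); random is zeros."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # client_version, random, empty session_id
    body += _vec16(b"".join(struct.pack(">H", c) for c in cipher_suites))
    body += b"\x01\x00"                        # compression_methods: null only
    if extensions:
        body += _vec16(b"".join(_ext(t, d) for t, d in extensions))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello, uint24 length
    return b"\x16\x03\x01" + _vec16(handshake)                  # record: handshake, version, length

def record_length(record: bytes) -> int:
    """The 16-bit length in the record header, i.e. what the 255-byte threshold refers to."""
    return struct.unpack(">H", record[3:5])[0]

def tls12_extensions(hostname: str, curves=range(1, 26)):
    """Constructed extension set: SNI, elliptic_curves (25 entries), ec_point_formats
    and the TLS 1.2-only signature_algorithms (15 hash/signature pairs).
    Sizes are illustrative placeholders, not a capture of a real client."""
    sni = _vec16(b"\x00" + _vec16(hostname.encode()))          # ServerNameList, host_name
    curve_list = _vec16(b"".join(struct.pack(">H", c) for c in curves))
    sig_algs = _vec16(b"".join(bytes([h, s]) for h in (2, 3, 4, 5, 6) for s in (1, 2, 3)))
    return [(0, sni), (10, curve_list), (11, b"\x01\x00"), (13, sig_algs)]

def max_suites_within(limit: int, extensions, pool) -> int:
    """Largest prefix of `pool` whose ClientHello record stays within `limit` bytes."""
    for n in range(len(pool), -1, -1):
        if record_length(build_client_hello(pool[:n], extensions)) <= limit:
            return n
    return 0

# Constructed placeholder suite codes; only their count matters for the record size.
POOL = list(range(1, 81))
EXTS = tls12_extensions("irc.example.org")

if __name__ == "__main__":
    for n in (80, 50, max_suites_within(255, EXTS, POOL)):
        print(n, "suites ->", record_length(build_client_hello(POOL[:n], EXTS)), "bytes")
```

With the constructed extension set a 50-suite list still produces a 267-byte record, so when checking a client against such a server it is the record length, not the suite count alone, that has to be measured; the TLS 1.2 extensions contribute as much as the cipher list does.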

John Morrissey

Apr 6, 2013, 2:10:01 PM
On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens) wrote:
> With some more tests and some help from a friend, we made some progress.
>
> It *does* work when adding -no_tls1_1 option to openssl s_client.
>
> It works if the server allows renegotiation: I can connect to freenode.
>
> It seems to be #665452 again, or a variant.
>
> Anyway, that explains why it works in ubuntu. The patch
> tls12_workarounds.patch (attached) works around it (but I'm not
> qualified to tell whether this is an acceptable solution or not).

I noticed the same thing with ircd-hybrid (rebuilt per the package's
instructions to enable SSL support) after upgrading to wheezy recently.

wheezy's irssi refused to connect to the ircd, which was running on the
local host and linked to the same version of OpenSSL:

140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:

After some trial and error, I realized that the cert I had been successfully
using with squeeze's ircd-hybrid was part of the problem. Removing the key
and cert and letting ircd-hybrid's maintainer scripts generate a default key
and cert allowed irssi to connect. AFAICT the only meaningful difference
between the two certs is that the non-working cert was cert format version
3 (0x2), whereas the autogenerated cert is format version 1 (0x0).

Also, patching wheezy's openssl 1.0.1e-2 with Ubuntu's
tls12_workarounds.patch allows the previous cert to work again.

john
--
John Morrissey _o /\ ---- __o
j...@horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__



Kurt Roeckx

Apr 6, 2013, 3:10:02 PM
On Sat, Apr 06, 2013 at 01:47:51PM -0400, John Morrissey wrote:
> On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens) wrote:
> > With some more tests and some help from a friend, we made some progress.
> >
> > It *does* work when adding -no_tls1_1 option to openssl s_client.
> >
> > It works if the server allows renegotiation: I can connect to freenode.
> >
> > It seems to be #665452 again, or a variant.
> >
> > Anyway, that explains why it works in ubuntu. The patch
> > tls12_workarounds.patch (attached) works around it (but I'm not
> > qualified to tell whether this is an acceptable solution or not).
>
> I noticed the same thing with ircd-hybrid (rebuilt per the package's
> instructions to enable SSL support) after upgrading to wheezy recently.
>
> wheezy's irssi refused to connect to the ircd, which was running on the
> local host and linked to the same version of OpenSSL:
>
> 140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:

Can you reproduce this problem with s_client trying to connect to
the irc server?

Looking at the hybrid source, it doesn't seem to contain any
calls to something like OpenSSL_add_all_algorithms(). My
guess would be that adding that call would fix the problem.


Kurt

John Morrissey

Apr 6, 2013, 6:30:01 PM
On Sat, Apr 06, 2013 at 09:07:50PM +0200, Kurt Roeckx wrote:
> On Sat, Apr 06, 2013 at 01:47:51PM -0400, John Morrissey wrote:
> > On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens) wrote:
> > > With some more tests and some help from a friend, we made some progress.
> > >
> > > It *does* work when adding -no_tls1_1 option to openssl s_client.
> > >
> > > It works if the server allows renegotiation: I can connect to
> > > freenode.
> > >
> > > It seems to be #665452 again, or a variant.
> > >
> > > Anyway, that explains why it works in ubuntu. The patch
> > > tls12_workarounds.patch (attached) works around it (but I'm not
> > > qualified to tell whether this is an acceptable solution or not).
> >
> > I noticed the same thing with ircd-hybrid (rebuilt per the package's
> > instructions to enable SSL support) after upgrading to wheezy recently.
> >
> > wheezy's irssi refused to connect to the ircd, which was running on the
> > local host and linked to the same version of OpenSSL:
> >
> > 140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
>
> Can you reproduce this problem with s_client trying to connect to
> the irc server?
>
> Looking at the hybrid source, it doesn't seem to contain any
> calls to something like OpenSSL_add_all_algorithms(). My
> guess would be that adding that call would fix the problem.

Hm, I tried just now, but couldn't reproduce with s_client. However, the
issue was still reproducible with irssi+openssl 1.0.1e.

john
--
John Morrissey _o /\ ---- __o
j...@horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__


Kurt Roeckx

Apr 6, 2013, 6:50:02 PM
On Sat, Apr 06, 2013 at 06:25:42PM -0400, John Morrissey wrote:
> On Sat, Apr 06, 2013 at 09:07:50PM +0200, Kurt Roeckx wrote:
> > On Sat, Apr 06, 2013 at 01:47:51PM -0400, John Morrissey wrote:
> > > On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens) wrote:
> > > > With some more tests and some help from a friend, we made some progress.
> > > >
> > > > It *does* work when adding -no_tls1_1 option to openssl s_client.
> > > >
> > > > It works if the server allows renegotiation: I can connect to
> > > > freenode.
> > > >
> > > > It seems to be #665452 again, or a variant.
> > > >
> > > > Anyway, that explains why it works in ubuntu. The patch
> > > > tls12_workarounds.patch (attached) works around it (but I'm not
> > > > qualified to tell whether this is an acceptable solution or not).
> > >
> > > I noticed the same thing with ircd-hybrid (rebuilt per the package's
> > > instructions to enable SSL support) after upgrading to wheezy recently.
> > >
> > > wheezy's irssi refused to connect to the ircd, which was running on the
> > > local host and linked to the same version of OpenSSL:
> > >
> > > 140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> >
> > Can you reproduce this problem with s_client trying to connect to
> > the irc server?
> >
> > Looking at the hybrid source, it doesn't seem to contain any
> > calls to something like OpenSSL_add_all_algorithms(). My
> > guess would be that adding that call would fix the problem.
>
> Hm, I tried just now, but couldn't reproduce with s_client. However, the
> issue was still reproducible with irssi+openssl 1.0.1e.

I tried connecting with irssi to something and that gave me a
working TLS 1.2 connection. I currently don't see irssi doing
anything wrong.

Do you have a public irc server I can try and connect to?


Kurt

John Morrissey

Apr 6, 2013, 8:50:01 PM
I dug into this a little more, and it turns out I *can't* reproduce it now,
even with 1.0.1e installed.

When I checked earlier today, I wasn't connecting to the ircd with the right
password. I have a super low reconns interval, so the initial connection
scrolled past, and subsequent connections failed with a handshake error.
I'm guessing that's due to irssi's misbehavior, since when I put gdb on the
ircd, it seemed to be working properly given the input irssi was sending.

I got the 'no shared ciphers' error above by modifying the ircd-hybrid
source to call ERR_print_errors_fp() in ssl_handshake(), so it was
definitely a problem at one point. I'm not sure why I can't reproduce now.

john
--
John Morrissey _o /\ ---- __o
j...@horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__

