Bug#338006: [Pkg-openssl-devel] Bug#338006: Doesn't seem to fix the problems with Nessus

Kurt Roeckx kurt at roeckx.be
Sun Feb 12 13:17:11 UTC 2006


On Sat, Feb 11, 2006 at 10:35:07PM +0100, Javier Fernández-Sanguino Peña wrote:
> 
> The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
> Nessus, actually, it makes it work since now the workaround of using a
> restricted set of ciphers no longer works either:

Are you sure the server has been restarted since the upgrade of
libssl0.9.8?

> If you try to connect the Nessus client with the server you get this:
> [26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure
> nessus : SSL error
> 
> And using the standard OpenSSL client:
> 
> $ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
> 	/var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
> CONNECTED(00000003)
> 26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1057:SSL alert number 40
> 26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:534:

There are various reasons why this can happen.  One reason
is that the client only uses ssl3 (as you did with -ssl3)
and that the server doesn't allow ssl3 connections.  I can
perfectly connect to it without problems if I drop the
-ssl3 from the s_client parameters.

The server has this code in it:
#define SSL_VER_DEF_NAME        "TLSv1"
#define SSL_VER_DEF_METH        TLSv1_server_method
[...]
          if (strcasecmp(ssl_ver, "SSLv2") == 0)
            ssl_mt = SSLv2_server_method();
          else if (strcasecmp(ssl_ver, "SSLv3") == 0)
            ssl_mt = SSLv3_server_method();
          else if (strcasecmp(ssl_ver, "SSLv23") == 0)
            ssl_mt = SSLv23_server_method();
          else if (strcasecmp(ssl_ver, "TLSv1") == 0)
            ssl_mt = TLSv1_server_method();
          else
            {
              fprintf(stderr, "Unknown SSL version \"%s\"\nSwitching to default " SSL_VER_DEF_NAME "\n", ssl_ver);
              ssl_ver = SSL_VER_DEF_NAME;
              ssl_mt = SSL_VER_DEF_METH();
            }

So it looks normal to me that if you use -ssl3 that it doesn't work.

(The client has the same code.)

Can you reproduce your problem using a combination of s_server and
s_client?  I've been trying to reproduce other problems, but I can't.

> So it seems that the fix introduced a different behaviour [1], but it's still
> broken.
> 
> Should be easy to reproduce, just install Nessus, make a certificate and try
> to connect to the Nessus server...

So I "just installed" nessus and nessusd, it seems to
connect without problems, it even asks me to validate the
certificate, but for some reason I can't log in.

I get:
[Sun Feb 12 14:13:15 2006][7916] Client requested protocol version 12.
[Sun Feb 12 14:13:15 2006][7916] bad login attempt from 127.0.0.1

So it seems to me the ssl part is working perfectly.


Kurt
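An added example, not part of this thread and not code from the Nessus or OpenSSL projects: a small Python decoder for the error lines quoted above. It splits the 8-hex-digit OpenSSL error code into its library, function and reason fields, and for SSL-library reason codes in the 1000 range (which pre-3.0 OpenSSL uses for an alert received from the peer, reason = 1000 + alert number) it recovers the TLS alert and cross-checks it against the "SSL alert number 40" trailer. The sample lines are the thread's own s_client and Nessus output rejoined onto single lines; the field layout and the alert table come from pre-3.0 OpenSSL and RFC 5246, and the function and dictionary key names are my own.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2.2). OpenSSL's trailing
# "SSL alert number N" is this code.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}

# Pre-3.0 OpenSSL packs an error as 8 hex digits LLFFFRRR:
# LL = library, FFF = function, RRR = reason. Library 0x14 (20) is ERR_LIB_SSL.
ERR_LIB_SSL = 0x14

# "[pid:]error:<8 hex>:<lib name>:<function>:<reason>[:<file>:<line>[:<extra>]]"
ERROR_RE = re.compile(
    r"(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::(?P<file>[^:]+):(?P<line>\d+))?(?::(?P<extra>.*))?"
)
ALERT_NUMBER_RE = re.compile(r"SSL alert number (\d+)")


def parse_openssl_error(line):
    """Decode one OpenSSL error line; return None if the line carries no error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    info = {
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "lib_code": code >> 24,
        "func_code": (code >> 12) & 0xFFF,
        "reason_code": code & 0xFFF,
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")) if m.group("line") else None,
    }
    # SSL-library reasons 1000..1255 mean "the peer sent alert (reason - 1000)":
    # 0x410 = 1040 is therefore alert 40, handshake_failure, sent by the server.
    if info["lib_code"] == ERR_LIB_SSL and 1000 <= info["reason_code"] < 1256:
        alert = info["reason_code"] - 1000
        info["alert_number"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "unknown")
    # Cross-check against the "SSL alert number N" trailer when it is present.
    trailer = ALERT_NUMBER_RE.search(m.group("extra") or "")
    info["reported_alert"] = int(trailer.group(1)) if trailer else None
    if trailer and "alert_number" in info:
        info["alert_consistent"] = info["alert_number"] == info["reported_alert"]
    return info


# Constructed sample: the output quoted in the thread, with the mail's line
# wrapping removed so each error sits on a single line.
SAMPLE_LINES = [
    "[26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert handshake failure",
    "26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake "
    "failure:s3_pkt.c:1057:SSL alert number 40",
    "26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake "
    "failure:s3_pkt.c:534:",
    "nessus : SSL error",
]


def decode_all(lines):
    """Return the decoded errors found in a batch of log lines, in order."""
    return [e for e in (parse_openssl_error(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in decode_all(SAMPLE_LINES):
        where = f"{e['file']}:{e['line']}" if e["file"] else "?"
        alert = f" alert {e['alert_number']} ({e['alert_name']})" if "alert_number" in e else ""
        print(f"{e['func']} lib=0x{e['lib_code']:02x} func=0x{e['func_code']:03x} "
              f"reason=0x{e['reason_code']:03x} at {where}:{alert}")
```

Reading the two s_client errors together: the SSL3_READ_BYTES entry decodes to a handshake_failure alert received from the server (the server refused the hello, which is what a TLSv1-only server does to a -ssl3 client), while the SSL3_WRITE_BYTES entry with reason 0x0E5 is the client's own, local follow-on failure rather than a second alert. When a handshake fails, the first entry of that shape tells you which side gave up and why; the later entries are usually consequences.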
