Bug#338006: [Pkg-openssl-devel] Bug#338006: Doesn't seem to fix the problems with Nessus
Kurt Roeckx
kurt at roeckx.be
Sun Feb 12 13:17:11 UTC 2006
On Sat, Feb 11, 2006 at 10:35:07PM +0100, Javier Fernández-Sanguino Peña wrote:
>
> The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
> Nessus, actually, it makes it work since now the workaround of using a
> restricted set of ciphers no longer works either:
Are you sure the server has been restarted since the upgrade of
libssl0.9.8?
> If you try to connect the Nessus client with the server you get this:
> [26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure
> nessus : SSL error
>
> And using the standard OpenSSL client:
>
> $ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
> /var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
> CONNECTED(00000003)
> 26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1057:SSL alert number 40
> 26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:534:
There are various reasons why this can happen. One reason
is that the client only uses ssl3 (as you did with -ssl3)
and that the server doesn't allow ssl3 connections. I can
perfectly connect to it without problems if I drop the
-ssl3 from the s_client parameters.
The server has this code in it:

    #define SSL_VER_DEF_NAME "TLSv1"
    #define SSL_VER_DEF_METH TLSv1_server_method
    [...]
    /* pick the server method from the configured version name */
    if (strcasecmp(ssl_ver, "SSLv2") == 0)
        ssl_mt = SSLv2_server_method();
    else if (strcasecmp(ssl_ver, "SSLv3") == 0)
        ssl_mt = SSLv3_server_method();
    else if (strcasecmp(ssl_ver, "SSLv23") == 0)
        ssl_mt = SSLv23_server_method();
    else if (strcasecmp(ssl_ver, "TLSv1") == 0)
        ssl_mt = TLSv1_server_method();
    else
    {
        /* unknown name: fall back to the TLSv1-only default method */
        fprintf(stderr, "Unknown SSL version \"%s\"\nSwitching to default "
                SSL_VER_DEF_NAME "\n", ssl_ver);
        ssl_ver = SSL_VER_DEF_NAME;
        ssl_mt = SSL_VER_DEF_METH();
    }
So it looks normal to me that it doesn't work if you use -ssl3.
(The client has the same code.)
Can you reproduce your problem using a combination of s_server and
s_client? I've been trying to reproduce other problems, but I can't.
> So it seems that the fix introduced a different behaviour [1], but it's still
> broken.
>
> Should be easy to reproduce, just install Nessus, make a certificate and try
> to connect to the Nessus server...
So I "just installed" nessus and nessusd, it seems to
connect without problems, it even asks me to validate the
certificate, but for some reason I can't log in.
I get:
[Sun Feb 12 14:13:15 2006][7916] Client requested protocol version 12.
[Sun Feb 12 14:13:15 2006][7916] bad login attempt from 127.0.0.1
So it seems to me the ssl part is working perfectly.
Kurt
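The s_server/s_client reproduction asked for in the message above, as an added example that is not part of the bug thread or of the Nessus or OpenSSL code: a server pinned to a single protocol version, like the TLSv1-only nessusd, rejects a client that is pinned to a different one, while a client speaking the server's version connects fine. It assumes an openssl CLI of 1.1.1 or newer and a free local port (14241 is an assumed value). SSLv3 no longer exists in modern OpenSSL, so the mismatch is generalised to TLS 1.2 versus TLS 1.3 rather than TLSv1 versus SSLv3.

```shell
#!/bin/sh
# Added reproduction script (not from the bug thread): pin openssl s_server to
# one protocol version and connect with an s_client pinned to another.
# Assumptions: openssl CLI 1.1.1+ (TLS 1.3 support), port 14241 is free.
set -e

PORT=14241   # assumed free local port; change it if it collides

# run_scenario SERVER_VERSION_FLAG CLIENT_VERSION_FLAG
# Prints "ok" when the handshake completes and "refused" when the server
# rejects it; the alert reported by the client is written to stderr.
run_scenario() {
    server_flag=$1
    client_flag=$2
    workdir=$(mktemp -d)

    # Throwaway self-signed certificate for the test server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1

    # Server restricted to a single protocol version, like the TLSv1-only nessusd.
    openssl s_server -accept "$PORT" -cert "$workdir/cert.pem" \
        -key "$workdir/key.pem" "$server_flag" -quiet >/dev/null 2>&1 &
    server_pid=$!
    sleep 1

    # Client restricted to its own version; 'Q' closes the session once connected.
    if printf 'Q\n' | openssl s_client -connect "127.0.0.1:$PORT" \
            "$client_flag" >/dev/null 2>"$workdir/client.err"; then
        result=ok
    else
        result=refused
        # e.g. "alert protocol version" (the modern equivalent of alert number 40)
        grep -o 'alert [a-z ]*' "$workdir/client.err" | head -n 1 >&2
    fi

    kill "$server_pid" 2>/dev/null || true
    wait "$server_pid" 2>/dev/null || true
    rm -rf "$workdir"
    echo "$result"
}

echo "server -tls1_2, client -tls1_2: $(run_scenario -tls1_2 -tls1_2)"
echo "server -tls1_2, client -tls1_3: $(run_scenario -tls1_2 -tls1_3)"
```

The second line is the equivalent of running s_client with -ssl3 against a TLSv1-only server: the failure is on the client's side of the configuration, not in libssl, and the alert text printed to stderr names the reason. Dropping the version flag from the client, as the message suggests, lets both sides negotiate a common version.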