[Pkg-openssl-devel] Bug#683159: [openssl] can't connect to hosts which allow only SSLv3

Olivier Bonvalet ob.reportbug at daevel.fr
Sun Jul 29 10:02:41 UTC 2012 

Package: openssl
Version: 1.0.1c-3
Severity: important

--- Please enter the report below this line. ---

I can't connect to hosts which allow only SSLv3 :

$ openssl s_client -connect www.ovh.com:443
CONNECTED(00000003)
139991546484392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


but by specifiying "ssl3" on command line, it works :

$ openssl s_client -connect www.ovh.com:443 -ssl3
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=424761419/1.3.6.1.4.1.311.60.2.1.3=FR/1.3.6.1.4.1.311.60.2.1.2=Nord/1.3.6.1.4.1.311.60.2.1.1=ROUBAIX/businessCategory=Private Organization/C=FR/postalCode=59100/ST=NORD/L=ROUBAIX/street=2 rue Kellermann/O=OVH/OU=0002 424761419/OU=Comodo EV SSL/CN=www.ovh.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
[...]
---
SSL handshake has read 5379 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 8635E8662D8A62507C15E8371C4E8121F317A17F15D749FE40112EA5FC022455
    Session-ID-ctx:
    Master-Key: D5035A130786444B3B08C7E522EA0805B80B461803F32554B1ABF98B9172ECBE98E9252C4A6840F8500C9913CAE85281
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1343556050
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---




Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy doesn't have any trouble.




--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable apt.daevel.fr
1 experimental apt.daevel.fr

--- Package information. ---
Depends (Version) | Installed
============================-+-=============
libc6 (>= 2.7) | 2.13-35
libssl1.0.0 (>= 1.0.1) | 1.0.1c-3
zlib1g (>= 1:1.1.4) | 1:1.2.7.dfsg-13


Package's Recommends field is empty.

Suggests (Version) | Installed
==============================-+-===========
ca-certificates | 20120623

More information about the Pkg-openssl-devel mailing list