[Pkg-openssl-devel] Bug#680137: irssi: Can't connect to SSL-enabled server after upgrading libssl

John Morrissey jwm at horde.net
Sat Apr 6 17:47:51 UTC 2013


On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens) wrote:
> With some more tests and some help from a friend, we made some progress.
> 
> It *does* work when adding -no_tls1_1 option to openssl s_client.
> 
> It works if the server allows renegotiation: I can connect to freenode.
> 
> It seems to be #665452 again, or a variant.
> 
> Anyway, that explains why it works in Ubuntu. The patch
> tls12_workarounds.patch (attached) works around it (but I'm not
> qualified to tell whether this is an acceptable solution or not).

I noticed the same thing with ircd-hybrid (rebuilt per the package's
instructions to enable SSL support) after upgrading to wheezy recently.

wheezy's irssi refused to connect to the ircd, which was running on the
local host and linked to the same version of OpenSSL:

  140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:

After some trial and error, I realized that the cert I had been successfully
using with squeeze's ircd-hybrid was part of the problem. Removing the key
and cert and letting ircd-hybrid's maintainer scripts generate a default key
and cert allowed irssi to connect. AFAICT the only meaningful difference
between the two certs is that the non-working cert was cert format version
3 (0x2), whereas the autogenerated cert is format version 1 (0x0).

Also, patching wheezy's openssl 1.0.1e-2 with Ubuntu's
tls12_workarounds.patch allows the previous cert to work again.

john
-- 
John Morrissey          _o            /\         ----  __o
jwm at horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__
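
Added example, not part of the original message or of any project named in it: a small parser for OpenSSL 1.0.x error-queue lines like the one quoted above, which splits the packed code into its library, function and reason numbers and picks the server-side "no shared cipher" failure out of mixed log text. The function and class names are illustrative, and every sample line except the first is constructed.

```python
import re
from typing import NamedTuple

# ERR_print_errors layout in OpenSSL 1.0.x:
# <thread id>:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^\s*(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

class QueueError(NamedTuple):
    thread_id: int
    lib_num: int      # bits 31..24 of the packed code
    func_num: int     # bits 23..12
    reason_num: int   # bits 11..0
    library: str
    function: str
    reason: str
    source: str       # file:line inside OpenSSL that raised the error

def parse_error_line(text):
    """Parse one error-queue line; return None for any other text."""
    m = LINE_RE.match(text)
    if m is None:
        return None
    code = int(m["code"], 16)
    return QueueError(int(m["tid"]), (code >> 24) & 0xFF, (code >> 12) & 0xFFF,
                      code & 0xFFF, m["lib"], m["func"], m["reason"],
                      f"{m['file']}:{m['line']}")

def server_rejected_client_hello(err):
    """True when the server side found no usable suite in the ClientHello."""
    return (err.function == "SSL3_GET_CLIENT_HELLO"
            and err.reason == "no shared cipher")

def triage(lines):
    """Return the parsed entries that match the failure above."""
    parsed = (parse_error_line(t) for t in lines)
    return [e for e in parsed if e is not None and server_rejected_client_hello(e)]

SAMPLE = [  # first line is quoted in the message; the others are constructed
    "140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:",
    "140308295767720:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:",
    "-!- Irssi: Connection lost",
]
```

Because the error is raised in the server's ClientHello handling, a hit points at the server's key, certificate or cipher configuration rather than at the client's log.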


