[Pkg-openssl-devel] broken backwards compatibility in Jessie: libssl1.0.0 (1.0.1k-3+deb8u1) doesn't allow SSLv3

Andrey Arapov andrey.arapov at nixaid.com
Mon Jul 6 07:44:44 UTC 2015


 

Dear maintainers, 

I came across the problem when SSLv3 simply does not work with the
current stable libssl1.0.0 (1.0.1k-3+deb8u1) in Debian Jessie (amd64). 

Please find the logs below, let me know if you need more details. I
think it should be pretty self-explanatory. 

root at debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf
2015/07/06 03:28:39 [debug] 22474#0: epoll add event: fd:6 op:1
ev:00002001 

root at debian:~/nginx-debug# openssl s_client -connect localhost:4443
-ssl3
...
SSL-Session:
 Protocol : SSLv3
 Cipher : 0000
... 

2015/07/06 03:28:41 [debug] 22474#0: accept on 0.0.0.0:4443, ready: 0
2015/07/06 03:28:41 [debug] 22474#0: posix_memalign:
0000000001D45A10:256 @16
2015/07/06 03:28:41 [debug] 22474#0: *1 accept: 127.0.0.1 fd:3
2015/07/06 03:28:41 [debug] 22474#0: posix_memalign:
0000000001D210B0:256 @16
2015/07/06 03:28:41 [debug] 22474#0: *1 event timer add: 3:
60000:1436167781415
2015/07/06 03:28:41 [debug] 22474#0: *1 reusable connection: 1
2015/07/06 03:28:41 [debug] 22474#0: *1 epoll add event: fd:3 op:1
ev:80002001
2015/07/06 03:28:41 [debug] 22474#0: *1 http check ssl handshake
2015/07/06 03:28:41 [debug] 22474#0: *1 http recv(): 1
2015/07/06 03:28:41 [debug] 22474#0: *1 https ssl handshake: 0x16
2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_do_handshake: -1
2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_get_error: 1
2015/07/06 03:28:41 [crit] 22474#0: *1 SSL_do_handshake() failed (SSL:
error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol)
while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:4443
2015/07/06 03:28:41 [debug] 22474#0: *1 close http connection: 3
2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_shutdown: 1
2015/07/06 03:28:41 [debug] 22474#0: *1 event timer del: 3:
1436167781415
2015/07/06 03:28:41 [debug] 22474#0: *1 reusable connection: 0
2015/07/06 03:28:41 [debug] 22474#0: *1 free: 0000000001D45A10, unused:
16
2015/07/06 03:28:41 [debug] 22474#0: *1 free: 0000000001D210B0, unused:
136

root at debian:~/nginx-debug# dpkg -l libssl1.0.0
ii libssl1.0.0:amd64 1.0.1k-3+deb8u1 amd64 Secure Sockets Layer toolkit
- shared libraries

Downgrading to Wheezy stable libssl1.0.0 (or it is also working when
nginx is built from source with --with-openssl=../openssl-1.0.1k, for
example; the whole line I was using: root at www:~/nginx-1.6.2# ./configure
--without-http_rewrite_module --without-http_gzip_module
--with-http_ssl_module --with-openssl=../openssl-1.0.1k --with-ipv6
--with-debug)

root at debian:~/nginx-debug# dpkg -i
downgrade/libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb
root at debian:~/nginx-debug# dpkg -l libssl1.0.0
ii libssl1.0.0:amd64 1.0.1e-2+deb7u17 amd64 SSL shared libraries

root at debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf
2015/07/06 03:29:35 [debug] 22514#0: epoll add event: fd:6 op:1
ev:00002001

root at debian:~/nginx-debug# nginx -p ~/nginx-debug -c nginx.conf
2015/07/06 03:30:30 [debug] 22518#0: epoll add event: fd:6 op:1
ev:00002001 

root at debian:~/nginx-debug# openssl s_client -connect localhost:4443
-ssl3
...
SSL-Session:
 Protocol : SSLv3
 Cipher : ECDHE-RSA-AES256-SHA
... 

2015/07/06 03:30:33 [debug] 22518#0: accept on 0.0.0.0:4443, ready: 0
2015/07/06 03:30:33 [debug] 22518#0: posix_memalign:
0000000002516A90:256 @16
2015/07/06 03:30:33 [debug] 22518#0: *1 accept: 127.0.0.1 fd:3
2015/07/06 03:30:33 [debug] 22518#0: posix_memalign:
00000000024F2130:256 @16
2015/07/06 03:30:33 [debug] 22518#0: *1 event timer add: 3:
60000:1436167893670
2015/07/06 03:30:33 [debug] 22518#0: *1 reusable connection: 1
2015/07/06 03:30:33 [debug] 22518#0: *1 epoll add event: fd:3 op:1
ev:80002001
2015/07/06 03:30:33 [debug] 22518#0: *1 http check ssl handshake
2015/07/06 03:30:33 [debug] 22518#0: *1 http recv(): 1
2015/07/06 03:30:33 [debug] 22518#0: *1 https ssl handshake: 0x16
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_do_handshake: -1
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_get_error: 2
2015/07/06 03:30:33 [debug] 22518#0: *1 reusable connection: 0
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL handshake handler: 0
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_do_handshake: 1
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL: SSLv3, cipher:
"ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1"
2015/07/06 03:30:33 [debug] 22518#0: *1 reusable connection: 1
2015/07/06 03:30:33 [debug] 22518#0: *1 http wait request handler
2015/07/06 03:30:33 [debug] 22518#0: *1 malloc: 00000000024FA040:1024
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_read: -1
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL_get_error: 2
2015/07/06 03:30:33 [debug] 22518#0: *1 free: 00000000024FA040

root at debian:~/nginx-debug# cat nginx.conf
daemon off;
worker_processes 1;

events {
    worker_connections 1024;
}

http {

    ssl_protocols SSLv3 TLSv1.2;

    ssl_certificate /root/nginx-debug/cert.pem;
    ssl_certificate_key /root/nginx-debug/cert.key;

    server {
        listen 4443 ssl;

        error_log stderr debug;

        location / {
            root html;
            index index.html index.htm;
        }
    }
}

root at debian:~/nginx-debug# ls -lad cert.* logs nginx.conf
-rw------- 1 root root 1704 Jul 6 02:43 cert.key
-rw-r--r-- 1 root root 1428 Jul 6 02:43 cert.pem
drwxr-xr-x 2 root root 4096 Jul 6 03:19 logs
-rw-r--r-- 1 root root 665 Jul 6 02:43 nginx.conf

Please let me know if you are planning to fix this. There are particular
outdated apps that are still using SSLv3 and it would be wonderful to
have it for backwards compatibility. (Current stable Jessie's Nginx
by default does not use SSLv3.)

-- 
kind regards
Andrey Arapov
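Before deciding whether a legacy protocol is worth re-enabling, a defender wants to know how many clients are actually being turned away for offering it. The following Python snippet is an added example, not part of the original report: it parses nginx error-log lines of the kind quoted above, decodes the packed OpenSSL error code (8-bit library, 12-bit function, 12-bit reason, as in OpenSSL 1.0.x), and tallies clients rejected with "unsupported protocol" alongside the protocol versions that were negotiated successfully. The sample log text is constructed to resemble the report's output.

```python
import re
from collections import Counter

# Constructed sample modelled on the nginx debug log in the report (not a verbatim copy).
SAMPLE_LOG = """\
2015/07/06 03:28:41 [debug] 22474#0: *1 SSL_do_handshake: -1
2015/07/06 03:28:41 [crit] 22474#0: *1 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:4443
2015/07/06 03:30:33 [debug] 22518#0: *1 SSL: SSLv3, cipher: "ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1"
2015/07/06 03:31:02 [debug] 22518#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
"""

# OpenSSL 1.0.x error codes: 8-bit library id, 12-bit function id, 12-bit reason id.
# 0x14076102 from the report decodes to lib 20 (SSL), func 118, reason 258.
ERR_LIB_SSL = 20
SSL_R_UNSUPPORTED_PROTOCOL = 258

HANDSHAKE_FAIL = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^)]*)\)"
    r".*?client: ([\d.]+)"
)
NEGOTIATED = re.compile(r'SSL: (\w[\w.]*), cipher: "')


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason) integers."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def summarize(log_text):
    """Tally unsupported-protocol rejections per client and negotiated versions."""
    report = {
        "unsupported_protocol_clients": Counter(),  # client IP -> rejection count
        "negotiated": Counter(),                    # protocol version -> handshake count
        "other_failures": 0,                        # handshake failures with a different reason
    }
    for line in log_text.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if m:
            lib, _func, reason = decode_openssl_error(m.group(1))
            if lib == ERR_LIB_SSL and reason == SSL_R_UNSUPPORTED_PROTOCOL:
                report["unsupported_protocol_clients"][m.group(4)] += 1
            else:
                report["other_failures"] += 1
            continue
        m = NEGOTIATED.search(line)
        if m:
            report["negotiated"][m.group(1)] += 1
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The negotiated-version tally also shows whether SSLv3 is still being picked once it is allowed, which is the data point to weigh against keeping a deprecated protocol enabled.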

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20150706/789b672b/attachment.html>


More information about the Pkg-openssl-devel mailing list