[Pkg-openssl-devel] Bug#934453: curl: SSL routines:tls12_check_peer_sigalg:wrong signature type

Johannes Schauer josch at debian.org
Mon Aug 12 09:42:06 BST 2019


Hi,

On Mon, 12 Aug 2019 10:01:03 +0200 Johannes Schauer <josch at debian.org> wrote:
> On Sun, 11 Aug 2019 09:42:21 +0200 Johannes 'josch' Schauer <josch at debian.org> wrote:
> > steps to reproduce:
> > 
> >     $ sudo debootstrap --include=curl,ca-certificates unstable debian-unstable
> >     [...]
> >     $ sudo chroot debian-unstable curl -vvv https://www.daserste.de
> >     *   Trying 8.248.97.252:443...
> >     * TCP_NODELAY set
> >     * Connected to www.daserste.de (8.248.97.252) port 443 (#0)
> >     * ALPN, offering h2
> >     * ALPN, offering http/1.1
> >     * successfully set certificate verify locations:
> >     *   CAfile: none
> >       CApath: /etc/ssl/certs
> >     * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> >     * TLSv1.3 (IN), TLS handshake, Server hello (2):
> >     * TLSv1.2 (IN), TLS handshake, Certificate (11):
> >     * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> >     * TLSv1.2 (OUT), TLS alert, handshake failure (552):
> >     * error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
> >     * Closing connection 0
> >     curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
> > 
> > This also happens with other domains. I hope this is actually a curl
> > issue and not my own stupidity but this problem only occurs with curl
> > and not wget or firefox and the domain from above has an A+ rating on
> > ssllabs.com, so I guess it is properly configured.
> 
> I now figured out that this problem is actually due to openssl and not due to
> curl. I bisected Debian unstable from snapshot.d.o to figure out that the last
> working snapshot is 20180822T014239Z and the first that shows this problem is
> 20180822T060826Z. When I diff the output of `dpkg -l` on both chroots then I
> get:
> 
> 82c82
> < ii  libssl1.1:amd64           1.1.0h-4                     amd64        Secure Sockets Layer toolkit - shared libraries
> ---
> > ii  libssl1.1:amd64           1.1.1~~pre9-1                amd64        Secure Sockets Layer toolkit - shared libraries
> 95c95
> < ii  openssl                   1.1.0h-4                     amd64        Secure Sockets Layer toolkit - cryptographic utility
> ---
> > ii  openssl                   1.1.1~~pre9-1                amd64        Secure Sockets Layer toolkit - cryptographic utility

thanks to juliank on #debian-devel I found out that this issue seems to be a
duplicate of #912759?

If so, what should I write to the server admins of daserste.de? I'm not quite
knowledgeable about the topic and with the Qualys SSL Labs Server test reporting
an A+ for the server, I don't know what argument to make that they are wrong.

Thanks!

cheers, josch
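Added example (not part of the thread, and not OpenSSL's or curl's code): a small Python model of the check behind the error quoted above. OpenSSL 1.1.1 aborts a TLS 1.2 handshake with WRONG_SIGNATURE_TYPE when the SignatureAndHashAlgorithm the server puts in its ServerKeyExchange is not one the client advertised in its ClientHello signature_algorithms extension. RFC 5246 section 7.4.3 requires the server to choose from that list, which is the argument to make to a server operator. The offered-sigalg lists, the SECLEVEL behaviour and every byte string below are constructed for illustration; the thread does not say which algorithm the daserste.de server actually used.

```python
"""
Emulation of the OpenSSL 1.1.1 client-side check that produces
'SSL routines:tls12_check_peer_sigalg:wrong signature type'.

TLS 1.2: the client lists the SignatureAndHashAlgorithm pairs it accepts in
the ClientHello signature_algorithms extension (RFC 5246, 7.4.1.4.1), and a
server doing ECDHE must sign ServerKeyExchange with one of them (7.4.3).
All byte strings here are constructed for the example, not captured traffic.
"""
import struct

# (hash, signature) code points packed as one 16-bit value (RFC 5246 / RFC 8446).
SIGALG_NAMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
}
SHA1_SIGALGS = (0x0201, 0x0203)

def offered_sigalgs(seclevel=2):
    """Sigalgs a client advertises. Assumption modelled here: at OpenSSL
    security level 2 (Debian's 1.1.1 default) SHA-1 pairs are not offered,
    at level 1 they still are. The non-SHA-1 list is illustrative."""
    algs = [0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601, 0x0403, 0x0503, 0x0603]
    if seclevel < 2:
        algs += list(SHA1_SIGALGS)
    return algs

def encode_signature_algorithms_ext(sigalgs):
    """signature_algorithms extension body: uint16 byte length + code points."""
    body = b"".join(struct.pack("!H", s) for s in sigalgs)
    return struct.pack("!H", len(body)) + body

def parse_signature_algorithms_ext(data):
    """Inverse of encode_signature_algorithms_ext, with length validation."""
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or len(data) != 2 + length:
        raise ValueError("malformed signature_algorithms extension")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + length, 2)]

def build_ecdhe_server_key_exchange(curve_id, pubkey, sigalg, signature):
    """ECDHE ServerKeyExchange: ECParameters(named_curve=3, curve), ECPoint,
    SignatureAndHashAlgorithm, opaque signature<0..2^16-1> (RFC 4492 5.4)."""
    params = struct.pack("!BHB", 3, curve_id, len(pubkey)) + pubkey
    return params + struct.pack("!HH", sigalg, len(signature)) + signature

def parse_ecdhe_server_key_exchange(body):
    """Return (curve_id, pubkey, sigalg, signature); raises on truncation."""
    curve_type, curve_id, pub_len = struct.unpack("!BHB", body[:4])
    if curve_type != 3:
        raise ValueError("only named_curve ECParameters handled here")
    pos = 4
    pubkey = body[pos:pos + pub_len]
    pos += pub_len
    sigalg, sig_len = struct.unpack("!HH", body[pos:pos + 4])
    pos += 4
    signature = body[pos:pos + sig_len]
    if len(pubkey) != pub_len or len(signature) != sig_len:
        raise ValueError("truncated ServerKeyExchange")
    return curve_id, pubkey, sigalg, signature

def check_peer_sigalg(server_key_exchange, client_sigalgs):
    """The rule behind tls12_check_peer_sigalg(): the server's sigalg must be
    one the client sent. This runs before any signature verification, so the
    signature bytes themselves can be anything here. Returns (ok, reason)."""
    _, _, sigalg, _ = parse_ecdhe_server_key_exchange(server_key_exchange)
    name = SIGALG_NAMES.get(sigalg, hex(sigalg))
    if sigalg not in client_sigalgs:
        return False, f"wrong signature type: server used {name}, which we did not offer"
    return True, f"server signed ServerKeyExchange with {name}"

# Constructed messages: fake P-256 point (curve 23) and fake 2048-bit RSA signature.
_PUBKEY = b"\x04" + b"\x11" * 64
_SIG = b"\xaa" * 256
SKE_SHA1 = build_ecdhe_server_key_exchange(23, _PUBKEY, 0x0201, _SIG)
SKE_SHA256 = build_ecdhe_server_key_exchange(23, _PUBKEY, 0x0401, _SIG)

if __name__ == "__main__":
    for label, ske in (("SHA-1 signed", SKE_SHA1), ("SHA-256 signed", SKE_SHA256)):
        for lvl in (1, 2):
            ok, why = check_peer_sigalg(ske, offered_sigalgs(lvl))
            print(f"{label:14s} SECLEVEL={lvl}: {'OK  ' if ok else 'FAIL'} {why}")
```

To see the real values from a live server with OpenSSL 1.1.x, `openssl s_client -connect host:443 -tls1_2 -msg` dumps the handshake messages including the ServerKeyExchange, `-sigalgs` restricts what the client offers, and `-cipher 'DEFAULT:@SECLEVEL=1'` relaxes the security level so the two behaviours can be compared against the same server.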