NetBSD-Bugs archive


Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL



The following reply was made to PR bin/45639; it has been noted by GNATS.

From: Rhialto <rhialto%falu.nl@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: gnats-admin%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost, 
rhialto%falu.nl@localhost
Subject: Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL
Date: Tue, 22 Nov 2011 01:34:44 +0100

 On Mon 21 Nov 2011 at 23:35:02 +0000, Thomas Klausner wrote:
 >  Could this issue be another case of the "bad TLS1.1 support"?
 >  
 >  See e.g.
 >  
 > https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11
 
 If I understand that reference correctly, using the -tls1 option means
 that TLS1.1 is not used? So, adding -tls1 should make the issue better?
 
 I see exactly the opposite, though, when I use /usr/bin/openssl.
 
 $ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp -tls1
 CONNECTED(00000003)
 140187688595268:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
 ---
 no peer certificate available
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 374 bytes and written 0 bytes
 ---
 New, (NONE), Cipher is (NONE)
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : 0000
     Session-ID: 001215364ECAE3B2A8DF9F2833C113B29988EF39A71891DA611C8F31871848E0
     Session-ID-ctx: 
     Master-Key: 
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1321919410
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
 ---
 $ 
 
 but if I leave out the -tls1 option I get
 
 $ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp 
 CONNECTED(00000003)
 depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 ---
 Certificate chain
  0 s:/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
  1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIF8jCCBNqgAwIBAgIRAKxAFqoIeVvY/rKWtrU54HAwDQYJKoZIhvcNAQEFBQAw
 ...
 6AeDm142pfuFbXcYCp+QeavBQFWNT4h1UqXe/1LqUqm7C9cftao=
 -----END CERTIFICATE-----
 subject=/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
 issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 3146 bytes and written 551 bytes
 ---
 New, TLSv1/SSLv3, Cipher is AES256-SHA
 Server public key is 2048 bit
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 0012B8C04ECAE3D5A33EA027E403C4789222FCBF06BA5DD834BE080F6A27F54C
     Session-ID-ctx: 
     Master-Key: CCED98E919799672F48FB37C680B5EE1BA59F5B8ED4B71F5B9D91B0998FE7B497E342F59A498AF08BED8023BF5A507C5
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1321919445
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
 ---
 250 EHLO
 help
 214-Commands Supported:
 214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY ATRN STARTTLS
 214-Copyright (c) 1995-2011, Stalker Software, Inc.
 214- 
 214 End Of Help
 DONE
 
 With /usr/pkg/bin/openssl ... -tls1, it works.
 The postmaster at tele2.nl tried something similar with his version of
 openssl, without the -tls1 option, and it worked for him (but he got a
 "Protocol  : SSLv3" connection).
 
 I tried to find out which version NetBSD's openssl is, but it
 seems to be something like "0.9.9 plus its own set of patches". The pkgsrc
 version would then be older, being 0.9.8q nb3.
 
 >   Thomas
 -Olaf.
 -- 
 ___ Olaf 'Rhialto' Seibert  -- There's no point being grown-up if you 
 \X/ rhialto/at/xs4all.nl    -- can't be childish sometimes. -The 4th Doctor
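The two `s_client` runs above are easy to misread: the `-tls1` run prints `Verify return code: 0 (ok)` even though no handshake completed, while the run without `-tls1` connected fine and only failed local chain verification (return code 20, a CA-store problem on the client, not a server problem). The following is an added example, not code from the PR, from NetBSD or from OpenSSL. It parses transcripts in the format quoted in the mail and classifies each into one of those outcomes, and it includes a hypothetical `probe_starttls` helper that repeats the experiment with Python's `ssl` module and a pinned protocol range (that helper needs network access and is not exercised by the embedded samples). The two sample transcripts are constructed by trimming the runs quoted above.

```python
"""Triage helper for `openssl s_client -starttls smtp` transcripts.
Added example (not from the PR, NetBSD or OpenSSL): classifies a captured run
as handshake_failed / unverified / ok, and offers a pinned-version STARTTLS
probe that repeats the report's experiment with Python's ssl module."""
import re
import smtplib
import ssl
from dataclasses import dataclass
from typing import Optional

# Line patterns as s_client prints them (OpenSSL 0.9.8 through 3.x).
_ERR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:(\S+):([^:]+):")
_NEW_RE = re.compile(r"^New, .*, Cipher is (.*)$", re.M)
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_BYTES_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")

HINTS = {  # what each verdict usually means for whoever is debugging it
    "handshake_failed": "no ServerHello accepted; compare the ClientHello each build sends",
    "unverified": "TLS works; fix the local CA store or pass -CAfile/-CApath",
    "ok": "handshake and chain verification both succeeded",
}

@dataclass
class HandshakeResult:
    verdict: str
    protocol: Optional[str]   # in a failed run: the version the client asked for
    cipher: Optional[str]     # "(NONE)" when nothing was negotiated
    bytes_read: int
    bytes_written: int
    verify_code: Optional[int]
    verify_msg: Optional[str]
    ssl_error: Optional[str]  # e.g. "SSL3_GET_SERVER_HELLO: bad packet length"

def parse_s_client(transcript: str) -> HandshakeResult:
    """Extract the handshake outcome from one s_client run."""
    err, new = _ERR_RE.search(transcript), _NEW_RE.search(transcript)
    proto, nbytes = _PROTO_RE.search(transcript), _BYTES_RE.search(transcript)
    ver = _VERIFY_RE.search(transcript)
    bytes_read, bytes_written = (int(nbytes[1]), int(nbytes[2])) if nbytes else (0, 0)
    cipher = new[1] if new else None
    ssl_error = f"{err[1]}: {err[2]}" if err else None
    verify_code, verify_msg = (int(ver[1]), ver[2]) if ver else (None, None)
    # A "(NONE)" cipher, an SSL-routines error, or a handshake that wrote
    # nothing means nothing was negotiated; s_client still prints
    # "Verify return code: 0 (ok)" then, which is not a verification result.
    if ssl_error or cipher in (None, "(NONE)") or bytes_written == 0:
        verdict = "handshake_failed"
    elif verify_code not in (None, 0):
        verdict = "unverified"
    else:
        verdict = "ok"
    return HandshakeResult(verdict, proto[1] if proto else None, cipher,
                           bytes_read, bytes_written, verify_code, verify_msg, ssl_error)

def hint(verdict: str) -> str: return HINTS.get(verdict, "unknown verdict")

def probe_starttls(host, port=25, *, min_version=ssl.TLSVersion.TLSv1_2,
                   max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED, verify=True, timeout=10.0):
    """Live check (network; hypothetical helper, not run by the samples below).
    Pins the protocol range as -tls1 did and returns (protocol, cipher). A modern
    OpenSSL security level may refuse TLS 1.0/1.1 regardless of min_version;
    that surfaces as ssl.SSLError rather than as a silent downgrade."""
    ctx = ssl.create_default_context()
    ctx.minimum_version, ctx.maximum_version = min_version, max_version
    if not verify:  # only for isolating chain problems, as in the report
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise smtplib.SMTPException("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: EHLO again after STARTTLS
        return smtp.sock.version(), smtp.sock.cipher()[0]

# Constructed samples, trimmed from the two runs quoted in the mail.
SAMPLE_FAIL = """\
140187688595268:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:s3_clnt.c:906:
SSL handshake has read 374 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)
"""
SAMPLE_UNVERIFIED = """\
verify error:num=20:unable to get local issuer certificate
SSL handshake has read 3146 bytes and written 551 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    for label, text in (("with -tls1", SAMPLE_FAIL), ("without -tls1", SAMPLE_UNVERIFIED)):
        r = parse_s_client(text)
        print(f"{label}: {r.verdict} ({r.protocol}, {r.cipher}) -> {hint(r.verdict)}")
```

The classifier deliberately looks at the negotiated cipher and the error line before it looks at the verify code, because in a failed run the `Protocol` and `Verify return code` lines describe the client's configuration rather than anything the server agreed to. For the live probe, pinning both `minimum_version` and `maximum_version` is the modern equivalent of `-tls1`: it makes a version-specific server bug reproducible instead of letting the client silently negotiate around it.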
 

