Date: Thu, 7 Mar 2013 07:37:53 GMT
From: Johannes Meixner <xmj@chaot.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/176722: OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
Message-ID: <201303070737.r277brU2076712@red.freebsd.org>
Resent-Message-ID: <201303070740.r277e18I007456@freefall.freebsd.org>

>Number:         176722
>Category:       misc
>Synopsis:       OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 07 07:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Johannes Meixner
>Release:        10.0-CURRENT
>Organization:
>Environment:
FreeBSD xmj.local 10.0-CURRENT FreeBSD 10.0-CURRENT #2 r247490M: Fri Mar 1 19:16:27 EET 2013 root@xmj.local:/usr/obj/usr/src/sys/xmj amd64
>Description:
Error first described by Pablo Almeida on
https://bugs.launchpad.net/openssl/+bug/965371/ -- when trying to

`openssl s_client -showcerts -connect coremis-cas.myocean.eu:443'

OpenSSL 1.0.1e (11 Feb 13 from ports) doesn't fall back (as it does for
0.9.8x 10 May 2012) to TLS1 and, instead of showing certs, gives

CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

However, when forcing s_client to use -tls1, the result is as expected,
returning the site's certificates.

Why doesn't openssl notice it can't use any other method but TLS1 -- and fall
back to that one, as in previous versions?
>How-To-Repeat:
Run

`openssl s_client -showcerts -connect coremis-cas.myocean.eu:443'

on OpenSSL 1.0.1e versus

openssl s_client -showcerts -tls1 -connect coremis-cas.myocean.eu:443
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
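
A triage helper for the symptom in this report, added here as an example and not part of the original message or of OpenSSL: it classifies an `openssl s_client` transcript and repeats the connection once per protocol flag, so a server that stays silent on the default ClientHello but answers `-tls1` stands out. The function names are hypothetical, and any flag other than `-tls1` is an assumption about what the installed `openssl` accepts.

```shell
#!/bin/sh
# Added example (not from the report): triage s_client handshake failures.

# classify_transcript: read an s_client transcript on stdin and print
#   handshake-ok     a cipher was negotiated
#   no-server-reply  ClientHello was written, zero bytes came back
#   no-handshake     bytes came back but no cipher was negotiated
classify_transcript() {
    awk '
        /SSL handshake has read 0 bytes/ { zero = 1 }
        /Cipher is / && !/Cipher is \(NONE\)/ { ok = 1 }
        END {
            if (ok)        print "handshake-ok"
            else if (zero) print "no-server-reply"
            else           print "no-handshake"
        }'
}

# probe_versions HOST:PORT [FLAG...]: connect once with the library default,
# then once per protocol flag supplied by the caller (for example -tls1).
probe_versions() {
    target=$1; shift
    for flag in "" "$@"; do
        # $flag is deliberately unquoted: empty means "no version flag".
        result=$(openssl s_client $flag -connect "$target" </dev/null 2>&1 | classify_transcript)
        printf '%-10s %s\n' "${flag:-default}" "$result"
    done
}

# Failing transcript, abridged from the one quoted in the report above.
failed_transcript() {
    cat <<'EOF'
CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
EOF
}

failed_transcript | classify_transcript
```

Against a live host the call would be `probe_versions coremis-cas.myocean.eu:443 -tls1`; a `no-server-reply` on the default line next to `handshake-ok` on `-tls1` reproduces the behaviour reported here.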