Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 7 Mar 2013 07:37:53 GMT
From:      Johannes Meixner <xmj@chaot.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/176722: OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
Message-ID:  <201303070737.r277brU2076712@red.freebsd.org>
Resent-Message-ID: <201303070740.r277e18I007456@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         176722
>Category:       misc
>Synopsis:       OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 07 07:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Johannes Meixner
>Release:        10.0-CURRENT
>Organization:
>Environment:
FreeBSD xmj.local 10.0-CURRENT FreeBSD 10.0-CURRENT #2 r247490M: Fri Mar  1 19:16:27 EET 2013     root@xmj.local:/usr/obj/usr/src/sys/xmj  amd64
>Description:
Error first described by Pablo Almeida on 
https://bugs.launchpad.net/openssl/+bug/965371/

--
when trying to `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443'  OpenSSL1.0.1e (11 Feb 13 from ports) doesn't fall back (as it does for 0.9.8x 10 May 2012) to TLS1
and, instead of showing certs, gives


CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


However, when forcing s_client to use -tls1, the result is as expected, returning the site's certificates. 

Why doesn't openssl notice it can't any other method but TLS1 -- and fall back to that one, as in previous versions?
>How-To-Repeat:
Run `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443' on OpenSSL 1.0.1e

versus

openssl s_client -showcerts -tls1 -connect coremis-cas.myocean.eu:443
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201303070737.r277brU2076712>