Date:      Thu, 10 Oct 1996 18:00:26 +0100 (BST)
From:      jez@netcraft.co.uk (Jeremy Prior)
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        mhp@netcraft.co.uk (Mike Prettejohn)
Subject:   ports/1753: SSLeay-0.6.4 inoperability with MS IIS
Message-ID:  <199610101700.SAA23552@ns0.netcraft.co.uk>
Resent-Message-ID: <199610101710.KAA03002@freefall.freebsd.org>


>Number:         1753
>Category:       ports
>Synopsis:       SSLeay doesn't work against Microsoft secure web sites
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 10 10:10:01 PDT 1996
>Last-Modified:
>Originator:     Jeremy Prior
>Organization:
Jeremy Prior                                      <jez@netcraft.co.uk>
Netcraft,  Rockfield House,  Granville Road,  Bath,  BA1 9BQ,  England
Tel: +44-1225-447500                              Fax: +44-1225-448600
>Release:        FreeBSD 2.1.5-STABLE i386
>Environment:

	Both FreeBSD-2.1.5-STABLE and FreeBSD-2.2-CURRENT exhibit this
	problem.  However, it *is* specific to FreeBSD - It works correctly
	under Linux/Irix/Solaris/...

>Description:

	Whilst trying to connect to Microsoft IIS sites using SSLeay-0.6.4,
	the library will hang after determining the X509 cert.
	It does this with programs linked against the SSL library, and with
	the ssleay app that comes with it (see below).

	This is quite specific to the combination of (FreeBSD,Microsoft IIS)
	- it works when run from or against Linux, Irix or Solaris.

>How-To-Repeat:

	This succeeds:

	  % ssleay s_client -port 443 -host www-secure.cdrom.com < /dev/null

	This hangs:

	  % ssleay s_client -port 443 -host www.microsoft.com < /dev/null

>Fix:
	
	Sorry, I don't have a fix, but I have gone some way down the path
	of diagnosis.

	If you invoke ssleay with the -state option, you'll see that it
	wedges between states SSL_ST_GET_SERVER_VERIFY_A and SSL_ST_OK:

	% ssleay s_client -port 443 -host www.microsoft.com -state
	CONNECTED
	SSL_connect:SCH_A
	SSL_connect:GSH_A
	depth=0 /C=US/SP=Washington/O=Microsoft/CN=www.microsoft.com
	issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
	SSL_connect:SCMKA
	SSL_connect:CSENC
	SSL_connect:SCF_A
	SSL_connect:GSV_A

	According to ktrace, ssleay is blocking indefinitely on a recvfrom.
		
	Gdb gives the following stack trace:
	#0  0x80b0135 in recvfrom ()
	#1  0x808390a in recv.so ()
	#2  0x2e6b2 in sock_read (b=0x62140, 
	    out=0x71000 "\200!Zd\216\2002$S_-BMi\220/e+\0051RN\214\204\020q
	3W\220\e'\017ov\206w\r\001\001\002\005", outl=2) at bss_sock.c:190
	#3  0x2d91a in BIO_read (b=0x62140, 
	    out=0x71000 "\200!Zd\216\2002$S_-BMi\220/e+\0051RN\214\204\020q
	3W\220\e'\017ov\206w\r\001\001\002\005", outl=2) at bio_lib.c:128
	#4  0x1ee9d in read_n (s=0x66000, n=2, max=2, extend=0) at ssl_pkt.c:253
	#5  0x1eabf in SSL_read (s=0x66000, 
	    buf=0x83000 "1RN\214\204\020q
	3W\220\e'\017ov~>\0238t)\024+'>rb\2179q\031O\035KX\e\032m]L/8=\205wny&Hq4\030t\213?99[C\tzj^K\031qpI\211D`s\220\216\023A\020\203\t\037<", len=1) at
	ssl_pkt.c:105
	#6  0x1e770 in get_server_finished (s=0x66000) at ssl_clnt.c:796
	#7  0x1d886 in SSL_connect (s=0x66000) at ssl_clnt.c:198
	#8  0x13fe5 in s_client_main (argc=0, argv=0xefbfd760) at s_client.c:277
	#9  0x1cdb in do_cmd (prog=0x63180, argc=6, argv=0xefbfd760) at ssleay.c:236
	#10 0x19e7 in main (Argc=7, Argv=0xefbfd75c) at ssleay.c:155

	In some preliminary correspondence with Mark Murray (Hi Mark!), he
	thought that the problem may be due to the fact that FreeBSD has
	its own message digest library which SSLeay takes advantage of, but
	I've compiled a version of ssleay without it (only dynamically links
	against libc), and it still fails.

	I'm not sure how useful tcpdump output is, but I've got some for
	successful and unsuccessful attempts which I'm willing to upload
	to freefall upon request.  Likewise, my ssleay configure script
	and binaries.

       [Impassionate plea:  This is a *real* show-stopper for us!  I was
	planning on updating our web server survey to handle https as well
	as http servers, (see http://www.netcraft.com/cgi-bin/Survey/whats)
	but there's no point if I can't resolve this problem.  I've got as
	far as I can with my current level of expertise, but can't progress
	any further without delving into the SSL protocol and SSLeay code.
	I am, however, willing to donate some time, machine resources, and
	even _money_, if I can get this resolved in a timely manner.  Help!!]
>Audit-Trail:
>Unformatted:
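
Added example (not part of the original report, and not SSLeay code): a handshake probe with a deadline, so that a peer which goes silent mid-handshake, as in the recvfrom trace above, is reported as a stall instead of wedging the client. The names start_stalling_server and probe_handshake are hypothetical, and the silent server is a constructed local test peer.

```python
import socket
import ssl
import threading


def start_stalling_server():
    """Constructed test peer: accept one TCP connection, read the client's
    first handshake message, then stay silent instead of answering."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # any free loopback port
    listener.listen(1)
    done = threading.Event()

    def serve():
        conn, _ = listener.accept()
        conn.recv(4096)                      # swallow the ClientHello
        done.wait(10)                        # hold the socket open, send nothing
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], done


def probe_handshake(host, port, deadline=1.0):
    """Attempt a TLS handshake and return 'ok', 'stalled' or 'failed: ...'.

    The timeout given to create_connection() stays set on the socket, so it
    bounds the connect and every blocking read or write of the handshake."""
    ctx = ssl.create_default_context()       # certificate checks stay enabled
    try:
        with socket.create_connection((host, port), timeout=deadline) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except socket.timeout:                   # peer never sent the next message
        return "stalled"
    except (ssl.SSLError, OSError) as exc:   # refused, reset, bad certificate...
        return "failed: %s" % exc


if __name__ == "__main__":
    port, done = start_stalling_server()
    print(probe_handshake("127.0.0.1", port, deadline=0.5))
    done.set()
```

The timeout applies to each socket operation rather than to the handshake as a whole, so a peer that trickles data can still exceed the nominal deadline.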


