Date: Thu, 10 Oct 1996 18:00:26 +0100 (BST)
From: jez@netcraft.co.uk (Jeremy Prior)
To: FreeBSD-gnats-submit@freebsd.org
Cc: mhp@netcraft.co.uk (Mike Prettejohn)
Subject: ports/1753: SSLeay-0.6.4 inoperability with MS IIS
Message-ID: <199610101700.SAA23552@ns0.netcraft.co.uk>
Resent-Message-ID: <199610101710.KAA03002@freefall.freebsd.org>
>Number:         1753
>Category:       ports
>Synopsis:       SSLeay doesn't work against Microsoft secure web sites
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 10 10:10:01 PDT 1996
>Last-Modified:
>Originator:     Jeremy Prior
>Organization:
Jeremy Prior <jez@netcraft.co.uk>
Netcraft, Rockfield House, Granville Road, Bath, BA1 9BQ, England
Tel: +44-1225-447500   Fax: +44-1225-448600
>Release:        FreeBSD 2.1.5-STABLE i386
>Environment:
Both FreeBSD-2.1.5-STABLE and FreeBSD-2.2-CURRENT exhibit this problem.
However, it *is* specific to FreeBSD - it works correctly under Linux/Irix/Solaris/...
>Description:
Whilst trying to connect to Microsoft IIS sites using SSLeay-0.6.4, the
library will hang after determining the X509 cert. It does this with
programs linked against the SSL library, and with the ssleay app that
comes with it (see below).

This is quite specific to the combination of (FreeBSD, Microsoft IIS) -
it works when run from or against Linux, Irix or Solaris.
>How-To-Repeat:
This succeeds:

    % ssleay s_client -port 443 -host www-secure.cdrom.com < /dev/null

This hangs:

    % ssleay s_client -port 443 -host www.microsoft.com < /dev/null
>Fix:
Sorry, I don't have a fix, but I have gone some way down the path of
diagnosis.

If you invoke ssleay with the -state option, you'll see that it wedges
between states SSL_ST_GET_SERVER_VERIFY_A and SSL_ST_OK:

    % ssleay s_client -port 443 -host www.microsoft.com -state
    CONNECTED
    SSL_connect:SCH_A
    SSL_connect:GSH_A
    depth=0 /C=US/SP=Washington/O=Microsoft/CN=www.microsoft.com
    issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    SSL_connect:SCMKA
    SSL_connect:CSENC
    SSL_connect:SCF_A
    SSL_connect:GSV_A

According to ktrace, ssleay is blocking indefinitely on a recvfrom.

Gdb gives the following stack trace:

    #0  0x80b0135 in recvfrom ()
    #1  0x808390a in recv.so ()
    #2  0x2e6b2 in sock_read (b=0x62140, out=0x71000 "\200!Zd\216\2002$S_-BMi\220/e+\0051RN\214\204\020q 3W\220\e'\017ov\206w\r\001\001\002\005", outl=2) at bss_sock.c:190
    #3  0x2d91a in BIO_read (b=0x62140, out=0x71000 "\200!Zd\216\2002$S_-BMi\220/e+\0051RN\214\204\020q 3W\220\e'\017ov\206w\r\001\001\002\005", outl=2) at bio_lib.c:128
    #4  0x1ee9d in read_n (s=0x66000, n=2, max=2, extend=0) at ssl_pkt.c:253
    #5  0x1eabf in SSL_read (s=0x66000, buf=0x83000 "1RN\214\204\020q 3W\220\e'\017ov~>\0238t)\024+'>rb\2179q\031O\035KX\e\032m]L/8=\205wny&Hq4\030t\213?99[C\tzj^K\031qpI\211D`s\220\216\023A\020\203\t\037<", len=1) at ssl_pkt.c:105
    #6  0x1e770 in get_server_finished (s=0x66000) at ssl_clnt.c:796
    #7  0x1d886 in SSL_connect (s=0x66000) at ssl_clnt.c:198
    #8  0x13fe5 in s_client_main (argc=0, argv=0xefbfd760) at s_client.c:277
    #9  0x1cdb in do_cmd (prog=0x63180, argc=6, argv=0xefbfd760) at ssleay.c:236
    #10 0x19e7 in main (Argc=7, Argv=0xefbfd75c) at ssleay.c:155

In some preliminary correspondence with Mark Murray (Hi Mark!), he thought
that the problem may be due to the fact that FreeBSD has its own message
digest library which SSLeay takes advantage of, but I've compiled a version
of ssleay without it (only dynamically links against libc), and it still
fails.

I'm not sure how useful tcpdump output is, but I've got some for successful
and unsuccessful attempts which I'm willing to upload to freefall upon
request. Likewise, my ssleay configure script and binaries.

[Impassionate plea: This is a *real* show-stopper for us! I was planning on
updating our web server survey to handle https as well as http servers,
(see http://www.netcraft.com/cgi-bin/Survey/whats) but there's no point if
I can't resolve this problem. I've got as far as I can with my current
level of expertise, but can't progress any further without delving into
the SSL protocol and SSLeay code.

I am, however, willing to donate some time, machine resources, and even
_money_, if I can get this resolved in a timely manner. Help!!]
>Audit-Trail:
>Unformatted:
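A note on what the trace above is waiting for, with an added example (this is not code from the PR, from SSLeay or from FreeBSD). Frame #4, read_n(n=2, max=2), is the client reading the two-byte record header of the next SSLv2 record; get_server_finished has already sent the client's finished message and is waiting for the server's. SSLv2 record headers come in two forms: if the top bit of the first byte is set the header is two bytes and the record length is the low 15 bits; otherwise it is three bytes, the length is the low 14 bits of the first two, and the third byte is a padding count. The buffer gdb prints in frames #2 and #3 begins with \200 (0x80) followed by "!" (0x21), which decodes to a 33-byte record with a two-byte header; since the recvfrom has not returned, those are whatever bytes were in the buffer before this read, not the record being waited for. The decoder below, plus a read loop that bounds every wait with a timeout, is the check a survey tool such as the one described in the plea would want so that a server that never sends its next record produces a timeout rather than a wedged process. The sample records fed through the socketpair are constructed for the example; the function names are mine.

```python
import socket


def parse_sslv2_record_header(hdr):
    """Decode an SSLv2 record header.

    Returns (header_len, record_len, padding_len).  With the top bit of the
    first byte set the header is 2 bytes and carries no padding count;
    otherwise it is 3 bytes and the third byte is the padding length.  The
    record length counts every byte after the header, padding included.
    """
    if len(hdr) < 2:
        raise ValueError("need at least 2 header bytes")
    if hdr[0] & 0x80:
        return 2, ((hdr[0] & 0x7F) << 8) | hdr[1], 0
    if len(hdr) < 3:
        raise ValueError("3-byte header form needs a third byte")
    return 3, ((hdr[0] & 0x3F) << 8) | hdr[1], hdr[2]


def recv_exactly(sock, n, timeout):
    """Read exactly n bytes, raising socket.timeout instead of blocking forever.

    This is the bound that a blocking recvfrom() inside BIO_read() lacks.
    """
    sock.settimeout(timeout)
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_sslv2_record(sock, timeout=5.0):
    """Read one SSLv2 record: the header (the 2-byte read seen in the trace),
    then the body.  Returns the payload with any padding stripped."""
    hdr = recv_exactly(sock, 2, timeout)
    if not hdr[0] & 0x80:
        hdr += recv_exactly(sock, 1, timeout)   # 3-byte form: fetch padding byte
    _, rec_len, pad_len = parse_sslv2_record_header(hdr)
    if pad_len > rec_len:
        raise ValueError("padding length exceeds record length")
    body = recv_exactly(sock, rec_len, timeout)
    return body[:rec_len - pad_len]


def probe(server_bytes, timeout=0.5):
    """Play constructed server bytes through a socketpair and report what the
    client side observed: ("record", payload), ("timeout", None) or ("eof", None).

    The server side sends its bytes once and then stays silent, which models
    a peer that has stopped talking mid-handshake.
    """
    client, server = socket.socketpair()
    try:
        server.sendall(server_bytes)
        try:
            return ("record", read_sslv2_record(client, timeout))
        except socket.timeout:
            return ("timeout", None)
        except EOFError:
            return ("eof", None)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    # The two bytes at the start of gdb's buffer dump: 0x80 0x21.
    print(parse_sslv2_record_header(b"\x80!"))
    # Constructed records: 2-byte header, then 3-byte header with 2 bytes of padding.
    print(probe(b"\x80\x03abc"))
    print(probe(b"\x00\x05\x02hello"))
    # A peer that sends nothing, and one that sends half a header, both time out
    # instead of hanging the caller.
    print(probe(b""))
    print(probe(b"\x80"))
```

The timeout value is the only policy knob: a survey that fans out across many hosts wants it short and per-read, which is why it is applied inside recv_exactly rather than once on the socket at connect time.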