From owner-freebsd-stable@FreeBSD.ORG  Sat Dec 19 04:43:56 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 633C31065697
	for <freebsd-stable@freebsd.org>; Sat, 19 Dec 2009 04:43:56 +0000 (UTC)
	(envelope-from peter@simons-rock.edu)
Received: from hedwig.simons-rock.edu (hedwig.simons-rock.edu [208.81.88.14])
	by mx1.freebsd.org (Postfix) with ESMTP id 2967E8FC17
	for <freebsd-stable@freebsd.org>; Sat, 19 Dec 2009 04:43:55 +0000 (UTC)
Received: from cesium.hyperfine.info (c2.8d.5646.static.theplanet.com
	[70.86.141.194])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hedwig.simons-rock.edu (Postfix) with ESMTP id A40512BB36A;
	Fri, 18 Dec 2009 23:43:54 -0500 (EST)
Date: Fri, 18 Dec 2009 23:43:53 -0500
From: "Peter C. Lai" <peter@simons-rock.edu>
To: Chris H <chris#@1command.com>
Message-ID: <20091219044352.GO88081@cesium.hyperfine.info>
References: <f196357e2f75a3f986ab0c4dd04a7697.HRCIM@webmail.1command.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <f196357e2f75a3f986ab0c4dd04a7697.HRCIM@webmail.1command.com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Cc: freebsd-stable@freebsd.org
Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2009 04:43:56 -0000

This might have something to do with a libthr discussion I was CCed on.
Someone mentioned something about removing a link to libthr in openssl
but I can't remember if this was in the port or base openssl...

On 2009-12-18 05:32:41PM -0800, Chris H wrote:
> Greetings,
>  A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to indicate
> that changes in SSL have made it virtually unusable. I've spent the past 3 days
> attempting to (re)create an SSL enabled virtual host that serves web based access
> to local mail. Since it's local, I'm using self-signed certs following a scheme
> that
> has always worked flawlessly for the past 9 yrs. However, now having installed 8,
> it isn't working. The browser(s) throw "ssl_error_handshake_failure_alert"
> (ff-3.56).
> Other gecko based, and non-gecko based UA's throw similar, as well as openssl's
> s_client. After immense research, the only thing I can find that might best explain
> it is a recent SA patch applied to FreeBSD's src (SA-09:15). After reading what the
> patch provides. I am able to better understand the error messages thrown to
> /var/messages when attempting to negotiate a secure session in a UA:
> 
> kernel: TCP: [web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags
> 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
> socket was closed, sending RST and removing tcpcb
> kernel: TCP: [web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags
> 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment
> rejected (probably spoofed)
> kernel: TCP: [web.server.host.IP]:52153 to [web.server.host.IP]:443 tcpflags
> 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
> socket was closed, sending RST and removing tcpcb
> kernel: TCP: [web.server.host.IP]:52153 to [web.server.host.IP]:443 tcpflags
> 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment
> rejected (probably spoofed)
> kernel: TCP: [web.server.host.IP]:60382 to [web.server.host.IP]:443 tcpflags
> 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
> socket was closed, sending RST and removing tcpcb
> kernel: TCP: [web.server.host.IP]:60382 to [web.server.host.IP]:443 tcpflags
> 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment
> rejected (probably spoofed)
> 
> So, if I understand things correctly. The patch prevents (re)negotiation. Making
> the likelihood of a successful "handshake" near null (as the log messages above
> show). I'm sure that some may be quick to point the finger at the self-signed
> cert being more likely the cause, I should add that while in fact quite unlikely,
> I too didn't completely rule that out. So I purchased one from startssl - money
> wasted. The results were the same. So it would appear that until something else
> is done to overcome the hole in current openssl, my only recourse is to back the
> patch out, and rebuild openssl && all affected ports - no?
> 
> Thank you for all your time and consideration in this matter.
> 
> --Chris H
> 
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================