A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=5068
======================================================================
Reported By:                beezly
Assigned To:                dam
======================================================================
Project:                    wget
Issue ID:                   5068
Category:                   regular use
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
======================================================================
Date Submitted:             2013-04-19 11:58 CEST
Last Modified:              2013-04-19 23:18 CEST
======================================================================
Summary:                    Problems negotiating SSL with updates.oracle.com
Description:
With wget 1.14 I am experiencing problems connecting to updates.oracle.com (as PCA does when it pulls down the patchdiag.xref file).

If I do;

/opt/csw/bin/wget -d --progress=dot:binary --ca-certificate=/opt/csw/bin/pca -O /var/tmp/patchdiag.xref "https://getupdates.oracle.com/reports/patchdiag.xref"

I get;

Setting --progress (progress) to dot:binary
Setting --ca-certificate (cacertificate) to /opt/csw/bin/pca
Setting --output-document (outputdocument) to /var/tmp/patchdiag.xref
DEBUG output created by Wget 1.14 on solaris2.10.

URI encoding = 'ISO8859-1'
--2013-04-19 10:54:03-- https://getupdates.oracle.com/reports/patchdiag.xref
Resolving getupdates.oracle.com (getupdates.oracle.com)... 141.146.44.51
Caching getupdates.oracle.com => 141.146.44.51
Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected.
Created socket 5.
Releasing 0x000e8a18 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 5
Unable to establish SSL connection.

The same works if I use /usr/sfw/bin/wget instead (1.12 on this system).
======================================================================

----------------------------------------------------------------------
 (0010340) dam (administrator) - 2013-04-19 23:18
 https://www.opencsw.org/mantis/view.php?id=5068#c10340
----------------------------------------------------------------------
Ok, quick answer: you must add
  --secure-protocol=TLSv1

Long answer: the server at Oracle's side is broken. Here is the analysis from my colleague Yann Rouillard:

On 19.04.2013 at 23:10, Yann Rouillard <yann@xxx> wrote:

Ok, I think I got it.

It is not directly related to the tls protocol version, nor the cipher list. As soon as the "client hello" packet is bigger than or equal to 256, the Oracle webserver doesn't respond anymore.
It is triggered with tls 1.2 because it supports a lot more ciphers, which is why the packet easily reaches the 256 size.

I put some tests I made at the end of this mail.

This is rather a bug on the Oracle server side.
If there are a lot of ssl implementations which have this bug, I could open a ticket upstream and maybe patch.

Now the question is how to submit this problem to Oracle. I wonder if they will accept that kind of bug on "My Oracle Support". I will try.

Yann

To reproduce:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)

Packet size 256 -> the connection is stuck.

Let's remove just one cipher:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]

Packet size < 256: it worked, the server answered.

Let's use the same cipher list as before, but we disable the session ticket extension to shorten the size of the packet:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -no_ticket -connect getupdates.oracle.com:443
CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]

Packet size < 256: it works also.

_______________________________________________
bug-notifications mailing list
https://lists.opencsw.org/mailman/listinfo/bug-notifications
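
Added example, not part of the original note and not wget or OpenSSL code: the ClientHello size arithmetic behind the three tests above, with the message built per RFC 5246. The placeholder suite IDs, the minimal extension set and the choice to measure the handshake message (the note does not say which length it counted) are assumptions, so the counts differ from the real cipher list.

```python
import struct

LIMIT = 256  # size at which the note reports the server stops answering

def ext(ext_type, body=b""):
    """One TLS extension: 2-byte type, 2-byte length, then the body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def client_hello(n_suites, session_ticket=True):
    """TLS 1.2 ClientHello handshake message (RFC 5246, section 7.4.1.2).

    Assumptions: suite IDs are placeholders (only their count matters for
    size), the random is zeroed, and the extension set is a constructed
    minimal one, not a capture of what any OpenSSL build sends.
    """
    suites = b"".join(struct.pack("!H", i + 1) for i in range(n_suites))
    exts = [
        ext(0x000B, b"\x01\x00"),                           # ec_point_formats
        ext(0x000A, struct.pack("!HHH", 4, 23, 24)),        # elliptic_curves
        ext(0x000D, struct.pack("!HBBBB", 4, 4, 1, 2, 1)),  # signature_algorithms
    ]
    if session_ticket:
        exts.append(ext(0x0023))    # empty SessionTicket; -no_ticket drops it
    ext_block = b"".join(exts)
    body = (
        b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
        + struct.pack("!H", len(suites)) + suites  # 2 bytes per cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(ext_block)) + ext_block
    )
    # Handshake header: type 1 (client_hello) followed by a 24-bit length.
    return b"\x01" + struct.pack("!I", len(body))[1:] + body

def hello_size(n_suites, session_ticket=True):
    """Length in bytes of the handshake message, header included."""
    return len(client_hello(n_suites, session_ticket))

def first_failing_count(session_ticket=True):
    """Smallest number of suites whose ClientHello reaches LIMIT bytes."""
    n = 1
    while hello_size(n, session_ticket) < LIMIT:
        n += 1
    return n

if __name__ == "__main__":
    n = first_failing_count()
    print(n, hello_size(n))           # list that reaches the limit
    print(n - 1, hello_size(n - 1))   # one cipher removed: 2 bytes shorter
    print(n, hello_size(n, False))    # same list, no ticket: 4 bytes shorter
```

In this model either change alone brings the message back under 256 bytes, which matches the pattern of the three openssl runs.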
