Your message dated Sun, 29 Apr 2012 19:35:13 +0200
with message-id <[email protected]>
and subject line Re: I hit the same problem
has caused the Debian Bug report #667014,
regarding irssi: Can't connect to SSL-enabled server after upgrading libssl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
667014: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667014
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: irssi
Version: 0.8.15-4+b1
Severity: normal

Hi,

I'm unable to connect to an SSL-enabled IRC server after upgrading
libssl1.0.0.

This problem was apparently introduced in libssl 1.0.1-1. Previous
versions don't seem to be affected. Other SSL servers (I tried a few
from freenode) appear to work fine.

Unfortunately the server I'm having problems with is private and not
maintained by me so I can't give much information about it. This is
what irssi shows:

   -!- Irssi: warning SSL handshake failed: unsupported protocol

The output from openssl s_client:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4AE9B3BA50844D0DE4C7E0F4A8D060DE6D1295FA4B288C49FA305FF1A4938F2F
    Session-ID-ctx: 
    Master-Key: DC4B3C03F66FF34141717DDB89C57AB5857A9DF84899030EF70419675609BC717CF798A22094FCCFB6416C386FF08E0C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1333452749
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


I was going to file the bug report against openssl, but interestingly
enough, if I use irssi+stunnel (also based on openssl) everything
works fine. Here's the relevant stunnel output:

   SSL connected: new session negotiated
   Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
   Compression: null, expansion: null

Berto.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=pt_PT, LC_CTYPE=pt_PT (charmap=UTF-8) (ignored: LC_ALL set to pt_PT.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages irssi depends on:
ii  libc6                       2.13-27
ii  libglib2.0-0                2.30.2-6
ii  libncurses5                 5.9-4
ii  libperl5.14                 5.14.2-9
ii  libssl1.0.0                 1.0.1-4
ii  libtinfo5                   5.9-4
ii  perl                        5.14.2-9
ii  perl-base [perlapi-5.14.2]  5.14.2-9

irssi recommends no packages.

Versions of packages irssi suggests:
ii  irssi-scripts  20100512

-- no debconf information



--- End Message ---
--- Begin Message ---
On Mon, Apr 23, 2012 at 09:14:59AM +0200, Alberto Garcia wrote:
> On Sun, Apr 22, 2012 at 03:57:51PM +0200, Kurt Roeckx wrote:
> 
> > So it's my understanding that this happens:
> > - openssl sends a ClientHello, and says it supports TLS 1.0 - 1.2
> > - the server sends back a ServerHello saying to use TLS 1.1
> > - openssl has TLS 1.1 disabled and the connection fails.
> > 
> > And I think we won't be able to do much about this, without breaking
> > more things.
> 
> Do you think it is a problem in OpenSSL or in GnuTLS?

It was clearly a problem in openssl.  We've remapped the define to
a free and unused bit in 1.0.1b, and things should work again now.
So I think we can close this bug.


Kurt



--- End Message ---
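
The failure sequence and the "remapped define" from the closing message, as an added example that is not part of the thread or of OpenSSL's source: a simplified C model of the version check showing why an options mask that overlaps the old TLS 1.1 disable bit breaks the handshake only against a server that answers with TLS 1.1. Assumptions: the numeric values and the SSL_OP_ALL overlap are taken from the OpenSSL 1.0.1b changelog rather than from this page, and the function and macro names are hypothetical.

```c
#include <stdio.h>

/* Values per the OpenSSL 1.0.1b changelog (assumption: not quoted in the thread). */
#define OP_ALL_1_0_0       0x80000FFFUL /* SSL_OP_ALL as defined in 1.0.0 headers   */
#define OP_NO_TLS1_1_OLD   0x00000400UL /* SSL_OP_NO_TLSv1_1 in 1.0.1 and 1.0.1a    */
#define OP_NO_TLS1_1_NEW   0x10000000UL /* SSL_OP_NO_TLSv1_1 after the 1.0.1b remap */

/* TLS protocol versions as they appear on the wire. */
enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };

/* Would a library whose TLS 1.1 disable bit is `no_tls11_bit` consider
 * TLS 1.1 switched off for an application that set `options`? */
int tls11_disabled(unsigned long options, unsigned long no_tls11_bit)
{
    return (options & no_tls11_bit) != 0;
}

/* Simplified model of the exchange described in the thread (hypothetical helper).
 * Returns the negotiated version, or 0 for "unsupported protocol". */
int handshake(unsigned long options, unsigned long no_tls11_bit, int server_max)
{
    int offered = TLS1_2;                                      /* ClientHello: TLS 1.0 - 1.2  */
    int chosen  = server_max < offered ? server_max : offered; /* ServerHello picks a version */

    if (chosen == TLS1_1 && tls11_disabled(options, no_tls11_bit))
        return 0;              /* the client refuses the version it implicitly offered */
    return chosen;
}

int main(void)
{
    /* Application built against 1.0.0 headers that only asked for SSL_OP_ALL. */
    unsigned long app_options = OP_ALL_1_0_0;
    int servers[] = { TLS1_0, TLS1_1, TLS1_2 };

    for (int i = 0; i < 3; i++) {
        printf("server max 0x%04x: 1.0.1/1.0.1a -> 0x%04x, 1.0.1b -> 0x%04x\n",
               servers[i],
               handshake(app_options, OP_NO_TLS1_1_OLD, servers[i]),
               handshake(app_options, OP_NO_TLS1_1_NEW, servers[i]));
    }
    return 0;
}
```

A result of 0x0000 corresponds to the "unsupported protocol" error; servers that answer with TLS 1.0 or TLS 1.2 are unaffected in this model.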
