Package: openssl
Version: 1.0.1c-3
Severity: important

--- Please enter the report below this line. ---
I can't connect to hosts which allow only SSLv3:

$ openssl s_client -connect www.ovh.com:443
CONNECTED(00000003)
139991546484392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

but by specifying "ssl3" on the command line, it works:

$ openssl s_client -connect www.ovh.com:443 -ssl3
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=424761419/1.3.6.1.4.1.311.60.2.1.3=FR/1.3.6.1.4.1.311.60.2.1.2=Nord/1.3.6.1.4.1.311.60.2.1.1=ROUBAIX/businessCategory=Private Organization/C=FR/postalCode=59100/ST=NORD/L=ROUBAIX/street=2 rue Kellermann/O=OVH/OU=0002 424761419/OU=Comodo EV SSL/CN=www.ovh.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Extended Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
[...]
---
SSL handshake has read 5379 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : AES256-SHA
    Session-ID: 8635E8662D8A62507C15E8371C4E8121F317A17F15D749FE40112EA5FC022455
    Session-ID-ctx:
    Master-Key: D5035A130786444B3B08C7E522EA0805B80B461803F32554B1ABF98B9172ECBE98E9252C4A6840F8500C9913CAE85281
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1343556050
    Timeout : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Note that *gnutls* is also affected, but browsers like Lynx, Iceweasel, Chromium or Empathy don't have any trouble.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable apt.daevel.fr
    1 experimental apt.daevel.fr

--- Package information. ---
Depends (Version)            | Installed
============================-+-=============
libc6 (>= 2.7)               | 2.13-35
libssl1.0.0 (>= 1.0.1)       | 1.0.1c-3
zlib1g (>= 1:1.1.4)          | 1:1.2.7.dfsg-13

Package's Recommends field is empty.

Suggests (Version)             | Installed
==============================-+-===========
ca-certificates                | 20120623
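
The two transcripts above can be told apart mechanically: the failing run wrote 320 bytes and read 0, while the -ssl3 run negotiated a protocol and cipher. The script below is an added example, not part of the original report or of OpenSSL; `classify_s_client` and its verdict names are hypothetical, and the two sample transcripts are excerpts of the output quoted in the report.

```sh
#!/bin/sh
# Added example: classify an `openssl s_client` transcript read on stdin.
# Verdict names are this example's own labels, not OpenSSL output:
#   ok        a protocol and cipher were negotiated
#   no-reply  the ClientHello was written but 0 bytes came back
#   rejected  the peer answered, but no cipher was negotiated
#   unknown   no handshake summary line in the input
classify_s_client() (
    # Subshell body keeps the variables local in any POSIX shell.
    re='^SSL handshake has read \([0-9][0-9]*\) bytes and written \([0-9][0-9]*\) bytes.*$'
    out=$(cat)
    rd=$(printf '%s\n' "$out" | sed -n "s/$re/\1/p" | head -n 1)
    wr=$(printf '%s\n' "$out" | sed -n "s/$re/\2/p" | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\) *$/\1/p' | head -n 1)
    if [ -z "$rd" ]; then verdict=unknown
    elif [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then verdict=ok
    elif [ "$rd" -eq 0 ]; then verdict=no-reply
    else verdict=rejected
    fi
    printf '%s protocol=%s cipher=%s read=%s written=%s\n' \
        "$verdict" "${proto:-none}" "${cipher:-none}" "${rd:-?}" "${wr:-?}"
)

# Sample input: excerpt of the default (no -ssl3) run quoted in the report.
FAILED_SAMPLE='CONNECTED(00000003)
139991546484392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Sample input: excerpt of the -ssl3 run quoted in the report.
SSL3_SAMPLE='SSL handshake has read 5379 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol : SSLv3
    Cipher : AES256-SHA'

printf '%s\n' "$FAILED_SAMPLE" | classify_s_client
printf '%s\n' "$SSL3_SAMPLE" | classify_s_client
```

To use it on a live check, pipe the combined output of `openssl s_client` into `classify_s_client`.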