In a message of Sun, 03 Jun 2007 20:19:45 EDT, Eric Dorland writes:
>> >So the LD_LIBRARY_PATH is set to /usr/lib/iceweasel in the iceweasel
>> >shell script (which invokes the actual binary,
>> >/usr/lib/iceweasel/firefox-bin). How are you invoking it?
>>
>> Using the /usr/bin/iceweasel script... So at least theoretically,
>> running it as "env LD_LIBRARY_PATH=/usr/lib/iceweasel iceweasel"
>> vs just "iceweasel" shouldn't make any difference (I've read the
>> script now). But it certainly did when I was chasing the SSL problem
>> friday (or am I going insane?).
>
>I doubt you're crazy but maybe you made a mistake. Try it again on the
>machine you were having problems with and see.
Ok, I have some more data now (which also explains why I thought
setting LD_LIBRARY_PATH helped). I haven't managed to recreate
exactly the same situation I had on friday, but it looks similar
enough that I think it's still the same problem.
It seems that it is caused by interaction between the SSL server and
iceweasel. If the SSL server asks for a client certificate, but does
not specify any acceptable certificate authorities, connecting to the
SSL server will always work flawlessly the first time. Sometimes
the second and further attempts to connect will fail with a "connection
interrupted" error message:
The connection was interrupted
The connection to localhost:9999 was interrupted while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Iceweasel is permitted to access the Web.
Sometimes, if the SSL server uses TLSv1 only, it will instead say that
the "Iceweasel can't connect securely to localhost because the site uses
a security protocol which isn't enabled."
Unfortunately, I can't trigger it consistently, but it seems more common
if the server uses SSLv3 only or TLSv1 only. Using SSLv23 (i.e. 2 and 3
autonegotiation) breaks less often, but it happens there too.
Oh, and it's not the server, because openssl s_client connects just fine.
I'm including a small python program to test it. Uncommenting the
load_client_ca() line seems to make it consistently not break. If it's
not there, it will occasionally break. Switching methods seems to trigger
it quicker, so changing which SSL.*_METHOD is uncommented and then
reloading the page is more likely to trigger.
You'll need python-twisted-web2 and python-pyopenssl installed.
Generate the required certificates like:
$ openssl genrsa -out CA.key 1024
$ openssl req -new -key CA.key -x509 -out cacert
$ openssl genrsa -out foo.pkey 1024
$ openssl req -new -key foo.pkey -out foo.creq
$ openssl x509 -req -in foo.creq -CA cacert -CAkey CA.key -CAcreateserial -out
foo.cert
/Anders
from twisted.python import log
from twisted.internet import reactor, ssl
from twisted.web2 import server, resource, channel, http
import sys
from OpenSSL import SSL, crypto
class Root(resource.Resource):
addSlash = True
def render(self, req):
return http.Response(code=200, stream='foo')
class SSLContextFactory(ssl.ContextFactory):
def __init__(self, pkey, cert, cacert, method):
_pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, open(pkey).read())
_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cert).read())
_cacert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert).read())
self._ctx = ctx = SSL.Context(method)
#ctx.load_client_ca(cacert)
ctx.set_verify(SSL.VERIFY_PEER, self.verifyClientCallback)
ctx.set_cipher_list('RC4:-EXP:-LOW:-ADH:@STRENGTH')
ctx.use_certificate(_cert)
ctx.use_privatekey(_pkey)
certstore = ctx.get_cert_store()
certstore.add_cert(_cacert)
def verifyClientCallback(self, conn, cert, errnum, depth, ok):
"""
Verifiy the client connection.
Arguments: conn - the SSL connection
cert - the certificate being checked
errnum - error code from SSL (if applicable)
depth - depth in certificate verification chain
ok - 1: everything ok so far,
0: an error (available in errnum)
Returns: The new 'ok' value
"""
return ok
def getContext(self):
return self._ctx
def main():
log.startLogging(sys.stderr)
site = server.Site(Root())
print site
sslctx = SSLContextFactory('foo.pkey', 'foo.cert', 'cacert',
#SSL.SSLv23_METHOD)
#SSL.SSLv3_METHOD)
SSL.TLSv1_METHOD)
print site
reactor.listenSSL(9999, channel.HTTPFactory(site), sslctx)
reactor.run()
if __name__ == '__main__':
main()
