Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

Thu, 16 Jul 2015 14:49:13 -0700 

On Thu, Jul 16, 2015 at 7:02 PM, Michael Felt <[email protected]> wrote:
>
> A longish read - basically while 2.4.12 had few errors when built against
> OpenSSL 0.9.8 LibreSSL has quite a few errors - perhaps because it has
> removed many "unsafe" crypto combinations. The root question is: is this
> LibreSSL misbehaving, or are the tests needing some work to verify that
> "weak ciphers and key exchanges are not being used - e.g., via
> renegotiation.

Latest commit on test framework ([1]) replaced RC4-{MD5,SHA} with
AES{128,256}-SHA so that these are more likely to be known by both
libs (unless LibreSSL also disabled all CBC based chainings).
So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass now.

BTW that's not what triggers the renegotiations since keep-alive seems
not be used for successive requests (that possibly could be another
test, though logs show Initial connections only here), but rather a
specific Location's CipherSuite different from the (handshaken)
VirtualHost's one.

>
> One test in LibreSSL (first one) from test:
> [...]
> [Thu Jul 16 11:47:11.864018 2015] [ssl:debug] [pid 389322:tid 772]
>  ssl_engine_kernel.c(1908): [client 127.0.0.1:48673] AH02043: SSL virtual 
> host for servername loopback found
> [Thu Jul 16 11:47:11.982116 2015] [ssl:debug] [pid 389322:tid 772]
>  ssl_engine_kernel.c(1841): [client 127.0.0.1:48673] AH02041: Protocol: 
> TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

Is the framework using openssl or libressl here?
Are PATH or APACHE_TEST_OPENSSL_CMD defined, or maybe the system's default lib?

> [Thu Jul 16 11:47:12.051994 2015] [ssl:error] [pid 389322:tid 772]
>  [client 127.0.0.1:48673] AH02261: Re-negotiation handshake failed: Not 
> accepted by client!?
> [Thu Jul 16 11:47:12.052072 2015] [ssl:info] [pid 389322:tid 772]
>  [client 127.0.0.1:48673] AH02008: SSL library error 1 in handshake (server 
> loopback:8532)
> [Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
>  SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected 
> message

That's not an alert (a close?).
Maybe a higher LogLevel (trace5?) would help, and/or a pcap...

Regards,
Yann.

[1] http://svn.apache.org/r1691419

Reply via email to