On 2015-07-16 11:48 PM, Yann Ylavic wrote:
On Thu, Jul 16, 2015 at 7:02 PM, Michael Felt<[email protected]> wrote:
A longish read - basically while 2.4.12 had few errors when built against
OpenSSL 0.9.8 LibreSSL has quite a few errors - perhaps because it has
removed many "unsafe" crypto combinations. The root question is: is this
LibreSSL misbehaving, or are the tests needing some work to verify that
"weak ciphers and key exchanges are not being used - e.g., via
renegotiation.
Latest commit on test framework ([1]) replaced RC4-{MD5,SHA} with
AES{128,256}-SHA so that these are more likely to be known by both
libs (unless LibreSSL also disabled all CBC based chainings).
So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass now.
I'll pull ApacheTest and check.
BTW that's not what triggers the renegotiations since keep-alive seems
not be used for successive requests (that possibly could be another
test, though logs show Initial connections only here), but rather a
specific Location's CipherSuite different from the (handshaken)
VirtualHost's one.
so if I look through the VirtualHost definitions made by ApacheTest I
should see some "Location CipherSuite" declarations?
One test in LibreSSL (first one) from test:
[...]
[Thu Jul 16 11:47:11.864018 2015] [ssl:debug] [pid 389322:tid 772]
ssl_engine_kernel.c(1908): [client 127.0.0.1:48673] AH02043: SSL virtual host
for servername loopback found
[Thu Jul 16 11:47:11.982116 2015] [ssl:debug] [pid 389322:tid 772]
ssl_engine_kernel.c(1841): [client 127.0.0.1:48673] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Is the framework using openssl or libressl here?
Are PATH or APACHE_TEST_OPENSSL_CMD defined, or maybe the system's default lib?
As it is TLSv1.2 - that is LibreSSL. I'll generate a list of the ciphers
it supports asap.
[Thu Jul 16 11:47:12.051994 2015] [ssl:error] [pid 389322:tid 772]
[client 127.0.0.1:48673] AH02261: Re-negotiation handshake failed: Not
accepted by client!?
[Thu Jul 16 11:47:12.052072 2015] [ssl:info] [pid 389322:tid 772]
[client 127.0.0.1:48673] AH02008: SSL library error 1 in handshake (server
loopback:8532)
[Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected
message
I had cut out all the debug statements - (grep -v debug
t/logs/error_log) - for me too much noise.
I'll see about pcap/tcpdump (AIX program name is either tcpdump
(standard *NIX interface) or iptrace
That's not an alert (a close?).
Maybe a higher LogLevel (trace5?) would help, and/or a pcap...
Regards,
Yann.
[1] http://svn.apache.org/r1691419
