Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

Fri, 17 Jul 2015 04:10:43 -0700 

On 2015-07-17 12:39 PM, Yann Ylavic wrote:

Michael Felt wrote:

Yann Ylavic wrote:

So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass
now.

I'll pull ApacheTest and check.

I assume the attached logs_pr12355_LibreSSL.zip was with the latest
framework (including r1691419), so the RC4 =>  AES changes did not
work...
Yes, that was with the latest framework (svn checkout) - as I showed in the ciphers list - it is still there. 
so if I look through the VirtualHost definitions made by ApacheTest I should
see some "Location CipherSuite" declarations?

Yes, t/conf/ssl/ssl.conf.in has a VirtualHost SSLCipherSuite
"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" which is
overridden for some<Location>s (/require-aes{128,256}-cgi and
/modules/ssl/aes{128,256}/) with SSLCipherSuite "AES{128,256}-SHA".


[Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
   SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected 
message

That's not an alert (a close?).
Maybe a higher LogLevel (trace5?) would help, and/or a pcap...

So, an attachment again, with both binary and text of iptrace during run of
test pr12355. I guess (rather hope) you can read what is going on here.

Ouch, quite hard to read TLS in the matrix :)
Maybe "tcpdump -i lo -w dump.pcap -s0 tcp port 8532"?
(dump.pcap would then be readable in wireshark).
I would expect wireshark can also read iptrace date (the .iptrc file in the bz2 attachment) 
But possibly "LogLevel trace5" in httpd.conf (or
t/conf/ssl/ssl.conf.in 's VirtualHost) would be enough to see what's
going on.
Easiest for testing to just set it in /etc/httpd/httpd.conf and run make test again. This server is only for testing anyway. 
Since the "error" (interruption) seems to be on the client side
though, it may also be interesting to start httpd with a configuration
like the framework's generated t/conf/ssl/ssl.conf file, and then use
openssl s_client (or libressl s_client? dunno the name of that binary
in libreSSL...) with -state and -debug to have the client's POV...
libressl is the name of the package. the commands, etc. are the same. So, if you can be more explicit about what you are thinking/needing I shall comply.

Reply via email to