Stuart Henderson wrote 2019-06-05 17:10:
On 2019-06-05, Frank Groeneveld <[email protected]> wrote:
On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
servers cannot be reached over HTTPS anymore. The error produced is
SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
but also with https://cvsweb.openbsd.org/
Anybody know what is going on? Chromium and openssl s_client on the
same system work fine and the same Firefox version in Ubuntu, Mac OS
and Windows doesn't have this problem.

Thanks in advance.

Sorry for the noise, apparently there is a bug on the Fedora side when connecting with newer versions of LibreSSL. Related bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1713777

The bug is server-side not client, looks like it would have been introduced
around January, and fixed in lib/libssl/ssl_tlsext.c r1.49

----------------------------
revision 1.49
date: 2019/05/29 17:28:37;  author: jsing;  state: Exp;  lines: +2 -5;
 commitid: DLpHk0vyoFEK0Baa;
Relax parsing of TLS key share extensions on the server.

The RFC does not require X25519 and it also allows clients to send an empty key share when they want the server to select a group. The current behaviour results in handshake failures where the client supports TLS 1.3 and sends a
TLS key share extension that does not contain X25519.

Issue reported by Hubert Kario via github.

ok tb@
----------------------------

Excuse me, can this issue also break dovecot and latest thunderbird?
With the latest thunderbird 60.7.0 (on fedora) my dovecot (and opensmtpd) suddenly refuse to log me in.
Dovecot shows something like this in logs:

TLS handshaking: SSL_accept() failed: error:140270E3:SSL routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

I found a workaround for this, by switching from "STARTTLS" to SSL/TLS for imap. But OpenSMTPD is still not working. As I said, this behavior appeared in the latest thunderbird 60.7.0. Older versions of thunderbird work.

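The parsing rule the r1.49 commit message describes, as an added C sketch that is not LibreSSL's code and not part of the thread: a server-side parser for the ClientHello key_share extension_data that accepts an empty client_shares list and lists without X25519. The `require_x25519` flag is a hypothetical switch modelling the stricter behaviour the commit message describes, and the sample byte arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GROUP_X25519 0x001d /* NamedGroup x25519, RFC 8446 */

/* Constructed extension_data samples; key bytes are zero placeholders. */
static const uint8_t EMPTY_SHARES[2] = {0x00, 0x00};            /* empty client_shares */
static const uint8_t P256_ONLY[71] = {0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04};
static const uint8_t X25519_ONLY[38] = {0x00, 0x24, 0x00, 0x1d, 0x00, 0x20};

/* Read a big-endian u16 at *off and advance; 0 if fewer than 2 bytes remain. */
static int get_u16(const uint8_t *p, size_t len, size_t *off, uint16_t *out)
{
    if (len - *off < 2)
        return 0;
    *out = (uint16_t)((p[*off] << 8) | p[*off + 1]);
    *off += 2;
    return 1;
}

/* Returns the KeyShareEntry count, or -1 on decode error. require_x25519 != 0
 * models the strict behaviour the commit message describes (hypothetical flag). */
int parse_client_key_share(const uint8_t *ext, size_t len, int require_x25519)
{
    size_t off = 0;
    uint16_t list_len, group, kx_len;
    int count = 0, seen_x25519 = 0;
    if (!get_u16(ext, len, &off, &list_len) || list_len != len - off)
        return -1; /* client_shares length must cover the data exactly */
    while (off < len) {
        if (!get_u16(ext, len, &off, &group) || !get_u16(ext, len, &off, &kx_len))
            return -1;
        if (kx_len == 0 || kx_len > len - off)
            return -1; /* key_exchange<1..2^16-1> must fit in the buffer */
        if (group == GROUP_X25519 && kx_len != 32)
            return -1; /* X25519 public keys are exactly 32 bytes */
        seen_x25519 |= (group == GROUP_X25519);
        off += kx_len;
        count++;
    }
    return (require_x25519 && !seen_x25519) ? -1 : count;
}

int main(void)
{
    printf("empty list: relaxed=%d strict=%d\n", parse_client_key_share(EMPTY_SHARES, 2, 0), parse_client_key_share(EMPTY_SHARES, 2, 1));
    printf("P-256 only: relaxed=%d strict=%d\n", parse_client_key_share(P256_ONLY, 71, 0), parse_client_key_share(P256_ONLY, 71, 1));
    return 0;
}
```

A return of 0 from the relaxed call means a well-formed but empty list, which leaves group selection to the server; -1 is the case that would surface to the client as a handshake failure.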