OpenSSL 0.9.8j bug (reproducible SSL negotiation issue, 0.9.8i unaffected)

Thu, 08 Jan 2009 16:33:45 -0800 

What I've narrowed it down to is this ...

Command run:
./openssl s_client -no_ssl2 -connect igusprodb.globalpay.com:443

Tested versions:
OpenSSL 0.9.8h - good
OpenSSL 0.9.8i - good
OpenSSL 0.9.8j-stable-SNAP-20081123 - good
OpenSSL 0.9.8j release - bad

Without the -no_ssl2, the release 0.9.8j is fine.  Also, if I
pass -no_ticket _with_ -no_ssl2, it works ...

So I'm wondering what's happened since November that would cause
this to fail...  The 20081123 snapshot is the only one I have, I'll have
to do pulls directly from CVS to try to narrow the timeframe down
further, but maybe someone else knows already what the issue is...

=====
Here's the error with -debug:

b...@linux23-x64 ~/openssl-0.9.8j/apps $ ./openssl version
OpenSSL 0.9.8j 07 Jan 2009

b...@linux23-x64 ~/openssl-0.9.8j/apps $ ./openssl s_client -no_ssl2 -connect 
igusproda.globalpay.com:443 -debug
CONNECTED(00000003)
write to 0x81bf000 [0x81bf058] (94 bytes => 94 (0x5E))
0000 - 16 03 01 00 59 01 00 00-55 03 01 49 66 99 20 67   ....Y...U..If. g
0010 - 8a c9 db df 03 b6 50 27-c0 51 83 ad 5e 72 5d 26   ......P'.Q..^r]&
0020 - db f2 b4 57 f3 88 d3 6d-21 e0 4a 00 00 28 00 39   ...W...m!.J..(.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 07 00 05 00 04 00 15-00 12 00 09 00 14 00 11   ................
0050 - 00 08 00 06 00 03 01 00-00 04 00 23               ...........#
005e - <SPACES/NULS>
read from 0x81bf000 [0x81c45b8] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 2f                              ....../
4448:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal 
parameter:s23_clnt.c:596:
=====

=====
Here's it working with the 20081123 0.9.8j snapshot
b...@linux23-x64 ~/openssl-0.9.8-stable-SNAP-20081123/apps $ ./openssl version
OpenSSL 0.9.8j-dev xx XXX xxxx
b...@linux23-x64 ~/openssl-0.9.8-stable-SNAP-20081123/apps $ ./openssl s_client -no_ssl2 -connect igusproda.globalpay.com:443 
CONNECTED(00000003)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Georgia/L=Atlanta/O=Global Payments Inc./OU=Systems & 
Engineering/CN=gpgw3.globalpay.com
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIESzCCA7SgAwIBAgIQEusKd1YxUQh1N59FuooNTzANBgkqhkiG9w0BAQUFADCB
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
ODA0MjUwMDAwMDBaFw0xMDA0MjUyMzU5NTlaMIGOMQswCQYDVQQGEwJVUzEQMA4G
A1UECBMHR2VvcmdpYTEQMA4GA1UEBxQHQXRsYW50YTEdMBsGA1UEChQUR2xvYmFs
IFBheW1lbnRzIEluYy4xHjAcBgNVBAsUFVN5c3RlbXMgJiBFbmdpbmVlcmluZzEc
MBoGA1UEAxQTZ3BndzMuZ2xvYmFscGF5LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAq+7KAymLVuSyzBFlbKGlpzAokASOcTCBqqvxfp05kR9KkCTzxRO9
pMWwNg/00IwOLnhWTGnwhAiNXPRiG4NEzmtuRPSL+YiT+id644Rtys4L0kdGwRuN
PmULU0044Uct9Jms+nHezbiinnudQbsUfFUJOn4zg8uGnyEcaCOOkb0CAwEAAaOC
AXowggF2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEYGA1UdHwQ/MD0wO6A5oDeG
NWh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL0NsYXNzM0ludGVybmF0aW9uYWxTZXJ2
ZXIuY3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAoBgNVHSUEITAfBglghkgBhvhC
BAEGCCsGAQUFBwMBBggrBgEFBQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTBuBggrBgEFBQcBDARiMGChXqBc
MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
KoZIhvcNAQEFBQADgYEAZYq0ZzMUPxeR4AiRJoJLVKSaRwXKwnrz54phsCC5tBfp
pNeeKVcIb+bReamMVJYRAA7iIGxFbeaoF4nbzjwn9idXZ+pZkIppHlc66j7Lp88i
LVE07jI96VRcbWfBc7jLAXczSBUiEQ+n45IEIepg7gjG7W1f98eNpYC6iEu/FfY=
-----END CERTIFICATE-----
subject=/C=US/ST=Georgia/L=Atlanta/O=Global Payments Inc./OU=Systems & 
Engineering/CN=gpgw3.globalpay.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 
---
No client certificate CA names sent
---
SSL handshake has read 2139 bytes and written 270 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 00003F80C92E0000AD8E063F74F2DB5E
    Session-ID-ctx:
    Master-Key: 
B93453BF53E27AD4957BF17E0A98FD84D56C970632913287AEC999F0E22BF179C469BE4243F55F2DE922267CBD0A130D
    Key-Arg   : None
    Start Time: 1231460573
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
=====

Any insight would be appreciated.

Thanks!
-Brad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to