On 10/05/2012 13:41, Andreas Bießmann wrote:
> On Thu, May 10, 2012 at 12:38:00PM +0200, Erwann Abalea wrote:
>> On 10/05/2012 11:39, Andreas Bießmann wrote:
>>> My questions:
>>>   * can anyone confirm this behaviour (it seems other hosts are working with
>>>     openssl 1.0+, but not the banking.postbank.de)?
>>>   * can anyone give me a hint how to track this down?
>> I happen to get the same behaviour behind our firewall when
>> ECDHE-whatever is negotiated as the ciphersuite. The FW drops the
>> connection, resulting in this "errno=104" error. Try to limit the
>> set of ciphersuites in your client.
> Ok so 'openssl s_client -connect banking.postbank.de:443 -cipher AES256-SHA'
> works with 1.0.1b. Thanks so far.

After more tests on this host, it appears it suffers from the "0xff limit ClientHello" bug. Try adding a large SNI extension to make this message bigger, by adding the "-servername xxxxxx" argument to your command line, with a sufficiently large "xxxxxx" string. It will stop working. With only this cipher accepted, the "xxxxxx" has to be at least 192 bytes long to cause the server to fail.
Your firewall is probably OK, your client is OK, the server is faulty.

> But it is nasty to limit cipher by host. So I could exclude all these ECDHE-
> stuff if these are really causing the error.
>
> But I wonder if there is another solution. I see this behaviour with all tools
> using openssl 1.0.1. I found it first with python on my mac and asked myself
> why it works from time to time (python packaged by fink uses openssl-1.0.1,
> Apple's version uses openssl-0.9.8 ;). However that could be fixed by working
> around in my scripts but wget fails also and curl does, ... So I ask myself
> 'could there be a solution inside the library?'.


The problem lies in the server, it's difficult to change the client's behaviour to correctly adapt to buggy servers.

--
Erwann ABALEA
-----
Can someone tell me how to create a new Usenet group?
Who do I need to contact? Does it cost anything?
-+- Moe in GNU - What of it does it cost how much? -+-

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
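The ClientHello-size check Erwann describes, as an added example (not code from this thread or from OpenSSL): it builds a minimal TLS 1.0 ClientHello with a given cipher-suite list and an SNI extension, then finds the SNI length at which the record grows past 0xff bytes. Because it carries none of the other extensions openssl 1.0.1 s_client sends, its threshold differs from the 192 bytes measured on the list; the suite code and the zeroed client random are constructed values.

```python
import struct

TLS1_0 = b"\x03\x01"
AES256_SHA = b"\x00\x35"  # TLS_RSA_WITH_AES_256_CBC_SHA, the single suite used on the list


def build_client_hello(cipher_suites, servername=None):
    """Return a minimal TLS 1.0 ClientHello record: at most one extension (SNI),
    so it is smaller than what openssl 1.0.1 actually sends."""
    body = TLS1_0 + b"\x00" * 32 + b"\x00"  # version, constructed all-zero random, empty session id
    suites = b"".join(cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    if servername is not None:
        name = servername.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name  # NameType host_name(0)
        sni_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # ExtensionType server_name(0)
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + TLS1_0 + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake(22)


def record_length(record):
    """Length field of the TLS record header, the first thing a server or middlebox reads."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    return struct.unpack(">H", record[3:5])[0]


def min_sni_length_over_0xff(cipher_suites):
    """Smallest SNI length that pushes this ClientHello record past 0xff bytes
    (0 means the cipher-suite list alone already does it, as with 1.0.1's long list)."""
    for n in range(0, 1024):
        if record_length(build_client_hello(cipher_suites, "x" * n)) > 0xFF:
            return n
    return None


if __name__ == "__main__":
    print("one suite, no SNI:", record_length(build_client_hello([AES256_SHA])))
    print("one suite, SNI needed to pass 0xff:", min_sni_length_over_0xff([AES256_SHA]))
    print("110 suites, SNI needed:", min_sni_length_over_0xff([AES256_SHA] * 110))
```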