Hi, there! 

<lengthy_introduction_that_you_may_skip_without_loss>

  My problem started recently with a migration from openSUSE-12.1 to openSUSE-12.2.
  openSUSE-12.2 comes with curl-7.25.0 resp. libcurl/7.25.0, 
  and they in turn use OpenSSL/1.0.1c 

  Until "recently" this worked for me 
  (and it still does on a different platform with *older* versions of "everything"),
  but now it breaks: 

      $ curl --verbose --insecure 'https://banking.postbank.de/rai/login' 
      * About to connect() to banking.postbank.de port 443 (#0) 
      *   Trying 62.153.105.15... 
      * connected 
      * Connected to banking.postbank.de (62.153.105.15) port 443 (#0) 
      * successfully set certificate verify locations: 
      *   CAfile: none 
        CApath: /etc/ssl/certs/ 
      * SSLv3, TLS handshake, Client hello (1): 
      * Unknown SSL protocol error in connection to banking.postbank.de:443 
      * Closing connection #0 
      curl: (35) Unknown SSL protocol error in connection to banking.postbank.de:443

</lengthy_introduction_that_you_may_skip_without_loss>

A web page on curl.haxx.se (http://curl.haxx.se/docs/sslcerts.html) teaches me
that I should try this in order to find out whether the problem is with
openssl:

    $ openssl s_client -connect banking.postbank.de:443 

Alright, I did a binary search on the "recent" releases of openssl: 

  0.9.8x, 1.0.0, 1.0.0j, 1.0.1, 1.0.1c 

The last one that did not break my request is 1.0.0j;
the first one that breaks my request is 1.0.1.
(I skipped the betas.)

And the problem report looks like this
("SSL handshake has read 0 bytes and written ..."): 

    $ /usr/local/src/openssl-1.0.1/apps/openssl s_client -connect banking.postbank.de:443
    $ openssl s_client -connect banking.postbank.de:443 
    WARNING: can't open config file: /usr/local/openssl-1.0.1/openssl.cnf 
    CONNECTED(00000003) 
    write:errno=104 
    --- 
    no peer certificate available 
    --- 
    No client certificate CA names sent 
    --- 
    SSL handshake has read 0 bytes and written 321 bytes 
    --- 
    New, (NONE), Cipher is (NONE) 
    Secure Renegotiation IS NOT supported 
    Compression: NONE 
    Expansion: NONE 
    --- 

Here are the last few lines of "make test" for 1.0.0j and 1.0.1, 
just in case you want to see them: 

    openssl-1.0.0j 

            ALL TESTS SUCCESSFUL. 
            make[1]: Leaving directory `/usr/local/src/openssl-1.0.0j/test' 
            OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a 
            OpenSSL 1.0.0j 10 May 2012 
            built on: Tue Sep 18 14:21:04 CEST 2012 
            platform: linux-elf 
            options:  bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
            compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
            OPENSSLDIR: "/usr/local/openssl-1.0.0j" 

    openssl-1.0.1 

            ALL TESTS SUCCESSFUL. 
            make[1]: Leaving directory `/usr/local/src/openssl-1.0.1/test' 
            OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a 
            OpenSSL 1.0.1 14 Mar 2012 
            built on: Tue Sep 18 14:29:57 CEST 2012 
            platform: linux-elf 
            options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
            compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
            OPENSSLDIR: "/usr/local/openssl-1.0.1" 

Anybody any idea? 

Any specific details I can provide you with?

Is it a bug or a feature? 

A little lost ... 
Jochen


P.S.

I posted this already yesterday through Google Groups as

  https://groups.google.com/forum/?fromgroups=&hl=en#!topic/mailing.openssl.users/1bw48CGd5xQ

but it looks as if this doesn't reach the mailing list,
so I post it here again.
I apologise for the redundancy.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
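
An added example, not part of the original post and not OpenSSL project code: a small Python triage helper that parses the `s_client` summary quoted in the message above and names the stage at which the handshake stopped. The function names and category labels are hypothetical; the sample transcript is copied from the post.

```python
import re

LINUX_ECONNRESET = 104  # "Connection reset by peer" on Linux, as in the post

# Sample input: the s_client summary quoted in the post above.
SAMPLE = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

def parse_s_client(text):
    """Extract the fields of an s_client transcript that matter for triage."""
    info = {"connected": "CONNECTED(" in text, "errno": None,
            "read": None, "written": None, "cipher": None}
    m = re.search(r"^(?:read|write):errno=(\d+)", text, re.M)
    if m:
        info["errno"] = int(m.group(1))
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", text)
    if m:
        info["read"], info["written"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Cipher is (\S+)", text)
    if m and m.group(1) != "(NONE)":
        info["cipher"] = m.group(1)
    return info

def classify(info):
    """Map the parsed fields to a coarse failure stage (labels are hypothetical)."""
    if not info["connected"]:
        return "tcp-connect-failed"
    if info["read"] == 0 and info["written"]:
        # The ClientHello went out and nothing came back: the peer dropped
        # the connection before sending a single handshake byte.
        if info["errno"] == LINUX_ECONNRESET:
            return "reset-after-client-hello"
        return "no-reply-to-client-hello"
    if info["cipher"] is None:
        return "handshake-incomplete"
    return "handshake-ok"

if __name__ == "__main__":
    print(classify(parse_s_client(SAMPLE)))
```

Feeding it the output of each OpenSSL build from the binary search gives one comparable label per version instead of a transcript to read by eye.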