OK, so I'm seeing the same symptoms for a different reason: we're using statically linked openssl 1.0.1e & fips-2.0.2 (the full one, not the ecp version with curves removed) we've built ourselves from openssl.org downloads, so this is either a bug in openssl or nss (3.15.1 on CentOS 6.5, 3.15.2 on OpenSUSE 13.1, the 2 platforms we've reproduced this on).

Here is s_client debug output using the openssl executable from our build; is there something useful here?

[root@Fred bin]# ./openssl s_client -debug -connect u-86:1515
CONNECTED(00000003)
write to 0xa18f4b8 [0xa18f500] (321 bytes => 321 (0x141))
0000 - 16 03 01 01 3c 01 00 01-38 03 03 52 b0 a6 94 ec   ....<...8..R....
0010 - ad 02 e0 e2 a9 3d b1 52-6a 93 d1 d9 05 63 21 e4   .....=.Rj....c!.
0020 - c1 cc 12 c0 38 04 2b 6c-e2 fe da 00 00 a0 c0 30   ....8.+l.......0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 00 07   .......<./...A..
00b0 - c0 11 c0 07 c0 0c c0 02-00 05 00 04 00 15 00 12   ................
00c0 - 00 09 00 14 00 11 00 08-00 06 00 03 00 ff 01 00   ................
00d0 - 00 6f 00 0b 00 04 03 00-01 02 00 0a 00 34 00 32   .o...........4.2
00e0 - 00 0e 00 0d 00 19 00 0b-00 0c 00 18 00 09 00 0a   ................
00f0 - 00 16 00 17 00 08 00 06-00 07 00 14 00 15 00 04   ................
0100 - 00 05 00 12 00 13 00 01-00 02 00 03 00 0f 00 10   ................
0110 - 00 11 00 23 00 00 00 0d-00 22 00 20 06 01 06 02   ...#.....". ....
0120 - 06 03 05 01 05 02 05 03-04 01 04 02 04 03 03 01   ................
0130 - 03 02 03 03 02 01 02 02-02 03 01 01 00 0f 00 01   ................
0140 - 01                                                .
read from 0xa18f4b8 [0xa194a60] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 50                              ......P
3086775968:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

-Andrew
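The dump in the message above, decoded, as an added example that is not part of the original thread and not OpenSSL or NSS code: this script rebuilds the raw bytes from the `s_client -debug` hex lines, parses the ClientHello (version, cipher suites, compression, extensions) and decodes the 7-byte reply as a TLS alert, so you can see exactly which cipher suites and named curves the client put on the wire before the server answered. The two hex dumps embedded in it are copied from the output above and are the only input; the curve names are the RFC 4492 NamedCurve registry and the alert names the RFC 5246 AlertDescription registry. It assumes Python 3 with only the standard library.

```python
import re

# Hex dumps copied from the `openssl s_client -debug` output in the message
# above; they are the input this script is demonstrated on.
CLIENT_HELLO_DUMP = """
0000 - 16 03 01 01 3c 01 00 01-38 03 03 52 b0 a6 94 ec   ....<...8..R....
0010 - ad 02 e0 e2 a9 3d b1 52-6a 93 d1 d9 05 63 21 e4   .....=.Rj....c!.
0020 - c1 cc 12 c0 38 04 2b 6c-e2 fe da 00 00 a0 c0 30   ....8.+l.......0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 00 07   .......<./...A..
00b0 - c0 11 c0 07 c0 0c c0 02-00 05 00 04 00 15 00 12   ................
00c0 - 00 09 00 14 00 11 00 08-00 06 00 03 00 ff 01 00   ................
00d0 - 00 6f 00 0b 00 04 03 00-01 02 00 0a 00 34 00 32   .o...........4.2
00e0 - 00 0e 00 0d 00 19 00 0b-00 0c 00 18 00 09 00 0a   ................
00f0 - 00 16 00 17 00 08 00 06-00 07 00 14 00 15 00 04   ................
0100 - 00 05 00 12 00 13 00 01-00 02 00 03 00 0f 00 10   ................
0110 - 00 11 00 23 00 00 00 0d-00 22 00 20 06 01 06 02   ...#.....". ....
0120 - 06 03 05 01 05 02 05 03-04 01 04 02 04 03 03 01   ................
0130 - 03 02 03 03 02 01 02 02-02 03 01 01 00 0f 00 01   ................
0140 - 01                                                .
"""
ALERT_DUMP = "0000 - 15 03 03 00 02 02 50                              ......P"

# RFC 4492 NamedCurve ids 1..25 (all of which the dump above advertises).
NAMED_CURVES = {
    1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2",
    6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1",
    11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1", 15: "secp160k1",
    16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1", 20: "secp224k1",
    21: "secp224r1", 22: "secp256k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
}
# RFC 5246 AlertDescription values commonly seen in s_client failures.
ALERTS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
HANDSHAKE, ALERT, CLIENT_HELLO, EXT_ELLIPTIC_CURVES = 0x16, 0x15, 0x01, 0x000a


def parse_dump(text):
    """Turn `s_client -debug` hex-dump lines back into the raw record bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        offset, _, rest = line.partition(" - ")
        assert int(offset, 16) == len(raw), "hex dump is missing a line"
        hex_part = re.split(r"\s{2,}", rest.strip())[0]   # drop the ASCII column
        raw += bytes.fromhex(re.sub(r"[ -]", "", hex_part))
    return bytes(raw)


def u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello into its fields."""
    assert record[0] == HANDSHAKE, "not a handshake record"
    assert len(record) == 5 + u16(record, 3), "record length mismatch"
    hs = record[5:]
    assert hs[0] == CLIENT_HELLO, "not a ClientHello"
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                    # skip client_version + random
    sid_len = body[i]; i += 1
    session_id = body[i:i + sid_len]; i += sid_len
    cs_len = u16(body, i); i += 2
    suites = [u16(body, i + j) for j in range(0, cs_len, 2)]; i += cs_len
    comp_len = body[i]; i += 1
    compression = list(body[i:i + comp_len]); i += comp_len
    extensions = {}
    if i < len(body):                             # extensions block is optional
        end = i + 2 + u16(body, i); i += 2
        while i < end:
            ext_type, ext_len = u16(body, i), u16(body, i + 2); i += 4
            extensions[ext_type] = body[i:i + ext_len]; i += ext_len
        assert i == end, "extensions overran their declared length"
    return {"record_version": (record[1], record[2]), "version": (body[0], body[1]),
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "extensions": extensions}


def advertised_curves(hello):
    """Curve names from the elliptic_curves extension, in the client's order."""
    data = hello["extensions"].get(EXT_ELLIPTIC_CURVES, b"")
    ids = [u16(data, 2 + j) for j in range(0, u16(data, 0), 2)]
    return [NAMED_CURVES.get(c, "unknown(%d)" % c) for c in ids]


def parse_alert(record):
    """Decode an alert record into (level, description)."""
    assert record[0] == ALERT and u16(record, 3) == 2, "not an alert record"
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning", ALERTS.get(desc, "alert(%d)" % desc))


if __name__ == "__main__":
    hello = parse_client_hello(parse_dump(CLIENT_HELLO_DUMP))
    print("ClientHello version %r, %d cipher suites, extension types %r"
          % (hello["version"], len(hello["cipher_suites"]), sorted(hello["extensions"])))
    print("curves offered:", ", ".join(advertised_curves(hello)))
    print("server sent:", parse_alert(parse_dump(ALERT_DUMP)))
```

Running it shows the record layer stamped 3.1 while client_version is 3.3 (the SSLv23 client method's usual layout, which is why the error comes out of s23_clnt.c), 80 cipher suites, and all 25 RFC 4492 curves offered with the binary sect* curves first; the reply decodes to a fatal internal_error (80). The check worth making when the Java side reports CKR_DOMAIN_PARAMS_INVALID is to compare that offered curve list against the curves the server's PKCS#11 token actually supports, since whatever the server picks from it has to be one its own provider can handle.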

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Matt Caswell
Sent: Tuesday, December 17, 2013 10:47 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 1.0.1e - OpenJDK/NSS interoperability issue?

On 17 December 2013 18:11, Porter, Andrew <andrew_por...@bmc.com> wrote:
> We've run into a problem with a native x86/Linux app of ours - linked 
> statically with vanilla openssl-fips-2.0.2 and openssl-1.0.1e we've 
> built - trying to connect to our Java app when it is running under the 
> latest OpenJDK 1.7.0_45 on RedHat 6.5 or OpenSUSE v13.1:
> the native app logs
>
> SSL_connect: tlsv1 alert internal error
>
> and the Java app throws the exception:
>
> PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>
> A little searching turned up a very close match to our scenario in 
> this RedHat bug report:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1022017
>
> The conclusion (scroll down to comments 37/38) is that this is a bug 
> with openssl claiming to support an algorithm it doesn't, and the 
> RedHat version of the openssl 1.0.1e source has been patched to fix 
> this.
>
> Question: are they correct that this is an openssl bug? If so, will 
> this be fixed in a 1.0.1f or 1.02 release?

As I understand it Red Hat OpenSSL packages have restricted EC capabilities due 
to concerns about patents (although other distros do not share this concern):

https://bugzilla.redhat.com/show_bug.cgi?id=319901

The bug that you refer to above concerns an issue with the Red Hat OpenSSL package incorrectly advertising support for an EC curve that has been deliberately removed by the Red Hat package maintainers, i.e. it is not a bug in OpenSSL itself, but in the Red Hat OpenSSL package.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
______________________________________________________________________