Bug#665452: [Pkg-openssl-devel] Bug#665452: Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
On Sun, Mar 25, 2012 at 04:01:13AM +0200, Kurt Roeckx wrote:
> That bug report mentions owa.mit.edu, which also responds with:
> Server: BigIP

So Derek Poon reported this:
| We run a site that uses the F5 Networks BIG-IP load balancer, and
| OpenSSL 1.0.1 triggers this bug on the load balancer. When it
| occurs, the load balancer neither forwards the request to a pool
| member, nor does it respond to the OpenSSL client. There are
| warning messages in the load balancer's /var/log/ltm file:
| warning tmm[5313]: 012f0002:4: WARN at ../modules/hudproxy/bigproto/pva/pva_frames.c:1234:Received illegal header padding 100 versus 2ff
| Working with F5 Networks tech support, we have determined that
| this is a known issue, which they track as Bug 376483. It is
| fixed in the recently released BIG-IP LTM 10.2.4 software, though
| it is not mentioned in their release notes, and I confirm that TLS
| 1.2 connections no longer hang after upgrading to 10.2.4.

Kurt

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Package: libssl1.0.0
Version: 1.0.1-2
Severity: important

Hi,

installing the newest version breaks curl (and other download tools
using libssl like perl GET) on https://sourceforge.net/
Downgrading to 1.0.0h solves the problem.

Attached are curl --trace outputs with version 1.0.0h and 1.0.1.

Since the SSL error message is not very helpful, I could not match this
problem to any of the existing bugs. So feel free to ask for more info
about this.

Regards,
  Bastian

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.12rum1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.42
ii  libc6                  2.13-27
ii  multiarch-support      2.13-27
ii  zlib1g                 1:1.2.6.dfsg-2

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:

curl_sourceforge.net_1.0.0h.log
Description: Binary data

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
== Info: About to connect() to sourceforge.net port 443 (#0)
== Info:   Trying 216.34.181.60...
== Info: connected
== Info: Connected to sourceforge.net (216.34.181.60) port 443 (#0)
== Info: successfully set certificate verify locations:
== Info:   CAfile: none
  CApath: /etc/ssl/certs
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 335 bytes (0x14f)
curl: (35) Unknown SSL protocol error in connection to sourceforge.net:443
== Info: Unknown SSL protocol error in connection to sourceforge.net:443
== Info: Closing connection #0
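curl --trace prints the ClientHello it sends as raw handshake bytes after the "Send SSL data" line, and decoding those bytes shows which protocol version, how many cipher suites and how many bytes the client offered. The following is an added example, not part of the original report and not curl or OpenSSL code: a small Python decoder for such a message, run on a constructed ClientHello. build_sample_hello, parse_client_hello and the host example.test are names made up for the illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_sample_hello(version=0x0303, host=b"example.test", suites=(0xC030, 0x009D, 0x0035)):
    """Constructed ClientHello handshake message (sample input, not the page's trace)."""
    sni = struct.pack("!BH", 0, len(host)) + host          # name_type, name length, name
    sni = struct.pack("!H", len(sni)) + sni                # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body = struct.pack("!H", version) + bytes(32)          # client_version + 32-byte random
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: null
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type 1 + 24-bit length

def parse_client_hello(msg):
    """Decode a handshake-layer ClientHello (no record header), as curl --trace dumps it."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length does not match the data supplied")
    pos = 4
    (version,) = struct.unpack_from("!H", msg, pos)
    pos += 2 + 32                                          # skip version and random
    pos += 1 + msg[pos]                                    # skip session_id
    (suite_len,) = struct.unpack_from("!H", msg, pos)
    pos += 2 + suite_len                                   # skip cipher suite list
    pos += 1 + msg[pos]                                    # skip compression methods
    info = {"bytes": len(msg), "offered": VERSIONS.get(version, hex(version)),
            "cipher_suites": suite_len // 2, "sni": None}
    if pos < len(msg):                                     # extensions are optional
        (ext_total,) = struct.unpack_from("!H", msg, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if etype == 0:                                 # list_len(2) type(1) name_len(2) name
                (nlen,) = struct.unpack_from("!H", msg, pos + 3)
                info["sni"] = msg[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    return info

if __name__ == "__main__":
    print(parse_client_hello(build_sample_hello()))
```

To use it on a real trace, pass the bytes of the dump through bytes.fromhex() after stripping the offset and ASCII columns.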
Bug#665452: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
On Sat, Mar 24, 2012 at 12:23:37PM +0100, Bastian Kleineidam wrote:
> Package: libssl1.0.0
> Version: 1.0.1-2
> Severity: important
>
> Hi,
>
> installing the newest version breaks curl (and other download tools
> using libssl like perl GET) on https://sourceforge.net/
> Downgrading to 1.0.0h solves the problem.
>
> Attached are curl --trace outputs with version 1.0.0h and 1.0.1.
>
> Since the SSL error message is not very helpful, I could not match this
> problem to any of the existing bugs. So feel free to ask for more info
> about this.

I can reproduce it, and it doesn't make much sense to me at this
time. sourceforge just doesn't seem to reply.

The biggest change in 1.0.1 is that it supports TLS 1.1 and 1.2.
But using s_client with -no_tls1_1 -no_tls1_2 still doesn't get
me a connection.

On the other hand gnutls-cli sourceforge.net does work as expected.
And forcing an SSL3 or TLS1 connection using s_client also works.

So I think someone at sourceforge will have to take a look at
this.

Kurt
Bug#665452: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
Hello Kurt,

On Saturday, 24 March 2012, 12:39:03, Kurt Roeckx wrote:
> And forcing an SSL3 or TLS1 connection using s_client also works.

Can I configure this somehow to be the default for all applications using
libssl?

> On the other hand gnutls-cli sourceforge.net does work as expected.

Yes, there are some gnutls alternatives. Unfortunately the Perl and Python
https libraries are using libssl. In fact that is when I first noticed the
bug: my custom python script could not log in to Sourceforge anymore.

> So I think someone at sourceforge will have to take a look at
> this.

This upstream bug seems to be the same problem:
http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
Unfortunately the developer does not seem to see that as a regression :-/

I guess the best choice for me right now is to keep using v1.0.0h.

Regards,
  Bastian
Bug#665452: [Pkg-openssl-devel] Bug#665452: libssl1.0.0: breaks HTTPS download of some sites (eg. https://sourceforge.net)
On Sat, Mar 24, 2012 at 07:45:51PM +0100, Bastian Kleineidam wrote:
> Hello Kurt,
>
> On Saturday, 24 March 2012, 12:39:03, Kurt Roeckx wrote:
> > And forcing an SSL3 or TLS1 connection using s_client also works.
> Can I configure this somehow to be the default for all applications using
> libssl?

Not that I know, as far as I know they all need to set this up
themselves.

> > On the other hand gnutls-cli sourceforge.net does work as expected.
> Yes, there are some gnutls alternatives. Unfortunately the Perl and Python
> https libraries are using libssl. In fact that is when I first noticed the
> bug: my custom python script could not login to Sourceforge anymore.
>
> > So I think someone at sourceforge will have to take a look at
> > this.
> This upstream bug seems to be the same problem:
> http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
> Unfortunately the developer does not seem to see that as a regression :-/

That bug report mentions owa.mit.edu, which also responds with:
Server: BigIP

Kurt