Bug#891570: [Pkg-openssl-devel] Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
On Tue, Feb 27, 2018 at 09:39:11PM +0100, Sebastian Andrzej Siewior wrote:
> control: clone -1 -2
> control: reassign -2 libio-socket-ssl-perl 2.056-1
> control: severity -2 normal
> control: tags -2 patch
>
> On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote:
> > Here is all you need to reproduce it:
> >
> > $ mech-dump https://mbasic.facebook.com/
> > POST
> > https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8
> >
> > Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1
> >
> > $ mech-dump https://mbasic.facebook.com/
> > Error GETing https://mbasic.facebook.com/: Can't connect to
> > mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL
> > routines:ssl_cipher_list_to_bytes:no ciphers available) at
> > /usr/bin/mech-dump line 68.
> > $ dlocate mech-dump
> > libwww-mechanize-perl: /usr/bin/mech-dump
>
> Thank you. This was helpful.
> The problem is that libio-socket-ssl-perl has a predefined cipher list
> which does not include any TLS1.3 cipher (yes, it has its own). The
> patch attached adds TLS1.3 ciphers, which means that it is possible to
> negotiate a TLS1.3 connection if the remote side supports it.
>
> I cloned the bug and hope that openssl falls back to a TLS1.2-only
> connection if the ciphers are missing, especially if the remote side does
> not support 1.3. Let's see about that…

I wasn't exactly expecting this problem; I would have expected a different
error message, as mentioned in the blog:

139998555496896:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:3720:No ciphers enabled for max supported SSL/TLS version

But note that we're actually changing that behaviour in
https://github.com/openssl/openssl/pull/5392

That said, in general I think it's a bad idea for applications and libraries
to override the defaults. OpenSSL has sane defaults, and if you want to
exclude some ciphers I suggest you start from DEFAULT and remove some, and
not create your own list of which ones you want to support.

> +	'TLS13-CHACHA20-POLY1305-SHA256',
> +	'TLS13-AES-256-GCM-SHA384',
> +	'TLS13-AES-128-GCM-SHA256',
> +	'TLS13-AES-128-CCM-8-SHA256',
> +	'TLS13-AES-128-CCM-SHA256',

You probably don't want the CCM ones by default.

Kurt
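The two styles Kurt contrasts can be compared offline against whatever OpenSSL build is at hand. The following is an added example for this thread, not code from IO::Socket::SSL, OpenSSL or the Debian patch. It uses Python's ssl module because `SSLContext.set_ciphers()` hands the string to the same `SSL_CTX_set_cipher_list()` the Perl module calls, so the resolved set is the one that OpenSSL build would offer. Both cipher strings are constructed for illustration: the exclusions in the subtractive string are arbitrary choices, and the enumerated string is a shortened stand-in for the module's list that keeps three of the TLS13-* names and the first TLS 1.2 entry visible in the Debian hunk plus one constructed extra entry.

```python
"""Resolve OpenSSL cipher strings offline and report what each style leaves usable.

Added example; not code from IO::Socket::SSL, OpenSSL or the Debian patch.
"""
import ssl

# Kurt's recommendation: start from DEFAULT and subtract. The exclusions are
# illustrative choices, not a list taken from the thread.
SUBTRACTIVE = "DEFAULT:!aNULL:!eNULL:!RC4:!MD5:!3DES"

# The style the Debian patch extends: a hand-maintained allow-list (constructed,
# shortened stand-in for the module's own list).
ENUMERATED = ":".join([
    "TLS13-CHACHA20-POLY1305-SHA256",   # pre-release TLS 1.3 names from the hunk
    "TLS13-AES-256-GCM-SHA384",
    "TLS13-AES-128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",    # first TLS 1.2 entry visible in the hunk
    "ECDHE-RSA-AES128-GCM-SHA256",      # constructed extra TLS 1.2 entry
])


def resolve(cipher_string):
    """Map protocol version -> cipher names OpenSSL resolves for the string.

    Returns {} when OpenSSL rejects the string outright, i.e. nothing in it is
    usable (the "no cipher match" failure). Unknown names inside an otherwise
    usable string are dropped silently, so an allow-list can lose entries
    without any error until nothing is left.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    by_proto = {}
    for cipher in ctx.get_ciphers():
        by_proto.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_proto


def unknown_names(cipher_string):
    """Entries of a colon-separated allow-list that this OpenSSL build does not
    know, or will not offer at its configured security level.

    Everything the build can offer is resolved once via ALL:COMPLEMENTOFALL;
    any allow-list entry outside that set is being ignored silently.
    """
    known = {name for names in resolve("ALL:COMPLEMENTOFALL").values()
             for name in names}
    return [entry for entry in cipher_string.split(":") if entry not in known]


def supports_tls13():
    """Whether the linked OpenSSL can negotiate TLS 1.3 at all."""
    return ssl.HAS_TLSv1_3


def audit(cipher_string):
    """One-shot report for a pre-deployment check of a cipher list."""
    resolved = resolve(cipher_string)
    return {
        "accepted": bool(resolved),
        "protocols": sorted(resolved),
        "unknown": unknown_names(cipher_string),
    }


if __name__ == "__main__":
    for label, cipher_string in (("subtractive", SUBTRACTIVE),
                                 ("enumerated", ENUMERATED)):
        print(label, audit(cipher_string))
```

Run against a current OpenSSL, the subtractive string is accepted and covers every protocol version the build enables, while the enumerated string shows its TLS13-* entries under "unknown": those names are not ones `SSL_CTX_set_cipher_list()` recognises, so they contribute nothing and the list is only as good as its remaining TLS 1.2 entries. That is the maintenance cost of an allow-list that Kurt's advice avoids.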
Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
control: clone -1 -2
control: reassign -2 libio-socket-ssl-perl 2.056-1
control: severity -2 normal
control: tags -2 patch

On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote:
> Here is all you need to reproduce it:
>
> $ mech-dump https://mbasic.facebook.com/
> POST
> https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8
>
> Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1
>
> $ mech-dump https://mbasic.facebook.com/
> Error GETing https://mbasic.facebook.com/: Can't connect to
> mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL
> routines:ssl_cipher_list_to_bytes:no ciphers available) at /usr/bin/mech-dump
> line 68.
> $ dlocate mech-dump
> libwww-mechanize-perl: /usr/bin/mech-dump

Thank you. This was helpful.
The problem is that libio-socket-ssl-perl has a predefined cipher list
which does not include any TLS1.3 cipher (yes, it has its own). The
patch attached adds TLS1.3 ciphers, which means that it is possible to
negotiate a TLS1.3 connection if the remote side supports it.

I cloned the bug and hope that openssl falls back to a TLS1.2-only
connection if the ciphers are missing, especially if the remote side does
not support 1.3. Let's see about that…

Sebastian

diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index ac56aaad4035..8544811d16d6 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -149,6 +149,11 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
 SSL_cipher_list => join(" ",
+ 'TLS13-CHACHA20-POLY1305-SHA256',
+ 'TLS13-AES-256-GCM-SHA384',
+ 'TLS13-AES-128-GCM-SHA256',
+ 'TLS13-AES-128-CCM-8-SHA256',
+ 'TLS13-AES-128-CCM-SHA256',
 # SSLabs report for Chrome 48/OSX.
 # This also includes the fewer ciphers Firefox uses.
 'ECDHE-ECDSA-AES128-GCM-SHA256',
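Review bot: the two CCM entries added at the head of the default client list, 'TLS13-AES-128-CCM-8-SHA256' and 'TLS13-AES-128-CCM-SHA256', should be dropped from a default configuration; CCM-8 in particular truncates the authentication tag to 64 bits, and Kurt's reply on this thread makes the same point ("You probably don't want the CCM ones by default"). Keeping only the three GCM/ChaCha20-Poly1305 entries leaves the TLS 1.3 coverage the patch is after. Two smaller points on the same hunk: the five new names are inserted above the comment "# SSLabs report for Chrome 48/OSX." that documents where the rest of the list comes from, so that comment no longer describes the entries that precede it; a one-line comment above the TLS13-* block saying where those names come from would keep the list's provenance readable. And because OpenSSL silently ignores cipher-string entries it does not recognise, a build that does not know the TLS13-* names will drop them without any error and the client will keep offering only the TLS 1.2 entries below, which is worth stating in the changelog so that nobody reads the presence of these names as a guarantee that TLS 1.3 is negotiated.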
Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
Here is all you need to reproduce it:

$ mech-dump https://mbasic.facebook.com/
POST
https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8

Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1

$ mech-dump https://mbasic.facebook.com/
Error GETing https://mbasic.facebook.com/: Can't connect to
mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL
routines:ssl_cipher_list_to_bytes:no ciphers available) at /usr/bin/mech-dump
line 68.
$ dlocate mech-dump
libwww-mechanize-perl: /usr/bin/mech-dump
Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available
On 2018-02-27 09:12:06 [+0800], 積丹尼 Dan Jacobson wrote:
> WWW::Mechanize: 500 Can't connect to mbasic.facebook.com:443...

You opened a grave bug and provided way less than enough information to get
this solved. It might look from your perspective that you provided enough
information, but over here it does not. I actually get the feeling that you
sit behind a RFC1149 router and *need* to make it short.

WWW::Mechanize looks like something perl based, but I am not going to try to
figure out which package I need to install and how to use it. I asked what
you are doing in order to reproduce this.

The command

	openssl s_client -connect mbasic.facebook.com:443

negotiates TLS1.2 and

	openssl s_client -connect blog.cloudflare.com:443

negotiates TLS1.3. So whatever the problem is, you need to provide more
information.

Sebastian