On Sat, Feb 11, 2006 at 10:35:07PM +0100, Javier Fernández-Sanguino Peña wrote:
> The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
> Nessus, actually, it makes it worse since now the workaround of using a
> restricted set of ciphers no longer works either:
Are you sure the server has been restarted since the upgrade of
libssl0.9.8?
> If you try to connect the Nessus client with the server you get this:
> [26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> nessus : SSL error
> And using the standard OpenSSL client:
> $ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
> /var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
> CONNECTED(0003)
> 26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
> 26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:
There are various reasons why this can happen. One reason
is that the client only uses ssl3 (as you did with -ssl3)
and that the server doesn't allow ssl3 connections. I can
perfectly connect to it without problems if I drop the
-ssl3 from the s_client parameters.
The server has this code in it:
#define SSL_VER_DEF_NAME "TLSv1"
#define SSL_VER_DEF_METH TLSv1_server_method
[...]
if (strcasecmp(ssl_ver, "SSLv2") == 0)
  ssl_mt = SSLv2_server_method();
else if (strcasecmp(ssl_ver, "SSLv3") == 0)
  ssl_mt = SSLv3_server_method();
else if (strcasecmp(ssl_ver, "SSLv23") == 0)
  ssl_mt = SSLv23_server_method();
else if (strcasecmp(ssl_ver, "TLSv1") == 0)
  ssl_mt = TLSv1_server_method();
else
  {
    fprintf(stderr, "Unknown SSL version \"%s\"\nSwitching to default "
            SSL_VER_DEF_NAME "\n", ssl_ver);
    ssl_ver = SSL_VER_DEF_NAME;
    ssl_mt = SSL_VER_DEF_METH();
  }
So it looks normal to me that it doesn't work if you use -ssl3.
(The client has the same code.)
Can you reproduce your problem using a combination of s_server and
s_client? I've been trying to reproduce other problems, but I can't.
> So it seems that the fix introduced a different behaviour [1], but it's still
> broken.
> Should be easy to reproduce, just install Nessus, make a certificate and try
> to connect to the Nessus server...
So I just installed nessus and nessusd, it seems to
connect without problems, it even asks me to validate the
certificate, but for some reason I can't log in.
I get:
[Sun Feb 12 14:13:15 2006][7916] Client requested protocol version 12.
[Sun Feb 12 14:13:15 2006][7916] bad login attempt from 127.0.0.1
So it seems to me the ssl part is working perfectly.
Kurt
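Added example, not part of the thread: a small Python decoder for the OpenSSL 0.9.x error lines quoted above. It shows that 14094410 carries reason 1040, i.e. SSL_AD_REASON_OFFSET (1000) plus TLS alert 40 (handshake_failure) received from the server, which is what a TLSv1-only nessusd sends back to an SSLv3-only client, while 1409E0E5 (reason 229, SSL_R_SSL_HANDSHAKE_FAILURE) is only the client's own follow-up failure. The alert names are the RFC 2246/5246 subset; the sample lines are the ones from the thread with the wrapped lines rejoined.

```python
# Decode OpenSSL 0.9.x error strings: "error:14094410:SSL routines:...". The 32-bit
# code is library (bits 31..24, 0x14 = ERR_LIB_SSL) : function (23..12) : reason (11..0).
# SSL reasons >= 1000 are SSL_AD_REASON_OFFSET + a TLS alert the *peer* sent: 1040 -> 40.
import re
from typing import NamedTuple, Optional
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000
# TLS alert descriptions (RFC 2246 / RFC 5246), handshake-relevant subset.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
}
# error:<8 hex>:<lib>:<func>:<reason>[:<file>:<line>:<extra data>]
_LINE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*)"
                   r":(?P<reason>[^:]*)(?::[^:]*:\d+:(?P<data>.*))?$")

class SslError(NamedTuple):
    lib: int
    func: int
    reason: int
    func_name: str
    reason_text: str
    peer_alert: Optional[int]  # TLS alert code if the peer sent one, else None

def parse_openssl_error(line: str) -> SslError:
    """Split one OpenSSL error line into its numeric and textual fields."""
    m = _LINE.search(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSL error line: {line!r}")
    code = int(m.group("code"), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return SslError(lib, func, reason, m.group("func"), m.group("reason"), alert)

def explain(line: str) -> str:
    """One-line diagnosis: peer rejected the handshake, or we failed locally."""
    e = parse_openssl_error(line)
    if e.peer_alert is not None:
        name = TLS_ALERTS.get(e.peer_alert, "unknown")
        return f"peer sent TLS alert {e.peer_alert} ({name}) during {e.func_name}"
    return f"local failure in {e.func_name}: {e.reason_text} (reason {e.reason})"

# The error lines quoted in the thread (wrapped lines rejoined).
SAMPLE = [
    "[26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
    "26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40",
    "26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:",
]
```

Running `explain` over SAMPLE separates the server's rejection (READ_BYTES, alert 40) from the client's consequent local failure (WRITE_BYTES, reason 229).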