Bug#338006: [Pkg-openssl-devel] Bug#338006: Doesn't seem to fix the problems with Nessus

2006-02-12 Thread Kurt Roeckx
On Sat, Feb 11, 2006 at 10:35:07PM +0100, Javier Fernández-Sanguino Peña wrote:
 
 The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
 Nessus, actually, it makes it work since now the workaround of using a
 restricted set of ciphers no longer works either:

Are you sure the server has been restarted since the upgrade of
libssl0.9.8?

 If you try to connect the Nessus client with the server you get this:
 [26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
 handshake failure
 nessus : SSL error
 
 And using the standard OpenSSL client:
 
 $ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
   /var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
 CONNECTED(0003)
 26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
 failure:s3_pkt.c:1057:SSL alert number 40
 26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
 failure:s3_pkt.c:534:

There are various reasons why this can happen.  One reason
is that the client only uses ssl3 (as you did with -ssl3)
and that the server doesn't allow ssl3 connections.  I can
perfectly connect to it witout problems if I drop the
-ssl3 from the s_client parameters.

The server has this code in it:
#define SSL_VER_DEF_NAMETLSv1
#define SSL_VER_DEF_METHTLSv1_server_method
[...]
  if (strcasecmp(ssl_ver, SSLv2) == 0)
ssl_mt = SSLv2_server_method();
  else if (strcasecmp(ssl_ver, SSLv3) == 0)
ssl_mt = SSLv3_server_method();
  else if (strcasecmp(ssl_ver, SSLv23) == 0)
ssl_mt = SSLv23_server_method();
  else if (strcasecmp(ssl_ver, TLSv1) == 0)
ssl_mt = TLSv1_server_method();
  else
{
  fprintf(stderr, Unknown SSL version \%s\\nSwitching to default
 SSL_VER_DEF_NAME \n, ssl_ver);
  ssl_ver = SSL_VER_DEF_NAME;
  ssl_mt = SSL_VER_DEF_METH();
}

So it looks normal to me that if you use -ssl3 that it doesn't work.

(The client has the same code.)

Can you reproduce your problem using a combination of s_server and
s_client?  I've been trying to reproduce other problems, but I can't.

 So it seems that the fix introduced a different behaviour [1], but it's still
 broken.
 
 Should be easy to reproduce, just install Nessus, make a certificate and try
 to connect to the Nessus server...

So I just installed nessus and nessusd, it seems to
connect without problems, it even asks me to validate the
certificate, but for some reason I can't log in.

I get:
[Sun Feb 12 14:13:15 2006][7916] Client requested protocol version 12.
[Sun Feb 12 14:13:15 2006][7916] bad login attempt from 127.0.0.1

So it seems to me the ssl part is working perfectly.


Kurt




Bug#338006: Doesn't seem to fix the problems with Nessus

2006-02-11 Thread Javier Fernández-Sanguino Peña

The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
Nessus, actually, it makes it work since now the workaround of using a
restricted set of ciphers no longer works either:

If you try to connect the Nessus client with the server you get this:
[26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure
nessus : SSL error

And using the standard OpenSSL client:

$ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
/var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
CONNECTED(0003)
26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1057:SSL alert number 40
26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:534:

So it seems that the fix introduced a different behaviour [1], but it's still
broken.

Should be easy to reproduce, just install Nessus, make a certificate and try
to connect to the Nessus server...

:-(

Javier

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343487
In which the error was

 SSL_connect: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert
 bad record mac 
 nessus : SSL error


signature.asc
Description: Digital signature