Bug#891570: [Pkg-openssl-devel] Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Kurt Roeckx
On Tue, Feb 27, 2018 at 09:39:11PM +0100, Sebastian Andrzej Siewior wrote:
> control: clone -1 -2
> control: reassign -2 libio-socket-ssl-perl 2.056-1
> control: severity -2 normal
> control: tags -2 patch
> 
> On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote:
> > Here is all you need to reproduce it:
> > 
> > $ mech-dump https://mbasic.facebook.com/
> > POST 
> > https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8
> > 
> > Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1
> > 
> > $ mech-dump https://mbasic.facebook.com/
> > Error GETing https://mbasic.facebook.com/: Can't connect to 
> > mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL 
> > routines:ssl_cipher_list_to_bytes:no ciphers available) at 
> > /usr/bin/mech-dump line 68.
> > $ dlocate mech-dump
> > libwww-mechanize-perl: /usr/bin/mech-dump
> 
> Thank you. This was helpful.
> The problem is that libio-socket-ssl-perl has a predefined cipher list
> which does not include any TLS1.3 cipher (yes, it has its own). The
> patch attached adds TLS1.3 cipher which means that it is possible to
> negotiate a TLS1.3 connection if the remote side supports it.
> 
> I cloned the bug and hope that openssl falls back to TLS1.2 only
> connection if the ciphers are missing especially if the remote side does
> not support 1.3. Let's see about that…

I wasn't exactly expecting this problem; I would have expected a
different error message, as mentioned in the blog:
139998555496896:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers 
available:ssl/statem/statem_clnt.c:3720:No ciphers enabled for max supported 
SSL/TLS version

But note that we're actually changing that behaviour in
https://github.com/openssl/openssl/pull/5392

That said, in general I think it's a bad idea for applications and
libraries to override the defaults. OpenSSL has sane defaults, and
if you want to exclude some ciphers I suggest you start from
DEFAULT and remove some and not create your own list of which one
you want to support.

> + 'TLS13-CHACHA20-POLY1305-SHA256',
> + 'TLS13-AES-256-GCM-SHA384',
> + 'TLS13-AES-128-GCM-SHA256',
> + 'TLS13-AES-128-CCM-8-SHA256',
> + 'TLS13-AES-128-CCM-SHA256',

You probably don't want the CCM ones by default.


Kurt
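As an added illustration of Kurt's advice above (this is not code from the thread, from OpenSSL, or from IO::Socket::SSL): Python's ssl module hands a cipher string to the same OpenSSL cipher-list call the Perl module uses, so it can show what a hand-maintained TLS 1.2-only list enables versus starting from DEFAULT and subtracting, grouped by protocol version on whatever OpenSSL the interpreter links against. The cipher strings are constructed for the example (only `ECDHE-ECDSA-AES128-GCM-SHA256` appears on the page); the statement that released OpenSSL (1.1.1 and later) configures TLS 1.3 suites separately from the cipher list is an assumption about the runtime, not something the thread says.

```python
"""Inspect which suites an OpenSSL cipher string enables, per protocol version.

Added example, not code from the bug thread, from OpenSSL or from IO::Socket::SSL.
It uses Python's ssl module, which applies the cipher string with the same
OpenSSL cipher-list API that IO::Socket::SSL's SSL_cipher_list feeds.
"""
import ssl
from collections import OrderedDict

# Constructed: a TLS 1.2-only list in the style IO::Socket::SSL hard-codes,
# starting with the one suite visible in the hunk plus its RSA counterpart.
HAND_MAINTAINED = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# Kurt's suggestion: start from OpenSSL's DEFAULT and remove what you don't
# want. '!CCM' drops the CCM suites he flags; '!aNULL' drops unauthenticated ones.
DEFAULT_MINUS = "DEFAULT:!CCM:!aNULL"


def suites_by_protocol(cipher_string):
    """Return {protocol_name: [suite names...]} for a cipher string.

    set_ciphers() raises ssl.SSLError if the string selects nothing at all;
    get_ciphers() then lists every suite the context would offer, each tagged
    with the protocol version it belongs to (e.g. 'TLSv1.2', 'TLSv1.3').
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    grouped = OrderedDict()
    for entry in ctx.get_ciphers():
        grouped.setdefault(entry["protocol"], []).append(entry["name"])
    return grouped


def has_ccm(cipher_string):
    """True if any enabled TLS 1.2 suite uses CCM.

    Only TLS 1.2 entries are inspected: on released OpenSSL the TLS 1.3 suites
    are configured separately (SSL_CTX_set_ciphersuites), so a '!CCM' in the
    cipher list does not touch them (assumption about the runtime).
    """
    tls12 = suites_by_protocol(cipher_string).get("TLSv1.2", [])
    return any("CCM" in name for name in tls12)


def covers_tls13(cipher_string):
    """True if the context still offers at least one TLS 1.3 suite.

    With the 1.1.1 pre-release in the bug, a TLS 1.2-only cipher list left
    nothing usable for the highest supported version and the client failed
    with 'no ciphers available'. On released OpenSSL (assumed >= 1.1.1) the
    TLS 1.3 suites survive a TLS 1.2-only cipher list because they live in a
    separate ciphersuites setting.
    """
    return bool(suites_by_protocol(cipher_string).get("TLSv1.3"))


def tls13_available():
    """Whether the linked OpenSSL supports TLS 1.3 at all."""
    return ssl.HAS_TLSv1_3


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, spec in (("hand-maintained", HAND_MAINTAINED), ("DEFAULT minus", DEFAULT_MINUS)):
        grouped = suites_by_protocol(spec)
        print(f"\n{label}: {spec}")
        for proto, names in grouped.items():
            print(f"  {proto}: {len(names)} suite(s), e.g. {names[0]}")
        print("  CCM in TLS 1.2 set:", has_ccm(spec), "| covers TLS 1.3:", covers_tls13(spec))
```

Running it with the hand-maintained string shows exactly the two named TLS 1.2 suites, and, on an OpenSSL that separates TLS 1.3 configuration, the default TLS 1.3 suites alongside them; the DEFAULT-minus string keeps everything OpenSSL considers sane while still dropping the CCM suites, which is the maintenance-free shape Kurt recommends.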



Processed: Re: [Pkg-openssl-devel] Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 891570 https://github.com/openssl/openssl/issues/5474
Bug #891570 [libssl1.1] SSL connect attempt failed error:141A90B5:SSL 
routines:ssl_cipher_list_to_bytes:no ciphers available
Set Bug forwarded-to-address to 
'https://github.com/openssl/openssl/issues/5474'.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
891570: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891570
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Sebastian Andrzej Siewior
control: clone -1 -2
control: reassign -2 libio-socket-ssl-perl 2.056-1
control: severity -2 normal
control: tags -2 patch

On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote:
> Here is all you need to reproduce it:
> 
> $ mech-dump https://mbasic.facebook.com/
> POST 
> https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8
> 
> Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1
> 
> $ mech-dump https://mbasic.facebook.com/
> Error GETing https://mbasic.facebook.com/: Can't connect to 
> mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL 
> routines:ssl_cipher_list_to_bytes:no ciphers available) at /usr/bin/mech-dump 
> line 68.
> $ dlocate mech-dump
> libwww-mechanize-perl: /usr/bin/mech-dump

Thank you. This was helpful.
The problem is that libio-socket-ssl-perl has a predefined cipher list
which does not include any TLS1.3 cipher (yes, it has its own). The
patch attached adds TLS1.3 cipher which means that it is possible to
negotiate a TLS1.3 connection if the remote side supports it.

I cloned the bug and hope that openssl falls back to TLS1.2 only
connection if the ciphers are missing especially if the remote side does
not support 1.3. Let's see about that…

Sebastian
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index ac56aaad4035..8544811d16d6 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -149,6 +149,11 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
 
 SSL_cipher_list => join(" ",
 
+	'TLS13-CHACHA20-POLY1305-SHA256',
+	'TLS13-AES-256-GCM-SHA384',
+	'TLS13-AES-128-GCM-SHA256',
+	'TLS13-AES-128-CCM-8-SHA256',
+	'TLS13-AES-128-CCM-SHA256',
 	# SSLabs report for Chrome 48/OSX. 
 	# This also includes the fewer ciphers Firefox uses.
 	'ECDHE-ECDSA-AES128-GCM-SHA256',
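Review bot: the two CCM suites added here (`'TLS13-AES-128-CCM-8-SHA256'` and `'TLS13-AES-128-CCM-SHA256'`) should not go into a default client list; Kurt's reply downthread makes the same point, so trim the addition to the CHACHA20 and AES-GCM entries. More generally, these `TLS13-*` names come from the 1.1.1~~pre1 snapshot in the bug, and prepending a hand-maintained list means every new OpenSSL release can reintroduce the "no ciphers available" failure this patch fixes; as Kurt suggests, starting from `DEFAULT` and excluding unwanted suites would avoid having to track upstream's naming at all.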


Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread 積丹尼 Dan Jacobson
Here is all you need to reproduce it:

$ mech-dump https://mbasic.facebook.com/
POST 
https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8

Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1

$ mech-dump https://mbasic.facebook.com/
Error GETing https://mbasic.facebook.com/: Can't connect to 
mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL 
routines:ssl_cipher_list_to_bytes:no ciphers available) at /usr/bin/mech-dump 
line 68.
$ dlocate mech-dump
libwww-mechanize-perl: /usr/bin/mech-dump



Bug#891570: [Bug#891570: SSL connect attempt failed error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available

2018-02-27 Thread Sebastian Andrzej Siewior
On 2018-02-27 09:12:06 [+0800], 積丹尼 Dan Jacobson wrote:
> WWW::Mechanize: 500 Can't connect to mbasic.facebook.com:443...

You opened a grave bug and provide way less than enough information to
get this solved. It might look from your perspective that you provide
enough information but over here it does not. I actually get the feeling
that you sit behind an RFC1149 router and *need* to make it short.

WWW::Mechanize looks like something perl based but I am not going to try
to figure out which package I need to install and how to use it. I asked
what you are doing in order to reproduce this.

The command
  openssl s_client -connect mbasic.facebook.com:443

negotiates TLS1.2 and
  openssl s_client -connect blog.cloudflare.com:443

negotiates TLS1.3. So whatever the problem is, you need to provide more
information.

Sebastian