On Sat, Feb 11, 2006 at 10:35:07PM +0100, Javier Fernández-Sanguino Peña wrote:
>
> The latest OpenSSL version (0.9.8-6) does not seem to fix the problem with
> Nessus, actually, it makes it work since now the workaround of using a
> restricted set of ciphers no longer works either:

Are you sure the server has been restarted since the upgrade of libssl0.9.8?

> If you try to connect the Nessus client with the server you get this:
> [26753] SSL_connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure
> nessus : SSL error
>
> And using the standard OpenSSL client:
>
> $ openssl s_client -connect localhost:1241 -ssl3 -CAfile \
> /var/lib/nessus/CA/cacert.pem -bugs -no_ssl2
> CONNECTED(00000003)
> 26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1057:SSL alert number 40
> 26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:534:

There are various reasons why this can happen. One reason is that the
client only uses ssl3 (as you did with -ssl3) and that the server doesn't
allow ssl3 connections.

I can perfectly connect to it without problems if I drop the -ssl3 from the
s_client parameters.

The server has this code in it:

#define SSL_VER_DEF_NAME "TLSv1"
#define SSL_VER_DEF_METH TLSv1_server_method
[...]
    if (strcasecmp(ssl_ver, "SSLv2") == 0)
        ssl_mt = SSLv2_server_method();
    else if (strcasecmp(ssl_ver, "SSLv3") == 0)
        ssl_mt = SSLv3_server_method();
    else if (strcasecmp(ssl_ver, "SSLv23") == 0)
        ssl_mt = SSLv23_server_method();
    else if (strcasecmp(ssl_ver, "TLSv1") == 0)
        ssl_mt = TLSv1_server_method();
    else {
        fprintf(stderr, "Unknown SSL version \"%s\"\nSwitching to default "
                SSL_VER_DEF_NAME "\n", ssl_ver);
        ssl_ver = SSL_VER_DEF_NAME;
        ssl_mt = SSL_VER_DEF_METH();
    }

So it looks normal to me that if you use -ssl3 that it doesn't work.
(The client has the same code.)

Can you reproduce your problem using a combination of s_server and
s_client? I've been trying to reproduce other problems, but I can't.

> So it seems that the fix introduced a different behaviour [1], but it's still
> broken.
>
> Should be easy to reproduce, just install Nessus, make a certificate and try
> to connect to the Nessus server...

So I "just installed" nessus and nessusd, it seems to connect without
problems, it even asks me to validate the certificate, but for some reason
I can't log in. I get:

[Sun Feb 12 14:13:15 2006][7916] Client requested protocol version 12.
[Sun Feb 12 14:13:15 2006][7916] bad login attempt from 127.0.0.1

So it seems to me the ssl part is working perfectly.


Kurt
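The s_client lines quoted above encode the whole story in the hex error code: library 0x14 is OpenSSL's SSL library, and a reason code of 1000 + N means the remote side sent TLS alert N, so 0x14094410 is "peer sent alert 40 (handshake_failure)", which is exactly what a server returns when the client offers a protocol version or cipher list it will not accept. The following is an added example, not code from the thread or from Nessus or OpenSSL: a small Python decoder for the 0.9.8/1.x-era packed error format (0xLLFFFRRR: 8-bit library, 12-bit function, 12-bit reason) that parses s_client output and names the alert. The sample input is the two error lines from the thread, re-joined onto single lines; the hint text is the author's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two s_client error lines from the thread, with the
# mail-client line wrapping undone so each error sits on one line.
SAMPLE_LINES = [
    "CONNECTED(00000003)",
    "26745:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"
    ":s3_pkt.c:1057:SSL alert number 40",
    "26745:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure"
    ":s3_pkt.c:534:",
]

# OpenSSL 0.9.8/1.x packs an error as 0xLLFFFRRR: 8-bit library number,
# 12-bit function number, 12-bit reason number.  Library 0x14 is ERR_LIB_SSL.
ERR_LIB_SSL = 0x14
# Inside ERR_LIB_SSL, "the peer sent alert N" is reported as reason 1000 + N.
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions (RFC 5246 section 7.2) that handshake problems
# commonly produce; anything else is reported as "unknown".
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

# s_client / ERR_print_errors format:
#   [<pid>:]error:<hexcode>:<lib>:<func>:<reason>:<file>:<line>:<extra>
ERR_RE = re.compile(
    r"^(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)


@dataclass
class OpenSSLError:
    code: int
    lib_num: int
    func_num: int
    reason_num: int
    lib: str
    func: str
    reason: str
    file: str
    line: int
    extra: str

    @property
    def peer_alert(self) -> Optional[int]:
        """Alert number the remote side sent, or None for a local error."""
        if self.lib_num == ERR_LIB_SSL and self.reason_num >= SSL_AD_REASON_OFFSET:
            return self.reason_num - SSL_AD_REASON_OFFSET
        return None


def parse_error_line(line: str) -> Optional[OpenSSLError]:
    """Parse one OpenSSL error line; return None for any other output line."""
    m = ERR_RE.match(line.strip())
    if m is None:
        return None
    code = int(m["code"], 16)
    return OpenSSLError(
        code=code,
        lib_num=(code >> 24) & 0xFF,      # LL
        func_num=(code >> 12) & 0xFFF,    # FFF
        reason_num=code & 0xFFF,          # RRR
        lib=m["lib"], func=m["func"], reason=m["reason"],
        file=m["file"], line=int(m["line"]), extra=m["extra"],
    )


def describe(err: OpenSSLError) -> str:
    """One-line reading of the error, naming the TLS alert when there is one."""
    alert = err.peer_alert
    if alert is not None:
        return f"{err.func}: peer sent alert {alert} ({TLS_ALERTS.get(alert, 'unknown')})"
    return f"{err.func}: local error {err.reason_num} ({err.reason})"


def diagnose(lines: List[str]) -> List[str]:
    """Decode every error line in s_client output; add a hint for alert 40."""
    out = []
    for raw in lines:
        err = parse_error_line(raw)
        if err is None:
            continue
        out.append(describe(err))
        if err.peer_alert == 40:
            out.append("hint: the peer rejected the offered handshake parameters; "
                       "check that both sides accept a common protocol version and "
                       "cipher list (e.g. -ssl3 against a TLSv1-only server)")
    return out


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LINES):
        print(line)
```

Feeding it the thread's output gives "SSL3_READ_BYTES: peer sent alert 40 (handshake_failure)" for the first line and "SSL3_WRITE_BYTES: local error 229 (ssl handshake failure)" for the second, i.e. the client received the server's refusal and then failed locally on its own side of the handshake. The bit layout decoded here is the 0.9.8/1.x one; OpenSSL 3.x packs the library number differently and drops function codes, so its codes need a different split.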