Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers
On 2019-06-06, kasak wrote:
>
> Excuse me, can this issue also break dovecot and latest thunderbird?
> With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
> opensmtpd) suddenly refuse to log me in.
> Dovecot shows something like this in logs:
>
> TLS handshaking: SSL_accept() failed: error:140270E3:SSL
> routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

Yes, I am pretty much certain this has the same cause. Fixes:

- move the server to current where this has been fixed already

- the fix has been committed to -stable today so you can update libssl
  from there; if you already have a checkout you can do this

      cd /usr/src/lib/libssl
      cvs up -r OPENBSD_6_5 -Pd
      make obj
      make
      make install

  (and restart the relevant services)

- an errata/syspatch is planned for this issue; should show up in the
  next few days (possibly Monday)

- update crypto-policies from the Fedora testing repository, see links
  in comments 10/11 on https://bugzilla.redhat.com/show_bug.cgi?id=1713777

> I found a workaround for this, by switching from "STARTTLS" to SSL/TLS for
> imap. But OpenSMTPD is still not working.
> As I said, this behavior appeared in the latest thunderbird 60.7.0. Older
> versions of thunderbird work.

btw, where possible it's usually a good idea to use a port which just
uses plain TLS rather than starting as text and switching with STARTTLS;
this avoids the risk of a cleartext connection being intercepted and
modified to disable the STARTTLS. (of course if a client is configured
to never send cleartext credentials then it doesn't matter, but that's
not always done)
Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers
Stuart Henderson wrote on 2019-06-05 17:10:
> On 2019-06-05, Frank Groeneveld wrote:
>> On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
>>> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
>>> servers cannot be reached over HTTPS anymore. The error produced is
>>> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
>>> but also with https://cvsweb.openbsd.org/
>>> Anybody know what is going on? Chromium and openssl s_client on the
>>> same system work fine and the same Firefox version in Ubuntu, Mac OS
>>> and Windows don't have this problem.
>>>
>>> Thanks in advance.
>>
>> Sorry for the noise, apparently there is a bug on the Fedora side when
>> connecting with newer versions of LibreSSL. Related bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1713777
>
> The bug is server-side not client, looks like it would have been
> introduced around January, and fixed in lib/libssl/ssl_tlsext.c r1.49
>
> revision 1.49
> date: 2019/05/29 17:28:37;  author: jsing;  state: Exp;  lines: +2 -5;  commitid: DLpHk0vyoFEK0Baa;
> Relax parsing of TLS key share extensions on the server.
>
> The RFC does not require X25519 and it also allows clients to send an
> empty key share when they want the server to select a group. The current
> behaviour results in handshake failures where the client supports TLS 1.3
> and sends a TLS key share extension that does not contain X25519.
>
> Issue reported by Hubert Kario via github.
>
> ok tb@

Excuse me, can this issue also break dovecot and latest thunderbird?
With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
opensmtpd) suddenly refuse to log me in.
Dovecot shows something like this in logs:

TLS handshaking: SSL_accept() failed: error:140270E3:SSL routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

I found a workaround for this, by switching from "STARTTLS" to SSL/TLS for
imap. But OpenSMTPD is still not working.
As I said, this behavior appeared in the latest thunderbird 60.7.0. Older
versions of thunderbird work.
Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers
On 2019-06-05, Frank Groeneveld wrote:
> On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
>> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
>> servers cannot be reached over HTTPS anymore. The error produced is
>> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
>> but also with https://cvsweb.openbsd.org/
>> Anybody know what is going on? Chromium and openssl s_client on the
>> same system work fine and the same Firefox version in Ubuntu, Mac OS
>> and Windows don't have this problem.
>>
>> Thanks in advance.
>
> Sorry for the noise, apparently there is a bug on the Fedora side when
> connecting with newer versions of LibreSSL. Related bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=1713777

The bug is server-side not client, looks like it would have been
introduced around January, and fixed in lib/libssl/ssl_tlsext.c r1.49

revision 1.49
date: 2019/05/29 17:28:37;  author: jsing;  state: Exp;  lines: +2 -5;  commitid: DLpHk0vyoFEK0Baa;
Relax parsing of TLS key share extensions on the server.

The RFC does not require X25519 and it also allows clients to send an
empty key share when they want the server to select a group. The current
behaviour results in handshake failures where the client supports TLS 1.3
and sends a TLS key share extension that does not contain X25519.

Issue reported by Hubert Kario via github.

ok tb@
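The key_share handling the commit message describes, as an added Python model that is not LibreSSL's code: it parses the ClientHello key_share extension as laid out in RFC 8446 and contrasts a strict selector (the pre-fix behaviour the message describes, which insists on an X25519 share) with the relaxed RFC behaviour that accepts any supported group or an empty share list. Malformed bodies and the strict rejection both map to the decode_error alert Firefox reports; the NamedGroup code points are the RFC 8446 values, and the sample key bytes in the test are constructed.

```python
import struct

# NamedGroup code points from RFC 8446 section 4.2.7
X25519, SECP256R1 = 0x001d, 0x0017

class TlsExtError(ValueError):
    """Malformed or unacceptable extension; a TLS server answers with a decode_error alert."""

def parse_key_share(body):
    """Parse a ClientHello key_share body (RFC 8446 4.2.8) into [(group, key_exchange), ...]:
    client_shares<0..2^16-1> of KeyShareEntry { NamedGroup group; opaque key_exchange<1..2^16-1>; }"""
    if len(body) < 2:
        raise TlsExtError("truncated client_shares length")
    (shares_len,) = struct.unpack("!H", body[:2])
    if len(body) != 2 + shares_len:
        raise TlsExtError("client_shares length does not match body")
    shares, pos, end = [], 2, 2 + shares_len
    while pos < end:
        if end - pos < 4:
            raise TlsExtError("truncated KeyShareEntry")
        group, ke_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ke_len == 0 or pos + ke_len > end:
            raise TlsExtError("bad key_exchange length")
        shares.append((group, body[pos:pos + ke_len]))
        pos += ke_len
    return shares

def select_strict(shares, server_groups):
    """Model of the pre-r1.49 behaviour the thread describes: the server insists on X25519."""
    if not any(group == X25519 for group, _ in shares):
        raise TlsExtError("no X25519 key share")
    return X25519

def select_relaxed(shares, server_groups):
    """RFC-conformant: first share in a group the server supports; an empty list is legal
    and means the server should choose a group itself (None here, i.e. HelloRetryRequest)."""
    return next((group for group, _ in shares if group in server_groups), None)

def handshake_outcome(body, selector, server_groups=frozenset({X25519, SECP256R1})):
    """Server reaction to a key_share body: the chosen group, "retry", or "decode_error"."""
    try:
        group = selector(parse_key_share(body), server_groups)
    except TlsExtError:
        return "decode_error"
    return "retry" if group is None else group

def encode_key_share(entries):
    """Build a key_share body; used only to construct sample extensions."""
    shares = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(shares)) + shares
```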
Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers
On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
> servers cannot be reached over HTTPS anymore. The error produced is
> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
> but also with https://cvsweb.openbsd.org/
> Anybody know what is going on? Chromium and openssl s_client on the
> same system work fine and the same Firefox version in Ubuntu, Mac OS
> and Windows don't have this problem.
>
> Thanks in advance.

Sorry for the noise, apparently there is a bug on the Fedora side when
connecting with newer versions of LibreSSL. Related bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1713777

Regards,

Frank