[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2013-11-06 Thread Stephen Henson via RT
On Thu Mar 29 21:17:31 2012, steve wrote:
> A temporary workaround for this is to apply these two patches to OpenSSL
> 1.0.1:
>
> http://cvs.openssl.org/chngview?cn=22286
> http://cvs.openssl.org/chngview?cn=22306
>
> And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as
> a command line option to config or Configure). I'm working on something
> better.


A new experimental workaround has been added to the master branch. See:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244

This is less disruptive as it doesn't disable TLS 1.2 or chop the cipher list.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2013-03-21 Thread Amy Wilhelm via RT
Per F5 Product Development, the log message quoted in the previous note is not 
related to ID 376483. It is a cosmetic issue which may be safely ignored.

Amy Wilhelm
Enterprise Network Engineer
F5 Networks



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-23 Thread Andy Polyakov
> - sourceforge.net
>
> This one still fails, but I believe that that was caused by the
> load balancer of F5 Networks (Big IP).

And there is no good solution for it, except for updating load balancer
software. The only thing one can do otherwise is to minimize ClientHello
by aggressively excluding ciphers. But you have to keep in mind to
disable enough to accommodate even session-id, so that you won't suffer
from the problem upon attempt to resume. For example it's possible to
'apps/openssl s_client -connect sourceforge.net:443 -no_tls1_2
-no_tls1_1', *but* if you save session data and try to resume, you're
stuck... To resume you'd have to complement it with e.g. -cipher
DEFAULT:\!EXPORT:\!DES:\!SEED...



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-21 Thread Kurt Roeckx
On Thu, Mar 29, 2012 at 09:46:34PM +0200, Kurt Roeckx wrote:
> On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > > [steve - Sun Mar 25 13:11:30 2012]:
> > >
> > > I've done some more tests and it seems that the size of the client hello
> > > message is significant: all the options that work reduce the size of
> > > client hello. If you use the -debug option and check out the first
> > > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > > 0xFF (using two bytes instead of one).
> > >
> >
> > If you use the option -servername very long string you can precisely
> > control the size of the client hello. If you use that to make client
> > hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
>
> So I'm getting more and more reports of sites that have a problem
> since 1.0.1.  They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those
> sites:
> - www.facebook.com
> - www.paypal.com

Those seem to work with the 1.0.1a version, even when the packets
are still bigger than 256.  It's sending a TLS 1.2 ClientHello
in a TLS 1.0 packet now.

> - sourceforge.net

This one still fails, but I believe that that was caused by the
load balancer of F5 Networks (Big IP).


Kurt



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-19 Thread Derek Poon via RT
We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1 
triggers this bug on the load balancer.  When it occurs, the load balancer 
neither forwards the request to a pool member, nor does it respond to the 
OpenSSL client.  There are warning messages in the load balancer's /var/log/ltm 
file:

warning tmm[5313]: 012f0002:4: WARN at 
../modules/hudproxy/bigproto/pva/pva_frames.c:1234:Received illegal header 
padding 100 versus 2ff

Working with F5 Networks tech support, we have determined that this is a known 
issue, which they track as Bug 376483.  It is fixed in the recently released 
BIG-IP LTM 10.2.4 software, though it is not mentioned in their release notes, 
and I confirm that TLS 1.2 connections no longer hang after upgrading to 10.2.4.

Derek Poon
University of British Columbia


Begin forwarded message:

> From: F5 Support - Emailclerk c.emailcl...@f5.com
> Date: April 18, 2012 4:14:42 PM PDT
>
> Derek -
>
> Thanks for the data.  After some pretty extensive research, it appears that
> while SOL 13037 was resolved as part of your update, you encountered a second
> known issue where the SSL connection hangs after OpenSSL v.1.0.1's Client
> Hello because it offered 80 ciphers.
>
> [...] This has been listed as Bug 376483, and is reported as having been
> fixed as of Version 10.2.4.




Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-16 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
>
> >
> > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > *will* connect to some sites it didn't before with a long client hello
> > including paypal. It ends up negotiating TLS 1.2 anyway.
> >
> > I'll do some more tests to see what happens.
> >
>
> SSLv3 or TLSv1 version in record header connects, anything higher hangs.
>
> So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> should retain compatibility with older versions of OpenSSL.

Do you have a patch for this?


Kurt



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Andy Polyakov
> It's empirically found that SSL 2.0 and TLS 1.0
> ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> have to be shorter to be accepted.

TLS version in ClientHello *message* is denoted by corresponding field.
But then the *message* is placed to TLS *record*, which is denoted with
own protocol version. Quoting RFC5246, appendix E.1.

   Earlier versions of the TLS specification were not fully clear on
   what the record layer version number (TLSPlaintext.version) should
   contain when sending ClientHello (i.e., before it is known which
   version of the protocol will be employed).  Thus, TLS servers
   compliant with this specification MUST accept any value {03,XX} as
   the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any
   value {03,XX} as the record layer version number.  Typical values
   would be {03,00}, the lowest version number supported by the client,
   and the value of ClientHello.client_version.  No single value will
   guarantee interoperability with all old servers, but this is a
   complex topic beyond the scope of this document.

Yes, it's beyond document scope, but it seems that it's acceptable to
send TLS 1.2 ClientHello *message* in TLS 1.0 *record*. I.e. initial
record version would denote minimal TLS version, while message version -
maximal version.
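The two version fields Andy distinguishes above (TLSPlaintext.version in the 5-byte record header versus ClientHello.client_version inside the handshake message), the record-header experiment Steve describes later in the thread (a {3,1} header in front of a {3,3} hello still negotiates TLS 1.2), and the -servername trick for growing the hello past 0xFF bytes are easy to see on the wire once you build the record by hand. The following is an added example, not OpenSSL code and not part of the original thread: a minimal ClientHello builder in Python that lets the two versions be set independently and reports the record length that -debug shows in bytes 4 and 5. The cipher-suite and extension codepoints are real IANA values; the hostnames and the suite list are placeholders chosen for the demonstration.

```python
import os
import struct

TLS1_0 = (3, 1)
TLS1_2 = (3, 3)

# Real IANA cipher-suite codepoints, picked only to give the list a realistic
# shape. 0x00FF is TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which OpenSSL 1.0.1 puts
# last (the trailing "00 ff" in the -msg dumps elsewhere in this thread).
SAMPLE_SUITES = [0xC030, 0xC02C, 0xC028, 0xC024, 0xC014, 0xC00A, 0x009F,
                 0x006B, 0x0039, 0x0088, 0x009D, 0x003D, 0x0035, 0x00FF]


def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0) carrying one host_name entry.
    ASCII-encoded deliberately: -servername with an overlong string is the
    size knob here, so no IDNA label-length check is applied."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list


def signature_algorithms_extension() -> bytes:
    """signature_algorithms (type 13) with the 16 hash/signature pairs that
    appear in the OpenSSL 1.0.1 dumps; the extension a TLS 1.2 client adds."""
    pairs = bytes([6, 1, 6, 2, 6, 3, 5, 1, 5, 2, 5, 3, 4, 1, 4, 2,
                   4, 3, 3, 1, 3, 2, 3, 3, 2, 1, 2, 2, 2, 3, 1, 1])
    body = struct.pack("!H", len(pairs)) + pairs
    return struct.pack("!HH", 13, len(body)) + body


def build_client_hello(suites, client_version=TLS1_2, record_version=TLS1_2,
                       servername=None, client_random=None):
    """Return one TLS record: 5-byte header + ClientHello handshake message.

    record_version goes into TLSPlaintext.version, client_version into
    ClientHello.client_version; RFC 5246 E.1 allows the two to differ."""
    rnd = client_random if client_random is not None else os.urandom(32)
    body = bytes(client_version) + rnd
    body += b"\x00"                                   # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                               # compression: null only
    exts = signature_algorithms_extension()
    if servername:
        exts = sni_extension(servername) + exts
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    header = b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake))
    return header + handshake


def record_info(record: bytes) -> dict:
    """What a -debug dump shows for the first record: header version, the
    record length (bytes 4 and 5 counting from 1) and whether that length
    needs its high byte, i.e. exceeds 0xFF."""
    length = struct.unpack("!H", record[3:5])[0]
    return {"record_version": (record[1], record[2]),
            "client_version": (record[9], record[10]),   # after 5 + 4 header bytes
            "length": length,
            "over_0xff": length > 0xFF}


def demo():
    """Three hellos: a short one; the same one pushed past 0xFF only by a long
    -servername; and a long one that keeps client_version 3.3 but puts
    TLS 1.0 (3.1) in the record header, as proposed in the thread."""
    short = build_client_hello(SAMPLE_SUITES)
    padded = build_client_hello(SAMPLE_SUITES, servername="a" * 200 + ".example")
    many_suites = SAMPLE_SUITES[:-1] * 7 + [0x00FF]     # repeated just to grow the list
    compat = build_client_hello(many_suites, record_version=TLS1_0,
                                servername="owa.example")   # placeholder host
    return record_info(short), record_info(padded), record_info(compat)


if __name__ == "__main__":
    for label, info in zip(("short", "long SNI", "TLS1.0 header"), demo()):
        print(f"{label:14s} {info}")
```

The third case is the shape of the later OpenSSL fix: the record header announces the lowest version the client will accept while client_version still advertises TLS 1.2, and the server that hangs on a {3,3} header over 0xFF bytes sees a {3,1} header instead.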


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 12:17:19PM +0200, Andy Polyakov wrote:
> > It's empirically found that SSL 2.0 and TLS 1.0
> > ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> > have to be shorter to be accepted.
>
> TLS version in ClientHello *message* is denoted by corresponding field.
> But then the *message* is placed to TLS *record*, which is denoted with
> own protocol version. Quoting RFC5246, appendix E.1.
>
>    Earlier versions of the TLS specification were not fully clear on
>    what the record layer version number (TLSPlaintext.version) should
>    contain when sending ClientHello (i.e., before it is known which
>    version of the protocol will be employed).  Thus, TLS servers
>    compliant with this specification MUST accept any value {03,XX} as
>    the record layer version number for ClientHello.
>
>    TLS clients that wish to negotiate with older servers MAY send any
>    value {03,XX} as the record layer version number.  Typical values
>    would be {03,00}, the lowest version number supported by the client,
>    and the value of ClientHello.client_version.  No single value will
>    guarantee interoperability with all old servers, but this is a
>    complex topic beyond the scope of this document.
>
> Yes, it's beyond document scope, but it seems that it's acceptable to
> send TLS 1.2 ClientHello *message* in TLS 1.0 *record*. I.e. initial
> record version would denote minimal TLS version, while message version -
> maximal version.

And they now both contain 0x03,0x03.  At least gnutls is sending
0x03,0x00 with 0x03,0x03.

I already wondered about this before, but I assumed it didn't
matter.


Kurt



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Kurt Roeckx wrote:

>
> And they now both contain 0x03,0x03.  At least gnutls is sending
> 0x03,0x00 with 0x03,0x03.
>

Gnutls is also sending client hellos shorter than 256 bytes (couldn't see a
way to extend it though I'm not familiar with gnutls).

> I already wondered about this before, but I assumed it didn't
> matter.
>

Did a quick hack modification setting header version to 0x3,0x0 and it now
*will* connect to some sites it didn't before with a long client hello
including paypal. It ends up negotiating TLS 1.2 anyway.

I'll do some more tests to see what happens.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:

>
> Did a quick hack modification setting header version to 0x3,0x0 and it now
> *will* connect to some sites it didn't before with a long client hello
> including paypal. It ends up negotiating TLS 1.2 anyway.
>
> I'll do some more tests to see what happens.
>

SSLv3 or TLSv1 version in record header connects, anything higher hangs.

So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
should retain compatibility with older versions of OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
>
> >
> > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > *will* connect to some sites it didn't before with a long client hello
> > including paypal. It ends up negotiating TLS 1.2 anyway.
> >
> > I'll do some more tests to see what happens.
> >
>
> SSLv3 or TLSv1 version in record header connects, anything higher hangs.
>
> So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> should retain compatibility with older versions of OpenSSL.

Is there a reason not to send SSLv3 as the lowest version if
SSLv3 is enabled?


Kurt



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Kurt Roeckx wrote:

> On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> > On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> >
> > >
> > > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > > *will* connect to some sites it didn't before with a long client hello
> > > including paypal. It ends up negotiating TLS 1.2 anyway.
> > >
> > > I'll do some more tests to see what happens.
> > >
> >
> > SSLv3 or TLSv1 version in record header connects, anything higher hangs.
> >
> > So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> > should retain compatibility with older versions of OpenSSL.
>
> Is there a reason not to send SSLv3 as the lowest version if
> SSLv3 is enabled?
>

Well, the only reason I suggested using TLS 1.0 is that it would retain the same
behaviour as OpenSSL 1.0 and earlier, which would send the same record header
version as the currently supported version.

Doing some more tests... session resumption would also have to use version
SSLv3/TLSv1 in the client hello record but other handshake records must use the
negotiated version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Andy Polyakov
> I've done some more tests and it seems that the size of the client hello
> message is significant: all the options that work reduce the size of
> client hello. If you use the -debug option and check out the first
> message bytes 4 and 5 it seems those servers hang if the length exceeds
> 0xFF (using two bytes instead of one).
>
> If you use the option -servername very long string you can precisely
> control the size of the client hello. If you use that to make client
> hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
>
> So I'm getting more and more reports of sites that have a problem
> since 1.0.1.  They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those
> sites:
> - www.facebook.com
> - www.paypal.com
> - sourceforge.net

It seems to be combination. For example www.paypal.com actually can
negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most
notably 'openssl s_client -connect www.paypal.com:443 -cipher
DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages
to connect and negotiate 1.2! But test with -cipher ALL. This for some
reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long,
but it does announce TLS 1.2 capability and final negotiated version is
... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >=
256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean
that server doesn't support 1.2...


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> > I've done some more tests and it seems that the size of the client hello
> > message is significant: all the options that work reduce the size of
> > client hello. If you use the -debug option and check out the first
> > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > 0xFF (using two bytes instead of one).
>
> > If you use the option -servername very long string you can precisely
> > control the size of the client hello. If you use that to make client
> > hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
> >
> > So I'm getting more and more reports of sites that have a problem
> > since 1.0.1.  They basically fall in 2 categories:
> > - They don't tolerate versions higher than TLS 1.0
> > - They don't like big packets.
> >
> > Of the 2nd case I have at least found people complain about those
> > sites:
> > - www.facebook.com
> > - www.paypal.com
> > - sourceforge.net
>
> It seems to be combination. For example www.paypal.com actually can
> negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most
> notably 'openssl s_client -connect www.paypal.com:443 -cipher
> DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages
> to connect and negotiate 1.2! But test with -cipher ALL. This for some
> reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long,
> but it does announce TLS 1.2 capability and final negotiated version is
> ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >=
> 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean
> that server doesn't support 1.2...

Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why
I've put them in the second category.

So you're saying you send a different ClientHello depending on the
size?  If it's > 0xFF you send an SSL 2.0 ClientHello, but
announce 1.2 while otherwise you send a TLS 1.2 ClientHello?
It doesn't make sense to me, and that doesn't seem to happen here.


Kurt



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Andy Polyakov
> So I'm getting more and more reports of sites that have a problem
> since 1.0.1.  They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those
> sites:
> - www.facebook.com
> - www.paypal.com
> - sourceforge.net
> It seems to be combination. For example www.paypal.com actually can
> negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most
> notably 'openssl s_client -connect www.paypal.com:443 -cipher
> DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages
> to connect and negotiate 1.2! But test with -cipher ALL. This for some
> reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long,
> but it does announce TLS 1.2 capability and final negotiated version is
> ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >=
> 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean
> that server doesn't support 1.2...
>
> Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why
> I've put them in the second category.
>
> So you're saying you send a different ClientHello depending on the
> size?  If it's > 0xFF you send an SSL 2.0 ClientHello, but
> announce 1.2 while otherwise you send a TLS 1.2 ClientHello?

I merely report empiric findings. I wouldn't say I'm sending different
ClientHello depending on the size, as I'm not modifying any code [at
the moment]. SSL 2.0 ClientHello is sent if you specify -cipher ALL, for
*some* reason. It's empirically found that SSL 2.0 and TLS 1.0
ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
have to be shorter to be accepted. As SSL 2.0 leaves room for higher
version negotiation you can send 2.0 hello larger than 256 bytes and
negotiate TLS 1.2. So it's not like paypal doesn't like big packets, it
doesn't like TLS 1.1 and 1.2 big packets.

> It doesn't make sense to me, and that doesn't seem to happen here.

Bugs never make sense. But what do you mean by doesn't seem to happen
here? Can you connect with 'openssl s_client -connect
www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect
www.paypal.com:443 -cipher ALL'? If not can you send 'nslookup
www.paypal.com' and outputs with -msg.


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Dr. Stephen Henson
On Sat, Mar 31, 2012, Kurt Roeckx wrote:

> On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> > > I've done some more tests and it seems that the size of the client hello
> > > message is significant: all the options that work reduce the size of
> > > client hello. If you use the -debug option and check out the first
> > > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > > 0xFF (using two bytes instead of one).
> >
> > > If you use the option -servername very long string you can precisely
> > > control the size of the client hello. If you use that to make client
> > > hello long enough you get the hang with OpenSSL 1.0.0h and earlier as
> > > well.
> > >
> > > So I'm getting more and more reports of sites that have a problem
> > > since 1.0.1.  They basically fall in 2 categories:
> > > - They don't tolerate versions higher than TLS 1.0
> > > - They don't like big packets.
> > >
> > > Of the 2nd case I have at least found people complain about those
> > > sites:
> > > - www.facebook.com
> > > - www.paypal.com
> > > - sourceforge.net
> >
> > It seems to be combination. For example www.paypal.com actually can
> > negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most
> > notably 'openssl s_client -connect www.paypal.com:443 -cipher
> > DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages
> > to connect and negotiate 1.2! But test with -cipher ALL. This for some
> > reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long,
> > but it does announce TLS 1.2 capability and final negotiated version is
> > ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >=
> > 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean
> > that server doesn't support 1.2...
>
> Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why
> I've put them in the second category.
>
> So you're saying you send a different ClientHello depending on the
> size?  If it's > 0xFF you send an SSL 2.0 ClientHello, but
> announce 1.2 while otherwise you send a TLS 1.2 ClientHello?
> It doesn't make sense to me, and that doesn't seem to happen here.
>

Before OpenSSL 1.0.0 OpenSSL always sent an SSLv2 compatible client hello
indicating support for the highest TLS version (which was 1.0 for that
version) provided SSLv2 support was enabled in the library.

An SSLv2 compatible client hello cannot indicate compression or extensions so
it is rather limiting.

OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no
SSLv2 ciphersuites are requested. The default cipherstring now excludes all
SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. If however
you specify ALL as the cipherstring you will get SSLv2 ciphersuites present.

If the library has been compiled with no-ssl2 this won't happen and you'll only
ever get the SSLv3 compatible client hello.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sat, Mar 31, 2012 at 11:09:15PM +0200, Andy Polyakov wrote:
>
> Bugs never make sense. But what do you mean by doesn't seem to happen
> here? Can you connect with 'openssl s_client -connect
> www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect
> www.paypal.com:443 -cipher ALL'? If not can you send 'nslookup
> www.paypal.com' and outputs with -msg.

openssl s_client -connect www.paypal.com:443 -cipher ALL doesn't
work for me.

openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES
does work and gets me a TLS1.2 connection.

$ host www.paypal.com
www.paypal.com is an alias for www.paypal.com.akadns.net.
www.paypal.com.akadns.net is an alias for
wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net is an alias for active-www.paypal.com.
active-www.paypal.com has address 66.211.169.14
active-www.paypal.com has address 66.211.169.65
active-www.paypal.com has address 66.211.169.74
active-www.paypal.com has address 173.0.88.2
active-www.paypal.com has address 66.211.169.2

$ openssl s_client -connect www.paypal.com:443 -cipher ALL -msg
CONNECTED(0003)
>>> TLS 1.2  [length 0165]
01 00 01 61 03 03 4f 77 83 c2 a2 4a a5 b6 af 88
46 6f 39 28 af 30 1a 23 53 cb ea f2 7c 33 31 6a
1c 3b 29 07 dd 5a 00 00 c8 c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00
6a 00 39 00 38 00 88 00 87 c0 19 c0 20 00 a7 00
6d 00 3a 00 89 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 12 c0 08 c0 1c c0
1b 00 16 00 13 c0 17 c0 1a 00 1b c0 0d c0 03 00
0a c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0
1e 00 a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00
99 00 45 00 44 c0 18 c0 1d 00 a6 00 6c 00 34 00
9b 00 46 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00
9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 16 00
18 c0 0c c0 02 00 05 00 04 00 15 00 12 00 1a 00
09 00 14 00 11 00 19 00 08 00 06 00 17 00 03 00
ff 02 01 00 00 6f 00 0b 00 04 03 00 01 02 00 0a
00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18
00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14
00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03
00 0f 00 10 00 11 00 23 00 00 00 0d 00 22 00 20
06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02
04 03 03 01 03 02 03 03 02 01 02 02 02 03 01 01
00 0f 00 01 01

Note that I configured it with no-ssl2, if that has anything to do
with it.

DEFAULT:\!AES gets me this instead:
CONNECTED(0003)
>>> TLS 1.2  [length 00df]
01 00 00 db 03 03 4f 77 84 26 f8 63 4c 98 df 6d
75 4e d7 54 44 49 d0 e0 3b 75 42 32 ba 2c 40 9b
65 3c 0b a2 d4 3e 00 00 42 00 88 00 87 00 84 c0
12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00
0a 00 9a 00 99 00 45 00 44 00 96 00 41 c0 11 c0
07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00
14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 6f
00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e
00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16
00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11
00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03
05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02
03 03 02 01 02 02 02 03 01 01 00 0f 00 01 01
<<< TLS 1.2  [length 0051]
02 00 00 4d 03 03 50 18 67 31 eb 7c c8 35 ef 31
93 4d 2b 45 d5 3f 4c f1 2b 98 51 b0 49 93 67 6d
d9 59 13 25 a9 ab 20 16 e1 e1 27 a6 d8 24 a9 c2
d9 11 eb 20 8b e5 3f 08 a2 78 a0 53 96 55 4f 57
70 4d d6 8c 5c 99 9e 00 0a 00 00 05 ff 01 00 01
00
[...]


Kurt

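The numbers the thread argues about can be read straight off the dumps above. What follows is an added example, not OpenSSL code and not part of the original thread: a small Python parser for the ClientHello and ServerHello handshake bytes that `openssl s_client -msg` prints, applied to the two ClientHellos and the ServerHello from Kurt's output. The three hex dumps are copied verbatim from that message; -msg prints the handshake message only, so the 5-byte record header that -debug shows is not in them, but the handshake length is what that header's length field carries, which is how the parser decides whether a hello needs two significant length bytes.

```python
import struct

# Hex dumps copied verbatim from Kurt Roeckx's `openssl s_client ... -msg`
# output above (handshake message only, no record header).
HELLO_CIPHER_ALL = bytes.fromhex("""
01 00 01 61 03 03 4f 77 83 c2 a2 4a a5 b6 af 88 46 6f 39 28 af 30 1a 23 53 cb ea f2 7c 33 31 6a
1c 3b 29 07 dd 5a 00 00 c8 c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00
6a 00 39 00 38 00 88 00 87 c0 19 c0 20 00 a7 00 6d 00 3a 00 89 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 17 c0 1a 00 1b c0 0d c0 03 00
0a c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0 1e 00 a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00
99 00 45 00 44 c0 18 c0 1d 00 a6 00 6c 00 34 00 9b 00 46 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00
9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 16 00 18 c0 0c c0 02 00 05 00 04 00 15 00 12 00 1a 00
09 00 14 00 11 00 19 00 08 00 06 00 17 00 03 00 ff 02 01 00 00 6f 00 0b 00 04 03 00 01 02 00 0a
00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14
00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0d 00 22 00 20
06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 01 01
00 0f 00 01 01
""")
HELLO_DEFAULT_NO_AES = bytes.fromhex("""
01 00 00 db 03 03 4f 77 84 26 f8 63 4c 98 df 6d 75 4e d7 54 44 49 d0 e0 3b 75 42 32 ba 2c 40 9b
65 3c 0b a2 d4 3e 00 00 42 00 88 00 87 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00
0a 00 9a 00 99 00 45 00 44 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00
14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 6f 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e
00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03
05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00 01 01
""")
SERVER_HELLO = bytes.fromhex("""
02 00 00 4d 03 03 50 18 67 31 eb 7c c8 35 ef 31 93 4d 2b 45 d5 3f 4c f1 2b 98 51 b0 49 93 67 6d
d9 59 13 25 a9 ab 20 16 e1 e1 27 a6 d8 24 a9 c2 d9 11 eb 20 8b e5 3f 08 a2 78 a0 53 96 55 4f 57
70 4d d6 8c 5c 99 9e 00 0a 00 00 05 ff 01 00 01 00
""")


def _vector(buf, pos, lensize):
    """Read a TLS length-prefixed vector at pos; return (contents, next pos)."""
    n = int.from_bytes(buf[pos:pos + lensize], "big")
    pos += lensize
    return buf[pos:pos + n], pos + n


def parse_client_hello(msg):
    """Decode a ClientHello handshake message into the fields discussed above."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello (handshake type %d)" % msg[0])
    if int.from_bytes(msg[1:4], "big") + 4 != len(msg):
        raise ValueError("handshake length does not match dump size")
    client_version = (msg[4], msg[5])
    pos = 6 + 32                                    # skip client_random
    _session_id, pos = _vector(msg, pos, 1)
    suites, pos = _vector(msg, pos, 2)
    compression, pos = _vector(msg, pos, 1)
    ext_block, pos = _vector(msg, pos, 2)
    extensions, p = [], 0
    while p < len(ext_block):                       # extension = type(2) + opaque<0..2^16-1>
        ext_type = struct.unpack("!H", ext_block[p:p + 2])[0]
        _body, p = _vector(ext_block, p + 2, 2)
        extensions.append(ext_type)
    return {
        "client_version": client_version,
        "record_length": len(msg),                  # what the record header carries
        "needs_two_length_bytes": len(msg) > 0xFF,  # Steve's "bytes 4 and 5" test
        "cipher_suites": [struct.unpack("!H", suites[i:i + 2])[0]
                          for i in range(0, len(suites), 2)],
        "compression": list(compression),
        "extensions": extensions,
    }


def parse_server_hello(msg):
    """Negotiated version and cipher suite from a ServerHello handshake message."""
    if msg[0] != 2:
        raise ValueError("not a ServerHello (handshake type %d)" % msg[0])
    pos = 6 + 32                                    # skip server_random
    _session_id, pos = _vector(msg, pos, 1)
    suite = struct.unpack("!H", msg[pos:pos + 2])[0]
    return {"version": (msg[4], msg[5]), "cipher_suite": suite}


if __name__ == "__main__":
    for name, dump in (("-cipher ALL", HELLO_CIPHER_ALL),
                       ("-cipher DEFAULT:!AES", HELLO_DEFAULT_NO_AES)):
        info = parse_client_hello(dump)
        print("%-22s length 0x%x  suites %d  extensions %s  over 0xFF: %s" % (
            name, info["record_length"], len(info["cipher_suites"]),
            [hex(t) for t in info["extensions"]], info["needs_two_length_bytes"]))
    print("ServerHello:", parse_server_hello(SERVER_HELLO))
```

Both hellos carry client_version 3.3 and the same five extensions (ec_point_formats, elliptic_curves, SessionTicket, signature_algorithms, heartbeat), so the only thing -cipher changed is the suite list: 100 suites (0x165 bytes, two-byte length) versus 33 (0xDF bytes, one-byte length), and the ServerHello that came back for the shorter one is version 3.3 with TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), i.e. paypal does negotiate TLS 1.2 when the hello fits in 255 bytes.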


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 12:13:44AM +0200, Dr. Stephen Henson wrote:
>
> OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no
> SSLv2 ciphersuites are requested. The default cipherstring now excludes all
> SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. If however
> you specify ALL as the cipherstring you will get SSLv2 ciphersuites present.
>
> If the library has been compiled with no-ssl2 this won't happen and you'll only
> ever get the SSLv3 compatible client hello.

So like I said, I compiled with no-ssl2, which at least explains
the difference in behaviour.


Kurt



[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-29 Thread Stephen Henson via RT
A temporary workaround for this is to apply these two patches to OpenSSL
1.0.1:

http://cvs.openssl.org/chngview?cn=22286
http://cvs.openssl.org/chngview?cn=22306

And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as
a command line option to config or Configure). I'm working on something
better.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-29 Thread Kurt Roeckx
On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > [steve - Sun Mar 25 13:11:30 2012]:
> >
> > I've done some more tests and it seems that the size of the client hello
> > message is significant: all the options that work reduce the size of
> > client hello. If you use the -debug option and check out the first
> > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > 0xFF (using two bytes instead of one).
> >
>
> If you use the option -servername very long string you can precisely
> control the size of the client hello. If you use that to make client
> hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.

So I'm getting more and more reports of sites that have a problem
since 1.0.1.  They basically fall in 2 categories:
- They don't tolerate versions higher than TLS 1.0
- They don't like big packets.

Of the 2nd case I have at least found people complain about those
sites:
- www.facebook.com
- www.paypal.com
- sourceforge.net


Kurt



[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-25 Thread Stephen Henson via RT
> [k...@roeckx.be - Sun Mar 25 04:51:32 2012]:
>
> On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> > > [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> > >
> > > OpenSSL negotiation times out when connecting to Outlook Exchange 2007
> > > both through Outlook Web Access (webmail) and IMAP (POP untested). This
> > > bug appeared between version 1.0.0h and 1.0.1-beta1.
> > >
> > > OS: Arch Linux
> > > Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
> > > Version: 1.0.1, 1.0.1-beta{3,2,1}.
> > > Versions-not-affected: 1.0.0h
> > >
> > > To reproduce, run `wget https://owa.mit.edu/`.
> >
> >
> > It isn't clear that this is a problem with OpenSSL. The server doesn't
> > seem to be responding to the OpenSSL client hello. If you disable
> > TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various
> > other things it responds OK.
>
> -no_tls1_2 and -no_tls1_1 doesn't work for me, I need to use -tls1
> (or -ssl3) to be able to get a connection.
>
> gnutls-cli which also supports TLS 1.1 and 1.2 works with that
> site without problem.
>
> https://sourceforge.net/ has the same problem, both report BigIP
> as the server.
>

Disabling TLSv1.2 will eliminate some ciphersuites and the signature
algorithm extension. Due to a bug it still sends that extension in
OpenSSL 1.0.1 if you specify -no_tls1_2. This fixes it:

http://cvs.openssl.org/chngview?cn=22286

It should then also work with -no_tls1_2. Without that option some
arguments also allow a connection. For example -cipher 'DEFAULT:!ECDH'
or -cipher 'DEFAULT:!AES'.

I've done some more tests and it seems that the size of the client hello
message is significant: all the options that work reduce the size of
client hello. If you use the -debug option and check out the first
message bytes 4 and 5 it seems those servers hang if the length exceeds
0xFF (using two bytes instead of one).

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-25 Thread Stephen Henson via RT
 [steve - Sun Mar 25 13:11:30 2012]:
 
 I've done some more tests and it seems that the size of the client hello
 message is significant: all the options that work reduce the size of
 client hello. If you use the -debug option and check out the first
 message bytes 4 and 5 it seems those servers hang if the length exceeds
 0xFF (using two bytes instead of one).
 

If you use the option -servername very long string you can precisely
control the size of the client hello. If you use that to make client
hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

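The two observations above (the servers hang once the first message's length field needs two bytes, and a long -servername lets you dial the ClientHello size in precisely) can be checked without a network: build a ClientHello, read the length field, and see which inputs push it past 0xFF. The Python below is an added example, not code from this thread or from OpenSSL; the cipher-suite ids, host names and signature_algorithms pairs in it are constructed sample values, and the ClientHello it builds is minimal (no ECC, renegotiation or other extensions a real client sends), so absolute sizes differ from what `openssl s_client -debug` prints. The generalization beyond the thread is that the same check is run across cipher-list length, extension set and server name together.

```python
"""Build a minimal TLS 1.2 ClientHello and inspect the record length field that
the thread points at. Sample values are constructed for illustration."""
import struct

TLS12 = b"\x03\x03"  # protocol version, used in both the record header and the hello body


def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0) carrying one host_name entry (name_type 0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def signature_algorithms_extension(pairs) -> bytes:
    """signature_algorithms extension (type 13), the extension TLS 1.2 adds to the hello.
    `pairs` is an iterable of (hash, signature) algorithm byte values (sample values)."""
    body = b"".join(bytes([h, s]) for h, s in pairs)
    return struct.pack("!HH", 0x000D, len(body) + 2) + struct.pack("!H", len(body)) + body


def build_client_hello(cipher_suites, hostname: str, extra_extensions: bytes = b"") -> bytes:
    """Return one TLS record (5-byte header + handshake message) carrying a ClientHello."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        TLS12
        + bytes(32)                                  # client_random: zeros for determinism only
        + b"\x00"                                    # session_id length 0 (no resumption attempt)
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # compression_methods: null only
    )
    extensions = sni_extension(hostname) + extra_extensions
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_record_header(record: bytes) -> dict:
    """Decode the record header and the handshake header behind it.
    The record length occupies zero-based offsets 3-4, i.e. bytes 4 and 5 when
    counted from 1, which matches the field the thread singles out."""
    content_type, major, minor, record_len = struct.unpack("!BBBH", record[:5])
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    return {
        "content_type": content_type,        # 0x16 = handshake
        "version": (major, minor),
        "record_length": record_len,
        "handshake_type": hs_type,           # 1 = client_hello
        "handshake_length": hs_len,
    }


def length_needs_two_bytes(record: bytes) -> bool:
    """True when the record length no longer fits in a single byte (> 0xFF),
    the condition the thread associates with the server going silent."""
    return parse_record_header(record)["record_length"] > 0xFF


def smallest_hostname_length_exceeding(cipher_suites, extra_extensions: bytes = b"",
                                       limit: int = 0xFF) -> int:
    """Shortest -servername length that pushes this hello's record length past `limit`.
    Each extra byte of server name adds exactly one byte to the record, so the search
    walks the name length upward until the field overflows one byte."""
    n = 0
    while True:
        record = build_client_hello(cipher_suites, "a" * n, extra_extensions)
        if parse_record_header(record)["record_length"] > limit:
            return n
        n += 1


if __name__ == "__main__":
    small = build_client_hello(range(10), "owa.example.test")          # constructed values
    large = build_client_hello(range(100), "owa.example.test")
    for label, rec in (("10 suites", small), ("100 suites", large)):
        hdr = parse_record_header(rec)
        print(f"{label}: record_length={hdr['record_length']} "
              f"two_bytes={length_needs_two_bytes(rec)}")
    print("name length that overflows one byte with 10 suites:",
          smallest_hostname_length_exceeding(range(10)))
```

Dropping suites with a narrower -cipher string, or leaving out the signature_algorithms extension as -no_tls1_2 is meant to, shrinks `record_length`; padding the server name grows it one byte per character, which is why a long -servername reproduces the hang even on 1.0.0h. To check a real client rather than this toy builder, take the first message bytes from `openssl s_client -debug` and feed them to `parse_record_header`.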


Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-24 Thread Kurt Roeckx via RT
On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
  [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
  
  OpenSSL negotiation times out when connecting to Outlook Exchange 2007
  both through Outlook Web Access (webmail) and IMAP (POP untested). This
  bug appeared between version 1.0.0h and 1.0.1-beta1.
  
  OS: Arch Linux
  Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
  Version: 1.0.1, 1.0.1-beta{3,2,1}.
  Versions-not-affected: 1.0.0h
  
  To reproduce, run `wget https://owa.mit.edu/`.
  
 
 It isn't clear that this is a problem with OpenSSL. The server doesn't
 seem to be responding to the OpenSSL client hello. If you disable
 TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various
 other things it responds OK.

-no_tls1_2 and -no_tls1_1 don't work for me, I need to use -tls1
(or -ssl3) to be able to get a connection.

gnutls-cli which also supports TLS 1.1 and 1.2 works with that
site without problem.

https://sourceforge.net/ has the same problem, both report BigIP
as the server.


Kurt




[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-23 Thread Steven Allen via RT
OpenSSL negotiation times out when connecting to Outlook Exchange 2007
both through Outlook Web Access (webmail) and IMAP (POP untested). This
bug appeared between version 1.0.0h and 1.0.1-beta1.

OS: Arch Linux
Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
Version: 1.0.1, 1.0.1-beta{3,2,1}.
Versions-not-affected: 1.0.0h

To reproduce, run `wget https://owa.mit.edu/`.

-- 
Steven Allen
MIT 2014, EECS





[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-23 Thread Stephen Henson via RT
 [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
 
 OpenSSL negotiation times out when connecting to Outlook Exchange 2007
 both through Outlook Web Access (webmail) and IMAP (POP untested). This
 bug appeared between version 1.0.0h and 1.0.1-beta1.
 
 OS: Arch Linux
 Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
 Version: 1.0.1, 1.0.1-beta{3,2,1}.
 Versions-not-affected: 1.0.0h
 
 To reproduce, run `wget https://owa.mit.edu/`.
 

It isn't clear that this is a problem with OpenSSL. The server doesn't
seem to be responding to the OpenSSL client hello. If you disable
TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various
other things it responds OK.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
