[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Thu Mar 29 21:17:31 2012, steve wrote:
> A temporary workaround for this is to apply these two patches to OpenSSL 1.0.1:
>
> http://cvs.openssl.org/chngview?cn=22286
> http://cvs.openssl.org/chngview?cn=22306
>
> And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as a command line option to config or Configure).
>
> I'm working on something better.

A new experimental workaround has been added to the master branch. See:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244

This is less disruptive as it doesn't disable TLS 1.2 or chop the cipher list.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
Per F5 Product Development, the log message quoted in the previous note is not related to ID 376483. It is a cosmetic issue which may be safely ignored.

Amy Wilhelm
Enterprise Network Engineer
F5 Networks
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
> - sourceforge.net
>
> This one still fails, but I believe that that was caused by the load balancer of F5 Networks (Big IP).

And there is no good solution for it, except for updating load balancer software. The only thing one can do otherwise is to minimize ClientHello by aggressively excluding ciphers. But you have to keep in mind to disable enough to accommodate even session-id, so that you won't suffer from the problem upon attempt to resume. For example it's possible to 'apps/openssl s_client -connect sourceforge.net:443 -no_tls1_2 -no_tls1_1', *but* if you save session data and try to resume, you're stuck... To resume you'd have to complement it with e.g. -cipher DEFAULT:\!EXPORT:\!DES:\!SEED...
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Thu, Mar 29, 2012 at 09:46:34PM +0200, Kurt Roeckx wrote:
> On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > [steve - Sun Mar 25 13:11:30 2012]:
> > > I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).
> >
> > If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
>
> So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those sites:
> - www.facebook.com
> - www.paypal.com

Those seem to work with the 1.0.1a version, even when the packets are still bigger than 256. It's sending a TLS 1.2 ClientHello in a TLS 1.0 packet now.

> - sourceforge.net

This one still fails, but I believe that that was caused by the load balancer of F5 Networks (Big IP).

Kurt
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1 triggers this bug on the load balancer. When it occurs, the load balancer neither forwards the request to a pool member, nor does it respond to the OpenSSL client. There are warning messages in the load balancer's /var/log/ltm file:

warning tmm[5313]: 012f0002:4: WARN at ../modules/hudproxy/bigproto/pva/pva_frames.c:1234:Received illegal header padding 100 versus 2ff

Working with F5 Networks tech support, we have determined that this is a known issue, which they track as Bug 376483. It is fixed in the recently released BIG-IP LTM 10.2.4 software, though it is not mentioned in their release notes, and I confirm that TLS 1.2 connections no longer hang after upgrading to 10.2.4.

Derek Poon
University of British Columbia

Begin forwarded message:

> From: F5 Support - Emailclerk <c.emailcl...@f5.com>
> Date: April 18, 2012 4:14:42 PM PDT
>
> Derek - Thanks for the data. After some pretty extensive research, it appears that while SOL 13037 was resolved as part of your update, you encountered a second known issue where the SSL connection hangs after OpenSSL v.1.0.1's Client Hello because it offered 80 ciphers.
> [...]
> This has been listed as Bug 376483, and is reported as having been fixed as of Version 10.2.4.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> > Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what happens.
>
> SSLv3 or TLSv1 version in record header connects, anything higher hangs. So I'd say we set it to TLSv1 in header unless we only support SSLv3. That should retain compatibility with older versions of OpenSSL.

Do you have a patch for this?

Kurt
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
> It's empirically found that SSL 2.0 and TLS 1.0 ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2 have to be shorter to be accepted.

TLS version in ClientHello *message* is denoted by corresponding field. But then the *message* is placed to TLS *record*, which is denoted with own protocol version. Quoting RFC5246, appendix E.1.

   Earlier versions of the TLS specification were not fully clear on what the record layer version number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as the record layer version number for ClientHello.

   TLS clients that wish to negotiate with older servers MAY send any value {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest version number supported by the client, and the value of ClientHello.client_version. No single value will guarantee interoperability with all old servers, but this is a complex topic beyond the scope of this document.

Yes, it's beyond document scope, but it seems that it's acceptable to send TLS 1.2 ClientHello *message* in TLS 1.0 *record*. I.e. initial record version would denote minimal TLS version, while message version - maximal version.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012 at 12:17:19PM +0200, Andy Polyakov wrote:
> > It's empirically found that SSL 2.0 and TLS 1.0 ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2 have to be shorter to be accepted.
>
> TLS version in ClientHello *message* is denoted by corresponding field. But then the *message* is placed to TLS *record*, which is denoted with own protocol version. Quoting RFC5246, appendix E.1.
>
>    Earlier versions of the TLS specification were not fully clear on what the record layer version number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as the record layer version number for ClientHello.
>
>    TLS clients that wish to negotiate with older servers MAY send any value {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest version number supported by the client, and the value of ClientHello.client_version. No single value will guarantee interoperability with all old servers, but this is a complex topic beyond the scope of this document.
>
> Yes, it's beyond document scope, but it seems that it's acceptable to send TLS 1.2 ClientHello *message* in TLS 1.0 *record*. I.e. initial record version would denote minimal TLS version, while message version - maximal version.

And they now both contain 0x03,0x03. At least gnutls is sending 0x03,0x00 with 0x03,0x03.

I already wondered about this before, but I assumed it didn't matter.

Kurt
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012, Kurt Roeckx wrote:
> And they now both contain 0x03,0x03. At least gnutls is sending 0x03,0x00 with 0x03,0x03.

Gnutls is also sending client hellos shorter than 256 bytes (couldn't see a way to extend it though I'm not familiar with gnutls).

> I already wondered about this before, but I assumed it didn't matter.

Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what happens.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what happens.

SSLv3 or TLSv1 version in record header connects, anything higher hangs. So I'd say we set it to TLSv1 in header unless we only support SSLv3. That should retain compatibility with older versions of OpenSSL.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> > Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what happens.
>
> SSLv3 or TLSv1 version in record header connects, anything higher hangs. So I'd say we set it to TLSv1 in header unless we only support SSLv3. That should retain compatibility with older versions of OpenSSL.

Is there a reason not to send SSLv3 as the lowest version if SSLv3 is enabled?

Kurt
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012, Kurt Roeckx wrote:
> On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> > On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> > > Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what happens.
> >
> > SSLv3 or TLSv1 version in record header connects, anything higher hangs. So I'd say we set it to TLSv1 in header unless we only support SSLv3. That should retain compatibility with older versions of OpenSSL.
>
> Is there a reason not to send SSLv3 as the lowest version if SSLv3 is enabled?

Well, the only reason I suggested using TLS 1.0 is that it would retain the same behaviour as OpenSSL 1.0 and earlier, which would send the same record header version as the currently supported version.

Doing some more tests... session resumption would also have to use version SSLv3/TLSv1 in the client hello record, but other handshake records must use the negotiated version.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
> > I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).
> >
> > If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
>
> So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those sites:
> - www.facebook.com
> - www.paypal.com
> - sourceforge.net

It seems to be combination. For example www.paypal.com actually can negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most notably 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages to connect and negotiate 1.2! But test with -cipher ALL. This for some reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long, but it does announce TLS 1.2 capability and final negotiated version is ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >= 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean that server doesn't support 1.2...
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> > > I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).
> > >
> > > If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
> >
> > So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
> > - They don't tolerate versions higher than TLS 1.0
> > - They don't like big packets.
> >
> > Of the 2nd case I have at least found people complain about those sites:
> > - www.facebook.com
> > - www.paypal.com
> > - sourceforge.net
>
> It seems to be combination. For example www.paypal.com actually can negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most notably 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages to connect and negotiate 1.2! But test with -cipher ALL. This for some reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long, but it does announce TLS 1.2 capability and final negotiated version is ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >= 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean that server doesn't support 1.2...

Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why I've put them in the second category.

So you're saying you send a different ClientHello depending on the size? If it's > 0xFF you send an SSL 2.0 ClientHello, but announce 1.2, while otherwise you send a TLS 1.2 ClientHello?

It doesn't make sense to me, and that doesn't seem to happen here.

Kurt
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
> > > So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
> > > - They don't tolerate versions higher than TLS 1.0
> > > - They don't like big packets.
> > >
> > > Of the 2nd case I have at least found people complain about those sites:
> > > - www.facebook.com
> > > - www.paypal.com
> > > - sourceforge.net
> >
> > It seems to be combination. For example www.paypal.com actually can negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most notably 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages to connect and negotiate 1.2! But test with -cipher ALL. This for some reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long, but it does announce TLS 1.2 capability and final negotiated version is ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >= 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean that server doesn't support 1.2...
>
> Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why I've put them in the second category.
>
> So you're saying you send a different ClientHello depending on the size? If it's > 0xFF you send an SSL 2.0 ClientHello, but announce 1.2, while otherwise you send a TLS 1.2 ClientHello?

I merely report empiric findings. I wouldn't say I'm sending different ClientHello depending on the size, as I'm not modifying any code [at the moment]. SSL 2.0 ClientHello is sent if you specify -cipher ALL, for *some* reason. It's empirically found that SSL 2.0 and TLS 1.0 ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2 have to be shorter to be accepted. As SSL 2.0 leaves room for higher version negotiation you can send 2.0 hello larger than 256 bytes and negotiate TLS 1.2. So it's not like paypal doesn't like big packets, it doesn't like TLS 1.1 and 1.2 big packets.

> It doesn't make sense to me, and that doesn't seem to happen here.

Bugs never make sense.

But what do you mean by doesn't seem to happen here? Can you connect with 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect www.paypal.com:443 -cipher ALL'? If not can you send 'nslookup www.paypal.com' and outputs with -msg.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sat, Mar 31, 2012, Kurt Roeckx wrote:
> On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> > > > I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).
> > > >
> > > > If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
> > >
> > > So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
> > > - They don't tolerate versions higher than TLS 1.0
> > > - They don't like big packets.
> > >
> > > Of the 2nd case I have at least found people complain about those sites:
> > > - www.facebook.com
> > > - www.paypal.com
> > > - sourceforge.net
> >
> > It seems to be combination. For example www.paypal.com actually can negotiate TLS 1.2, but doesn't tolerate long TLS 1.2 ClientHello. Most notably 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' results in 0xF8 bytes TLS 1.2 ClientHello and it manages to connect and negotiate 1.2! But test with -cipher ALL. This for some reason results in SSL *2.0* ClientHello which is 0x1B5[!] bytes long, but it does announce TLS 1.2 capability and final negotiated version is ... TLS 1.2! Once again, SSL 2.0 [and TLS 1.0] ClientHello *may* be >= 256 bytes, but not TLS 1.[12] ClientHello. But it doesn't seem to mean that server doesn't support 1.2...
>
> Yes, paypal seems to support TLS 1.2 (but not 1.1), which is why I've put them in the second category.
>
> So you're saying you send a different ClientHello depending on the size? If it's > 0xFF you send an SSL 2.0 ClientHello, but announce 1.2, while otherwise you send a TLS 1.2 ClientHello?
>
> It doesn't make sense to me, and that doesn't seem to happen here.

Before OpenSSL 1.0.0 OpenSSL always sent an SSLv2 compatible client hello indicating support for the highest TLS version (which was 1.0 for that version) provided SSLv2 support was enabled in the library. An SSLv2 compatible client hello cannot indicate compression or extensions so it is rather limiting.

OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no SSLv2 ciphersuites are requested. The default cipherstring now excludes all SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. If however you specify ALL as the cipherstring you will get SSLv2 ciphersuites present.

If the library has been compiled with no-ssl2 this won't happen and you'll only ever get the SSLv3 compatible client hello.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sat, Mar 31, 2012 at 11:09:15PM +0200, Andy Polyakov wrote:
> Bugs never make sense.
>
> But what do you mean by doesn't seem to happen here? Can you connect with 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect www.paypal.com:443 -cipher ALL'? If not can you send 'nslookup www.paypal.com' and outputs with -msg.

openssl s_client -connect www.paypal.com:443 -cipher ALL doesn't work for me.
openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES does work and gets me a TLS1.2 connection.

$ host www.paypal.com
www.paypal.com is an alias for www.paypal.com.akadns.net.
www.paypal.com.akadns.net is an alias for wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net is an alias for active-www.paypal.com.
active-www.paypal.com has address 66.211.169.14
active-www.paypal.com has address 66.211.169.65
active-www.paypal.com has address 66.211.169.74
active-www.paypal.com has address 173.0.88.2
active-www.paypal.com has address 66.211.169.2

$ openssl s_client -connect www.paypal.com:443 -cipher ALL -msg
CONNECTED(0003)
TLS 1.2 [length 0165]
[...]

Note that I configured it with no-ssl2, if that has anything to do with it.

DEFAULT:\!AES gets me this instead:

CONNECTED(0003)
TLS 1.2 [length 00df]
[...]
TLS 1.2 [length 0051]
[...]

Kurt
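The ClientHello construction, the two-byte-length threshold and the record-layer version workaround discussed in this thread, as an added Python example (not code from the thread or from OpenSSL; the hostname, the cipher-suite numbers and the helper names are constructed for illustration):

```python
"""Build a TLS ClientHello, wrap it in a record, and check the two properties
the thread turned on: the record-layer version and whether the record length
needs two bytes (exceeds 0xFF). Added example; helper names are hypothetical."""
import os
import struct
from typing import Dict, List, Optional

CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303


def sni_extension(hostname: str) -> bytes:
    """server_name extension (RFC 6066): type 0x0000 with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_client_hello(client_version: int, cipher_suites: List[int],
                       hostname: Optional[str] = None,
                       client_random: Optional[bytes] = None) -> bytes:
    """ClientHello handshake message: 1-byte type, 3-byte length, then body."""
    client_random = client_random if client_random is not None else os.urandom(32)
    assert len(client_random) == 32
    body = struct.pack("!H", client_version) + client_random
    body += b"\x00"                                               # empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites               # 2 bytes per suite
    body += b"\x01\x00"                                           # compression: null only
    if hostname is not None:
        ext = sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def wrap_record(handshake: bytes, record_version: int) -> bytes:
    """TLSPlaintext: content type, 2-byte record version, 2-byte length, fragment."""
    return (bytes([CONTENT_HANDSHAKE])
            + struct.pack("!HH", record_version, len(handshake)) + handshake)


def parse_client_hello_record(record: bytes) -> Dict[str, int]:
    """Pull out the fields the thread compared: record version, record length
    (bytes 4 and 5 of the first message in s_client -debug output, i.e. offsets
    3-4), client_version inside the message, and the cipher-suite count."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) != 5 + rec_len:
        raise ValueError("not a single, complete handshake record")
    hs = record[5:]
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs[0] != HS_CLIENT_HELLO or hs_len != len(hs) - 4:
        raise ValueError("not a well-formed ClientHello")
    client_ver = struct.unpack("!H", hs[4:6])[0]
    sid_len = hs[38]                                              # after version + random
    off = 39 + sid_len
    suites_len = struct.unpack("!H", hs[off:off + 2])[0]
    return {"record_version": rec_ver, "record_length": rec_len,
            "client_version": client_ver, "cipher_suites": suites_len // 2}


def trips_bigip_bug(record: bytes) -> bool:
    """The thread's empirical rule for the affected BIG-IP firmware: the hello
    hangs when the record version is above TLS 1.0 *and* the length needs two
    bytes. SSLv3/TLS 1.0 records of any length went through."""
    info = parse_client_hello_record(record)
    return info["record_version"] > TLS1_0 and info["record_length"] > 0xFF


def lower_record_version(record: bytes, version: int = TLS1_0) -> bytes:
    """The workaround adopted in master: keep client_version at the highest
    supported version, but send the ClientHello record itself as TLS 1.0
    (RFC 5246 E.1 allows any {03,XX} there)."""
    return record[:1] + struct.pack("!H", version) + record[3:]


if __name__ == "__main__":
    # Constructed input: 100 cipher suites plus an SNI extension, which pushes
    # the record past 0xFF bytes; the suite numbers are placeholders.
    hello = build_client_hello(TLS1_2, list(range(100)), "example.com")
    rec = wrap_record(hello, TLS1_2)
    print(parse_client_hello_record(rec), trips_bigip_bug(rec))
    print(trips_bigip_bug(lower_record_version(rec)))
```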
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Apr 01, 2012 at 12:13:44AM +0200, Dr. Stephen Henson wrote:
> OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no SSLv2 ciphersuites are requested. The default cipherstring now excludes all SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. If however you specify ALL as the cipherstring you will get SSLv2 ciphersuites present.
>
> If the library has been compiled with no-ssl2 this won't happen and you'll only ever get the SSLv3 compatible client hello.

So like I said, I compiled with no-ssl2, which at least explains the difference in behaviour.

Kurt
[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
A temporary workaround for this is to apply these two patches to OpenSSL 1.0.1:

http://cvs.openssl.org/chngview?cn=22286
http://cvs.openssl.org/chngview?cn=22306

And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as a command line option to config or Configure).

I'm working on something better.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> [steve - Sun Mar 25 13:11:30 2012]:
> > I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).
>
> If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.

So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories:
- They don't tolerate versions higher than TLS 1.0
- They don't like big packets.

Of the 2nd case I have at least found people complain about those sites:
- www.facebook.com
- www.paypal.com
- sourceforge.net

Kurt
[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
[k...@roeckx.be - Sun Mar 25 04:51:32 2012]:
> On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> > [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> > > OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1.
> > >
> > > OS: Arch Linux
> > > Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
> > > Version: 1.0.1, 1.0.1-beta{3,2,1}.
> > > Versions-not-affected: 1.0.0h
> > >
> > > To reproduce, run `wget https://owa.mit.edu/`.
> >
> > It isn't clear that this is a problem with OpenSSL. The server doesn't seem to be responding to the OpenSSL client hello. If you disable TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various other things it responds OK.
>
> -no_tls1_2 and -no_tls1_1 don't work for me, I need to use -tls1 (or -ssl3) to be able to get a connection. gnutls-cli which also supports TLS 1.1 and 1.2 works with that site without problem.
>
> https://sourceforge.net/ has the same problem, both report BigIP as the server.

Disabling TLSv1.2 will eliminate some ciphersuites and the signature algorithm extension. Due to a bug it still sends that extension in OpenSSL 1.0.1 if you specify -no_tls1_2. This fixes it:

http://cvs.openssl.org/chngview?cn=22286

It should then also work with -no_tls1_2. Without that option some arguments also allow a connection. For example -cipher 'DEFAULT:!ECDH' or -cipher 'DEFAULT:!AES'.

I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).

Steve.
[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
[steve - Sun Mar 25 13:11:30 2012]:
> I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).

If you use the option -servername <very long string> you can precisely control the size of the client hello. If you use that to make client hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.

Steve.
Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> > OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1.
> >
> > OS: Arch Linux
> > Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
> > Version: 1.0.1, 1.0.1-beta{3,2,1}.
> > Versions-not-affected: 1.0.0h
> >
> > To reproduce, run `wget https://owa.mit.edu/`.
>
> It isn't clear that this is a problem with OpenSSL. The server doesn't seem to be responding to the OpenSSL client hello. If you disable TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various other things it responds OK.

-no_tls1_2 and -no_tls1_1 don't work for me, I need to use -tls1 (or -ssl3) to be able to get a connection. gnutls-cli which also supports TLS 1.1 and 1.2 works with that site without problem.

https://sourceforge.net/ has the same problem, both report BigIP as the server.

Kurt
[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1.

OS: Arch Linux
Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
Version: 1.0.1, 1.0.1-beta{3,2,1}.
Versions-not-affected: 1.0.0h

To reproduce, run `wget https://owa.mit.edu/`.

--
Steven Allen
MIT 2014, EECS
[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007
[ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1.
>
> OS: Arch Linux
> Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
> Version: 1.0.1, 1.0.1-beta{3,2,1}.
> Versions-not-affected: 1.0.0h
>
> To reproduce, run `wget https://owa.mit.edu/`.

It isn't clear that this is a problem with OpenSSL. The server doesn't seem to be responding to the OpenSSL client hello. If you disable TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various other things it responds OK.

Steve.