[openssl-users] What does this error mean?

2018-04-16 Thread Rob Marshall
Hi, It may not be relevant, but I'm running SLES 10 SP3 which is a very old version of the OS and I can't upgrade it due to some installed products. When I try to do a wget I'm seeing the error: OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version What does

Re: [openssl-users] CVE-201-0737

2018-04-16 Thread Matt Caswell
On 16/04/18 16:59, Scott Neugroschl wrote: > Hi, > > I'm trying to make sure I have grokked this advisory properly. > > The advisory says this is a cache timing side channel attack on key > generation. So am I correct in assuming that a potential attacker must > > 1) Already have access to

Re: [openssl-users] CVE-201-0737

2018-04-16 Thread Scott Neugroschl
On 16/04/18 0935PDT, Matt Caswell wrote: >On 16/04/18 16:59, Scott Neugroschl wrote: >> Hi, >> >> I'm trying to make sure I have grokked this advisory properly. >> >> The advisory says this is a cache timing side channel attack on key >> generation. So am I correct in assuming that a

[openssl-users] CVE-201-0737

2018-04-16 Thread Scott Neugroschl
Hi, I'm trying to make sure I have grokked this advisory properly. The advisory says this is a cache timing side channel attack on key generation. So am I correct in assuming that a potential attacker must 1) Already have access to the system 2) Have sufficient privilege to be able to access

[openssl-users] OpenSSL Security Advisory

2018-04-16 Thread OpenSSL
2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. The fix was developed by Billy Brumley. References == URL for this Security Advisory: https://www.openssl.org/news/secadv/20180416.txt Note: the online version of the advisory may

Re: [openssl-users] OpenSSL 1.1.0 assertion failure: ssl_free_wbio_buffer()

2018-04-16 Thread Matt Caswell
On 16/04/18 11:38, Matt Caswell wrote: > > > On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote: >> SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished > > There should be no reason to do this. The BIO's will get freed > automatically by the SSL_free() call. > > >> Is this a faulty

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Marcus Meissner
On Mon, Apr 16, 2018 at 02:27:17PM -0400, Rob Marshall wrote: > Hi, > > It may not be relevant, but I'm running SLES 10 SP3 which is a very > old version of the OS and I can't upgrade it due to some installed > products. When I try to do a wget I'm seeing the error: > > OpenSSL:

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Michael Wojcik
The server is rejecting the connection because it doesn't like the SSL/TLS version range that wget is offering. Anything prior to TLSv1.1 suffers from vulnerabilities that can be exploited under practical conditions, so many servers reject older protocol versions. You don't have to upgrade

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Rob Marshall
Hi, I built and installed OpenSSL 1.0.2n and I'm still seeing the problem. I originally tried to build/install 1.1.0h but my goal was to build/install an updated OpenSSH (7.7.p1) and it wouldn't build with that version and a straight 1.1.0 build failed. So I went with the most recent 1.0.2 (in

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Michael Wojcik
It may be how the (probably somewhat outdated) version of wget is using the openssl API. Try "openssl s_client -connect server:port", using the server and port you're trying to get wget to connect to.

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Rob Marshall
Hi, The command I'm running is: wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py So in this particular case the host is: bootstrap.pypa.io. I was trying to install the Python pip command. Rob On Mon, Apr 16, 2018 at 5:53 PM, Salz, Rich via openssl-users

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Rob Marshall
Hi, When I do that I see, among other things: ... SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 9B63040F2D2F498F610A84E4A9D9017AF375772DFDDA760378666391A17C2C75 ... When I tried to force TLSv1.2 I got: hostname:~ # wget --no-check-certificate

Re: [openssl-users] What does this error mean?

2018-04-16 Thread Salz, Rich via openssl-users
You didn't answer the question that was asked. Which host? On 4/16/18, 4:23 PM, "Rob Marshall" wrote: Hi, I built and installed OpenSSL 1.0.2n and I'm still seeing the problem. I originally tried to build/install 1.1.0h but my goal was to

[openssl-users] OpenSSL 1.1.0 assertion failure: ssl_free_wbio_buffer()

2018-04-16 Thread Marcus . Schafheutle
Hello, we encountered a strange behaviour of OpenSSL 1.1.0 when our test with "sslscan" provokes an unfinished handshake. The problem exists since OpenSSL 1.1.0 - there were no problems with OpenSSL 1.0.2x. Our asynchronous communication approach uses memory BIOs in order to read/write data

Re: [openssl-users] OpenSSL 1.1.0 assertion failure: ssl_free_wbio_buffer()

2018-04-16 Thread Matt Caswell
On 16/04/18 09:19, marcus.schafheu...@gmx.de wrote: > SSL_set_bio(ssl, NULL, NULL); // free BIOs when finished There should be no reason to do this. The BIO's will get freed automatically by the SSL_free() call. > Is this a faulty behavior of OpenSSL 1.1.0 or is the fault on my side? This