On Tuesday 09 June 2015, Alexey Ivanov wrote:
> > On Jun 6, 2015, at 5:31 AM, Joel Sing <j...@sing.id.au> wrote:
> >
> > On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
> >> Hello,
> >>
> >> LibreSSL 2.2 (openbsd-current) fails to connect to
> >> https://webdav.yandex.com.
> >>
> >> OpenSSL 1.0.1m from OpenBSD packages does succeed.
> >>
> >> Yandex is the largest search engine in Russia. The webdav.yandex.com
> >> site is for accessing their file-hosting service.
> >>
> >> System info:
> >>
> >> $ uname -a
> >> OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
> >> $ dmesg | head -n 1
> >> OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
> >
> > [snip]
> >
> > The issue is due to the remote end not being RFC compliant and failing to
> > complete a TLS handshake when it does not recognise TLS signature
> > algorithms (sigalgs) that are being advertised by the client. In this
> > case the new signature algorithms are related to GOST - almost the
> > definition of irony...
>
> GOST… lol indeed =)
>
> > If you want to verify this for yourself, you can comment out the GOST
> > related entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections
> > to www.yandex.com work without issue, so it would seemingly be the
> > particular HTTP server that is being used for this service - I would
> > recommend contacting Yandex and reporting the issue to them.
>
> He just did - Yandex is a heavy BSD user, so many people there are reading
> tech@ and freebsd-hackers@. Some brave souls even subscribed to
> trolls@^Wmisc@!
>
> Back to the problem itself, as far as I know they are aware of it. In the
> meantime, while they are busy solving it on their side, you may want to
> limit the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list`
> before `SSL_do_handshake`.

Except that would not have made any difference - currently the list of 
signature algorithms is static and not dependent on the cipher suites 
selected.

> PS. Anyway, next time you probably want to report libressl-related problems
> to recently announced libre...@openbsd.org [1].
>
> [1] http://comments.gmane.org/gmane.os.openbsd.tech/42319
-- 

    "Action without study is fatal. Study without action is futile."
        -- Mary Ritter Beard
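
The behaviour the thread expects from the server side, as an added example that is not code from LibreSSL, Yandex, or either poster: parse the `signature_algorithms` extension data (RFC 5246, section 7.4.1.4.1), skip (hash, signature) pairs the server does not recognise, and select the first one it does. The function names, the server's supported set, and the sample bytes are assumptions; the unrecognised pairs use constructed values from the private-use range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5246 code points this hypothetical server supports (assumed set). */
enum { HASH_SHA1 = 2, HASH_SHA256 = 4, HASH_SHA384 = 5, HASH_SHA512 = 6 };
enum { SIG_RSA = 1, SIG_ECDSA = 3 };

static int known_pair(uint8_t hash, uint8_t sig)
{
	int hash_ok = hash == HASH_SHA1 || hash == HASH_SHA256 ||
	    hash == HASH_SHA384 || hash == HASH_SHA512;
	return hash_ok && (sig == SIG_RSA || sig == SIG_ECDSA);
}

/*
 * ext: extension_data = 2-byte list length, then (hash, signature) pairs.
 * Returns 0 and stores the first recognised pair, -1 if the encoding is
 * malformed, -2 if it is well formed but nothing is shared.
 */
int select_sigalg(const uint8_t *ext, size_t len, uint8_t *hash, uint8_t *sig)
{
	size_t list_len, i;
	if (len < 2)
		return -1;
	list_len = ((size_t)ext[0] << 8) | ext[1];
	if (list_len != len - 2 || list_len < 2 || (list_len & 1))
		return -1;
	for (i = 2; i < len; i += 2) {
		if (!known_pair(ext[i], ext[i + 1]))
			continue;	/* unknown entry: skip it, do not abort */
		*hash = ext[i];
		*sig = ext[i + 1];
		return 0;
	}
	return -2;
}

/* Constructed sample: two unrecognised pairs, then sha256/rsa, sha1/rsa. */
static const uint8_t sample_ext[] = {
	0x00, 0x08, 0xed, 0xed, 0xee, 0xee, 0x04, 0x01, 0x02, 0x01
};

int main(void)
{
	uint8_t h = 0, s = 0;
	int rc = select_sigalg(sample_ext, sizeof(sample_ext), &h, &s);
	printf("rc=%d hash=%u sig=%u\n", rc, h, s);
	return rc == 0 ? 0 : 1;
}
```

Only a malformed encoding or an empty intersection is an error here; an unrecognised entry on its own never ends the handshake.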
