> On Jun 13, 2015, at 4:00 PM, Joel Sing <j...@sing.id.au> wrote:
> 
> On Tuesday 09 June 2015, Alexey Ivanov wrote:
>>> On Jun 6, 2015, at 5:31 AM, Joel Sing <j...@sing.id.au> wrote:
>>> 
>>> On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
>>>> Hello,
>>>> 
>>>> LibreSSL 2.2 (openbsd-current) fails to connect to
>>>> https://webdav.yandex.com.
>>>> 
>>>> OpenSSL 1.0.1m from OpenBSD packages does succeed.
>>>> 
>>>> Yandex is the largest search engine in Russia. The webdav.yandex.com
>>>> site is for accessing their file-hosting service.
>>>> 
>>>> System info:
>>>> 
>>>> $ uname -a
>>>> OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
>>>> $ dmesg | head -n 1
>>>> OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
>>> 
>>> [snip]
>>> 
>>> The issue is due to the remote end not being RFC compliant and failing to
>>> complete a TLS handshake when it does not recognise TLS signature
>>> algorithms (sigalgs) that are being advertised by the client. In this
>>> case the new signature algorithms are related to GOST - almost the
>>> definition of irony...
>> 
>> GOST… lol indeed =)
>> 
>>> If you want to verify this for yourself, you can comment out the GOST
>>> related entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections
>>> to www.yandex.com work without issue, so it would seemingly be the
>>> particular HTTP server that is being used for this service - I would
>>> recommend contacting Yandex and reporting the issue to them.
>> 
>> He just did - Yandex is a heavy BSD user, so many people there read
>> tech@ and freebsd-hackers@. Some brave souls even subscribed to
>> trolls@^Wmisc@!
>> 
>> Back to the problem itself, as far as I know they are aware of it. In the
>> meantime, while they are busy solving it on their side, you may want to
>> limit the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list`
>> before `SSL_do_handshake`.
> 
> Except that would not have made any difference - currently the list of
> signature algorithms is static and not dependent on the cipher suites
> selected.
You are right indeed, my bad.

The only other quick workaround that I can think of is to use TLS1.1 instead
(if that's acceptable from a security standpoint):

𝛌 ~ echo -n | /usr/local/Cellar/libressl/2.1.6/bin/openssl s_client -connect webdav.yandex.ru:443 -tls1_1 |& fgrep DONE
DONE
> 
>> PS. Anyway, next time you probably want to report libressl-related problems
>> to recently announced libre...@openbsd.org [1].
>> 
>> [1] http://comments.gmane.org/gmane.os.openbsd.tech/42319
> --
> 
>    "Action without study is fatal. Study without action is futile."
>        -- Mary Ritter Beard
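The thread above turns on two facts: a TLS 1.2 client advertises its signature algorithms in the ClientHello `signature_algorithms` extension (RFC 5246, 7.4.1.4.1), which a strict but non-compliant server may reject outright when it sees code points it does not know, and a TLS 1.1 ClientHello carries no such extension at all, which is why the `-tls1_1` workaround connects. The following script is an added illustration, not code from the thread or from LibreSSL: it builds minimal ClientHello records with and without the extension, parses the advertised pairs back out of a record (so it can also be pointed at a captured ClientHello), and models the reported server behaviour as a check. The cipher suite, the zeroed client random and the two "unregistered" pairs standing in for the GOST entries are constructed; the actual GOST code points from LibreSSL's `tls12_sigalgs` are not given on the page and are not reproduced here.

```python
import struct

# IANA-registered TLS 1.2 HashAlgorithm / SignatureAlgorithm values (RFC 5246).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}

TLS11 = b"\x03\x02"
TLS12 = b"\x03\x03"
EXT_SIGNATURE_ALGORITHMS = 13

# Constructed sample lists. STANDARD_SIGALGS are real registered pairs;
# GOST_STANDINS are placeholders for the non-IANA pairs LibreSSL advertised
# (the real values are not on the page, so unregistered stand-ins are used).
STANDARD_SIGALGS = [(6, 1), (6, 3), (5, 1), (5, 3), (4, 1), (4, 3), (2, 1), (2, 3)]
GOST_STANDINS = [(0xEE, 0xEE), (0xEF, 0xEF)]


def build_client_hello(version, cipher_suites, sigalgs=None):
    """Return a TLS record holding a minimal ClientHello.

    sigalgs is a list of (hash, sig) pairs; None omits the extension block
    entirely, which is what a TLS 1.1 client sends.
    """
    body = version + b"\x00" * 32                      # client_version + random (zeros, constructed)
    body += b"\x00"                                    # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                # compression: null only
    if sigalgs is not None:
        pairs = b"".join(bytes([h, s]) for h, s in sigalgs)
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(pairs) + 2)
        ext += struct.pack("!H", len(pairs)) + pairs
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sigalgs(record):
    """Return the (hash, sig) pairs a ClientHello advertises, or None if absent."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    handshake = record[5:]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:]
    pos = 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                               # compression methods
    if pos >= len(body):
        return None                                    # no extensions block (e.g. TLS 1.1 client)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SIGNATURE_ALGORITHMS:
            n = struct.unpack("!H", data[:2])[0]
            return [(data[2 + i], data[3 + i]) for i in range(0, n, 2)]
    return None


def unknown_sigalgs(pairs):
    """Pairs whose hash or signature value is not in the IANA registry."""
    return [(h, s) for h, s in pairs if h not in HASH_NAMES or s not in SIG_NAMES]


def describe(pairs):
    """Human-readable names, e.g. 'sha256/rsa' or 'hash#238/sig#238'."""
    out = []
    for h, s in pairs:
        hname = HASH_NAMES.get(h, "hash#%d" % h)
        sname = SIG_NAMES.get(s, "sig#%d" % s)
        out.append(hname + "/" + sname)
    return out


def strict_server_would_reject(record):
    """Model of the reported server: fail the handshake if the client
    advertises any signature algorithm the server does not recognise.
    A hello without the extension (TLS 1.1) is never rejected this way."""
    pairs = parse_sigalgs(record)
    return pairs is not None and len(unknown_sigalgs(pairs)) > 0


if __name__ == "__main__":
    hello12 = build_client_hello(TLS12, [0x002F], STANDARD_SIGALGS + GOST_STANDINS)
    hello11 = build_client_hello(TLS11, [0x002F])
    print("TLS 1.2 advertises:", describe(parse_sigalgs(hello12)))
    print("unregistered:", describe(unknown_sigalgs(parse_sigalgs(hello12))))
    print("strict server rejects TLS 1.2 hello:", strict_server_would_reject(hello12))
    print("strict server rejects TLS 1.1 hello:", strict_server_would_reject(hello11))
```

The check mirrors the two points made in the thread: cutting the cipher list changes nothing here because the advertised pairs do not depend on the cipher suites, while dropping to TLS 1.1 removes the extension and with it the values the server chokes on. Pointing `parse_sigalgs` at a real captured ClientHello is a quick way to confirm what a given client build actually advertises before deciding whether that downgrade is acceptable.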
