NetBSD-Bugs archive


lib/46878: connection to some https site using openssl causes freeze



>Number:         46878
>Category:       lib
>Synopsis:       connection to some https site using openssl causes freeze
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 30 16:05:01 +0000 2012
>Originator:     Ryo ONODERA
>Release:        NetBSD 6.99.10
>Organization:
        
>Environment:
        
        
System: NetBSD hydrogen.elements.tetera.org 6.99.10 NetBSD 6.99.10 (GENERIC) 
#3: Thu Aug 30 21:58:31 JST 2012 
root%hydrogen.elements.tetera.org@localhost:/usr/obj/sys/arch/i386/compile/GENERIC
 i386
Architecture: i386
Machine: i386
>Description:
% openssl s_client -connect secure.nicovideo.jp:443
WARNING: can't open config file: /etc/openssl/openssl.cnf
CONNECTED(00000006)
(freeze)

I reported this to current-users@ about one year ago.
http://mail-index.netbsd.org/current-users/2011/07/28/msg017182.html

OpenSSL 1.0.1c resolves some connections to https sites,
but I cannot connect properly to, for example, secure.nicovideo.jp.
This problem prevents the use of net/nicovideo-dl on NetBSD current and 6.0.

The original problem is a mixture of several problems.
If I analyse it correctly, the problem with secure.nicovideo.jp
is caused by openssl 1.0.1c trying TLS 1.2 by default
(thank you, Matthias Drochner).

With the patch in the Fix: section, nicovideo-dl works well,
and connections to some erroneous sites with www/w3m,
for example owa.mit.edu, also work well.

        
>How-To-Repeat:
        
Run the following command on NetBSD current of today, or 6.0_RC1.
% openssl s_client -connect secure.nicovideo.jp:443

>Fix:
        
I have no idea about the correct place for the definition of OPENSSL_NO_TLS1_2_CLIENT.
The following patch works well.

Index: Makefile.openssl
===================================================================
RCS file: /cvsroot/src/crypto/Makefile.openssl,v
retrieving revision 1.10
diff -u -r1.10 Makefile.openssl
--- Makefile.openssl    23 Sep 2009 04:02:28 -0000      1.10
+++ Makefile.openssl    30 Aug 2012 15:45:34 -0000
@@ -9,5 +9,6 @@
 CPPFLAGS+=     -DOPENSSLDIR=\"/etc/openssl\"
 CPPFLAGS+=     -DENGINESDIR=\"/usr/lib/openssl\"
 CPPFLAGS+=     -DDSO_DLFCN -DHAVE_DLFCN_H
+CPPFLAGS+=     -DOPENSSL_NO_TLS1_2_CLIENT
 
 .endif
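
Review bot: the added `CPPFLAGS+= -DOPENSSL_NO_TLS1_2_CLIENT` line carries no comment explaining why TLS 1.2 is turned off for clients, and placed next to the OPENSSLDIR and ENGINESDIR defines it applies to everything built with these flags rather than only to the connections that fail. Disabling the newest protocol version for every client in order to reach a few servers that do not answer is a broad trade, so I would suggest at least a comment above the line naming PR lib/46878 and the affected hosts so the define can be dropped again later, and considering a narrower, per-application opt-out instead of a library-wide default. The report itself says the right place for this define is unknown, so that question should be settled before this goes in.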


>Unformatted:
        
        

