NetBSD-Bugs archive


Re: bin/45639: STARTTLS fails sometimes with builtin OpenSSL



On Mon 21 Nov 2011 at 23:35:02 +0000, Thomas Klausner wrote:
>  Could this issue be another one case from the "bad TLS1.1 support"?
>  
>  See e.g.
>  https://bitbucket.org/site/master/issue/2552/problem-checking-out-with-tlsv11

If I understand that reference correctly, using the -tls1 option means
that TLS1.1 is not used? So, adding -tls1 should make the issue better?

I see exactly the opposite, though, when I use /usr/bin/openssl.

$ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp -tls1
CONNECTED(00000003)
140187688595268:error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length:/home/builds/ab/netbsd-5-1-RELEASE/src/crypto/dist/openssl/ssl/s3_clnt.c:906:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 374 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 001215364ECAE3B2A8DF9F2833C113B29988EF39A71891DA611C8F31871848E0
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1321919410
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
$ 

but if I leave out the -tls1 option I get

$ /usr/bin/openssl s_client -connect smtp.tele2.nl:25 -starttls smtp 
CONNECTED(00000003)
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF8jCCBNqgAwIBAgIRAKxAFqoIeVvY/rKWtrU54HAwDQYJKoZIhvcNAQEFBQAw
...
6AeDm142pfuFbXcYCp+QeavBQFWNT4h1UqXe/1LqUqm7C9cftao=
-----END CERTIFICATE-----
subject=/C=SE/postalCode=164 94/ST=Stockholm/L=Kista/streetAddress=Box 62/O=Tele2/OU=Network Operations/OU=Issued through Tele2 Sverige AB E-PKI Manager/OU=Comodo PremiumSSL Wildcard/CN=*.tele2.nl
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
SSL handshake has read 3146 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0012B8C04ECAE3D5A33EA027E403C4789222FCBF06BA5DD834BE080F6A27F54C
    Session-ID-ctx: 
    Master-Key: CCED98E919799672F48FB37C680B5EE1BA59F5B8ED4B71F5B9D91B0998FE7B497E342F59A498AF08BED8023BF5A507C5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1321919445
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 EHLO
help
214-Commands Supported:
214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY ATRN STARTTLS
214-Copyright (c) 1995-2011, Stalker Software, Inc.
214- 
214 End Of Help
DONE

With /usr/pkg/bin/openssl ... -tls1, it works.
The postmaster at tele2.nl tried something similar with his version of
openssl, without -tls1 option, and it worked for him (but he got a
"Protocol  : SSLv3" connection).

I tried to find out what version NetBSD's version of openssl is, but it
seems to be something like "0.9.9 plus own set of patches". The pkgsrc
version would then be older, being 0.9.8q nb3.

>   Thomas
-Olaf.
-- 
___ Olaf 'Rhialto' Seibert  -- There's no point being grown-up if you 
\X/ rhialto/at/xs4all.nl    -- can't be childish sometimes. -The 4th Doctor
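The failing run above dies inside SSL3_GET_SERVER_HELLO with "bad packet length". In OpenSSL's client that error is raised when, after the ServerHello fields have been pulled out of the handshake message, the cursor does not sit exactly at the end of the message: the length fields and the parsed fields disagree. The thread does not establish what the tele2.nl server actually sent, so the following is an added illustration only, written for this page and not taken from NetBSD, pkgsrc or OpenSSL. It is a small Python decoder for a TLS record carrying a ServerHello that applies the same consume-everything check, with a builder that produces constructed sample records (no real capture). The `parse_extensions` switch is an assumption used to show one way such a mismatch arises: a parser that stops before an extension block sees leftover bytes and rejects the message, while an extension-aware parser accepts the same bytes. The cipher-suite table is also added here; 0x0035 is what OpenSSL names AES256-SHA, the suite negotiated in the working run.

```python
"""Minimal TLS ServerHello decoder with an explicit length-consistency check.

Added illustration for the thread above; not NetBSD, pkgsrc or OpenSSL code.
Layouts follow the TLS 1.0/1.1 record and handshake formats; all sample
records are constructed by build_server_hello(), not captured from a server.
"""
import struct

HANDSHAKE = 0x16
SERVER_HELLO = 0x02

# A few cipher-suite code points with OpenSSL's names (table added here).
CIPHER_NAMES = {0x0035: "AES256-SHA", 0x002F: "AES128-SHA", 0x000A: "DES-CBC3-SHA"}


class BadPacketLength(ValueError):
    """The length fields and the parsed fields do not agree."""


class _Reader:
    """Bounded cursor: any read past the end is reported as a length error."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise BadPacketLength("truncated while reading %s" % what)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self, what):
        return self.take(1, what)[0]

    def u16(self, what):
        return struct.unpack("!H", self.take(2, what))[0]

    def u24(self, what):
        return int.from_bytes(self.take(3, what), "big")

    def remaining(self):
        return len(self.data) - self.pos


def parse_server_hello(record, parse_extensions=True):
    """Decode one TLS record carrying a ServerHello; raise BadPacketLength on mismatch."""
    r = _Reader(record)
    ctype = r.u8("record type")
    record_version = r.u16("record version")
    body = _Reader(r.take(r.u16("record length"), "record body"))
    if ctype != HANDSHAKE:
        raise ValueError("content type 0x%02x is not handshake" % ctype)
    if r.remaining():
        raise BadPacketLength("%d trailing byte(s) after record" % r.remaining())
    htype = body.u8("handshake type")
    msg = _Reader(body.take(body.u24("handshake length"), "handshake body"))
    if htype != SERVER_HELLO:
        raise ValueError("handshake type %d is not ServerHello" % htype)
    if body.remaining():
        raise BadPacketLength("%d byte(s) left in record after handshake" % body.remaining())
    version = msg.u16("server version")
    random_ = msg.take(32, "server random")
    session_id = msg.take(msg.u8("session id length"), "session id")
    cipher = msg.u16("cipher suite")
    compression = msg.u8("compression method")
    extensions = {}
    # Assumption for the illustration: an extension-unaware parser stops here.
    if parse_extensions and msg.remaining():
        ext = _Reader(msg.take(msg.u16("extensions length"), "extensions"))
        while ext.remaining():
            etype = ext.u16("extension type")
            extensions[etype] = ext.take(ext.u16("extension length"), "extension data")
    # The decisive check: every byte of the ServerHello must have been consumed.
    if msg.remaining():
        raise BadPacketLength("%d unparsed byte(s) after ServerHello fields" % msg.remaining())
    return {"record_version": record_version, "version": version, "random": random_,
            "session_id": session_id, "cipher": cipher,
            "cipher_name": CIPHER_NAMES.get(cipher, "0x%04x" % cipher),
            "compression": compression, "extensions": extensions}


def check(record, parse_extensions=True):
    """Return None if the record parses cleanly, else the length-error text."""
    try:
        parse_server_hello(record, parse_extensions)
    except BadPacketLength as e:
        return str(e)
    return None


def build_server_hello(version=0x0301, cipher=0x0035, session_id=b"", extensions=None):
    """Construct a ServerHello record as sample input (fixed random, not a capture)."""
    msg = struct.pack("!H", version) + bytes(range(32)) + bytes([len(session_id)]) + session_id
    msg += struct.pack("!HB", cipher, 0)
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        msg += struct.pack("!H", len(blob)) + blob
    hs = bytes([SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


if __name__ == "__main__":
    plain = build_server_hello()
    with_ext = build_server_hello(extensions={0xFF01: b"\x00"})  # renegotiation_info
    print("plain:", parse_server_hello(plain)["cipher_name"], check(plain))
    print("ext, extension-aware:", check(with_ext))
    print("ext, extension-unaware:", check(with_ext, parse_extensions=False))
    print("truncated:", check(plain[:-3]))
```

Running it shows the same bytes accepted by the extension-aware decoder and rejected with an "unparsed byte(s)" error by the extension-unaware one; a record cut short fails at the record-length check instead. When comparing two openssl builds as in the thread, the useful next step is to capture the server's ServerHello bytes and feed them to a decoder like this, so that the disagreement is pinned to a specific field rather than to the build as a whole.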

