[Bug 558176] New: openssl "error in SSLv3 read client hello A"
http://bugzilla.novell.com/show_bug.cgi?id=558176#c0

           Summary: openssl "error in SSLv3 read client hello A"
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Apache
        AssignedTo: bnc-team-apache@forge.provo.novell.com
        ReportedBy: jc@phocean.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4

I am having an issue with mod-ssl client authentication. After migrating a Debian Lenny box to openSUSE 11.2, I moved the certificates and kept almost the same apache virtual host configuration. However, I have never been able to get the client authentication to work. The browser doesn't even prompt me for the client certificate and sends out a generic alert message: "ssl_error_handshake_failure_alert".

Here is the debug trace:

[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

My virtual host directory configuration is pretty straightforward. My apache configuration hasn't changed:

<Directory /secured>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    Order allow,deny
    allow from All
</Directory>

Of course, I have tried all possible combinations that a non-ssl specialist can do (I have been searching almost exclusively for 3 days). I mean I:
- renewed several times all the certificates, from the CA to the client
- tried several mod-ssl tweaks, related to the browser, session cache, etc.
- tried several browsers
- tried several ssl keys and cipher protocols

At the end, I took a blank Debian virtual machine. Within 5 minutes, I configured a directory with the same settings, transferred the certificates and... it worked!!!

So there is definitely something wrong, but neither with my certificates nor the apache configuration. Why could it be? Is there anything specific with the openssl version embedded with openSUSE?

Thank you in advance for looking at it.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c1

--- Comment #1 from jean-christophe baptiste <jc@phocean.net> 2009-11-24 21:34:32 UTC ---

I forgot to add that I first tried to get some hints from upstream, on the mod-ssl mailing list. I got little feedback and no clue about what is going on.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c

jean-christophe baptiste <jc@phocean.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|openssl "error in SSLv3     |[mod-ssl] "error in SSLv3
                   |read client hello A"        |read client hello A" with
                   |                            |client auth
http://bugzilla.novell.com/show_bug.cgi?id=558176#c2

--- Comment #2 from jean-christophe baptiste <jc@phocean.net> 2009-11-28 09:21:26 UTC ---

Ok, as a kind guy on IRC pointed out, it might have something to do with a recent patch from upstream:

http://www.mail-archive.com/openssl-users@openssl.org/msg59562.html

By the way, the exact versions of openSSL I tried:

Debian Lenny: OpenSSL 0.9.8g 19 Oct 2007
openSUSE 11.2: OpenSSL 0.9.8k 25 Mar 2009
http://bugzilla.novell.com/show_bug.cgi?id=558176#c3

--- Comment #3 from jean-christophe baptiste <jc@phocean.net> 2009-11-28 10:53:00 UTC ---

My investigation is paying. I set up a fresh openSUSE 11.2 virtual machine from the CD, without doing any updates. I tested the client auth on it successfully. Then, I updated everything. There were several updates on openssl. After that, I could reproduce the same error as above.

So, it seems pretty evident now that the latest updates broke something. Probably because of this change, as suspected:

13 November 2009 (gjhe@novell.com):
- fix security bug [bnc#553641] CVE-2009-3555

Please, can you address this?
http://bugzilla.novell.com/show_bug.cgi?id=558176#c4

--- Comment #4 from jean-christophe baptiste <jc@phocean.net> 2009-11-28 14:27:44 UTC ---

The comments are interesting there: https://bugzilla.redhat.com/show_bug.cgi?id=533125

So it appears not to be a breakage but a "feature". Renegotiation is just not allowed anymore, breaking any client authentication.

By the way, the log could be improved on this point. The message telling it is not accepted by the client is just wrong and confusing.

So as long as browsers don't get a patch also, it seems to be a no go. Personally I will probably stick with an older version of ssl until then.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c5

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gjhe@novell.com,
                   |                            |security-team@suse.de
         AssignedTo|bnc-team-apache@forge.provo |security-team@suse.de
                   |.novell.com                 |

--- Comment #5 from Marcus Meissner <meissner@novell.com> 2009-11-29 20:57:07 UTC ---

bnc-team-apache is /dev/null ...
http://bugzilla.novell.com/show_bug.cgi?id=558176#c6

Tomas Hoger <thoger@pobox.sk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thoger@pobox.sk

--- Comment #6 from Tomas Hoger <thoger@pobox.sk> 2009-11-30 07:42:47 UTC ---

OpenSSL 0.9.8l does not send a hello request when the server calls SSL_do_handshake. IIRC, SUSE-SA:2009:057 did add the patch equal to the 0.9.8k -> 0.9.8l diff.

A global SSLVerifyClient none setting plus SSLVerifyClient require for some directory requires renegotiation, so it does not work with 0.9.8l (unless you modify mod_ssl to set the flag).
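The mechanism described in comment #6, as an added configuration example that is not the reporter's config and not part of the openSUSE package (hostnames, ports, paths and certificate file names are assumptions): with Apache 2.2 / mod_ssl a client certificate can be demanded either after the request has been read, which forces a second handshake, or in the initial handshake, which needs none.

```apache
# Added example, not the reporter's configuration: the two ways to demand a
# client certificate with Apache 2.2 / mod_ssl. Hostnames, ports, paths and
# certificate file names are assumptions.

# (a) Per-directory "require" with no vhost-level verification, as in the
#     bug report. mod_ssl only learns that a certificate is needed after it
#     has read the request URI, so it has to start a second (renegotiation)
#     handshake. An OpenSSL patched for CVE-2009-3555 in the 0.9.8l style
#     never starts that handshake, and the request fails with
#     "Re-negotiation handshake failed: Not accepted by client!?".
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/client-ca.crt
    # SSLVerifyClient none is the default at this level.

    <Directory /srv/www/htdocs/secured>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# (b) Renegotiation-free alternative: request the certificate in the initial
#     handshake for the whole vhost. This works with an 0.9.8l-era OpenSSL
#     because no second handshake ever happens. The price is granularity:
#     every URL on this vhost needs a certificate, so the protected content
#     gets its own vhost. A separate port is used here so the example does
#     not depend on SNI support in the browser.
<VirtualHost *:8443>
    ServerName secured.example.org
    DocumentRoot /srv/www/secured
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory /srv/www/secured>
        SSLRequireSSL
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

To see whether a server will renegotiate at all, connect with `openssl s_client -connect host:443` and type `R` on an empty line to request a renegotiation; a server built with the 0.9.8l-style patch refuses the second handshake. From OpenSSL 0.9.8m on, s_client also prints `Secure Renegotiation IS supported` or `IS NOT supported` after the handshake, which tells you whether the peer implements RFC 5746. With httpd 2.2.15 built against 0.9.8m or later, form (a) works again for clients that implement RFC 5746; `SSLInsecureRenegotiation on` re-enables the old-style renegotiation for clients that do not, at the cost of reopening CVE-2009-3555, so leave it off unless you must support such clients.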
http://bugzilla.novell.com/show_bug.cgi?id=558176#c7

--- Comment #7 from jean-christophe baptiste <jc@phocean.net> 2009-11-30 08:45:59 UTC ---

I know it's upstream, but do you think it's normal that some servers in production get broken after an update? Client authentication is not just a minor option or some obscure theoretical stuff...
http://bugzilla.novell.com/show_bug.cgi?id=558176#c8

--- Comment #8 from Guanjun He <gjhe@novell.com> 2009-12-29 03:11:41 UTC ---

Please reference bug #553641. Renegotiation is disabled.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c9

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |UPSTREAM

--- Comment #9 from Thomas Biege <thomas@novell.com> 2010-01-06 08:59:54 UTC ---

As soon as the problem is really solved upstream we will release updates.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c10

Thomas Schmühl <t.schmuehl@fz-juelich.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t.schmuehl@fz-juelich.de

--- Comment #10 from Thomas Schmühl <t.schmuehl@fz-juelich.de> 2010-02-15 13:01:04 UTC ---

Is there anything new about this problem? I've got the same problem with my SLES 10 after updating it to SP3 (and the final patchlevel). We need these renegotiation handshakes because we have configured "SSLVerifyClient require" for some directories. What can I do?
http://bugzilla.novell.com/show_bug.cgi?id=558176#c13

Willy Weisz <weisz@vcpc.univie.ac.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |weisz@vcpc.univie.ac.at

--- Comment #13 from Willy Weisz <weisz@vcpc.univie.ac.at> 2010-03-16 11:40:22 UTC ---

(In reply to comment #9)
> As soon as the problem is really solved upstream we will release updates.

It's already solved in openssl-0.9.8, but this version isn't available as an openSuSE RPM. So please release a corresponding update!!!
http://bugzilla.novell.com/show_bug.cgi?id=558176#c14

--- Comment #14 from Willy Weisz <weisz@vcpc.univie.ac.at> 2010-03-16 11:50:49 UTC ---

(In reply to comment #9)
> As soon as the problem is really solved upstream we will release updates.

It's already solved in openssl-0.9.8m(!), which incorporates TLS renegotiation according to RFC 5746, but this version isn't available as an openSuSE RPM. So please release a corresponding update!!!

And please release an Apache 2.2.15 RPM compiled against openssl-0.9.8m, which allows accepting or rejecting insecure "old-style" TLS renegotiations.