Bug 173399 - upgrade to 0.9.8a broke use of SSLv23_method() with SSL_OP_NO_SSLv2
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
Brian Brock
Blocks: 173401
Reported: 2005-11-16 17:56 EST by Jason Vas Dias
Modified: 2007-11-30 17:11 EST
Fixed In Version: openssl-0.9.8a-3
Doc Type: Bug Fix
Attachments:
  test program tarball (2.04 KB, application/octet-stream), 2005-11-16 17:56 EST, Jason Vas Dias
Description Jason Vas Dias 2005-11-16 17:56:35 EST
Created attachment 121152: test program tarball
Comment 1 Jason Vas Dias 2005-11-16 17:56:35 EST
Description of problem:

If a server and client both use:
  ssl_ctx = SSL_CTX_new( SSLv23_method() );
to initialize the ssl context, and both set the SSL_OP_NO_SSLv2 ssl option:
  sslopt = SSL_OP_ALL | SSL_OP_NO_SSLv2 ;
  SSL_CTX_set_options(ssl_ctx, sslopt);
then the client cannot connect to the server.

E.g. for a server that can support both v2 and v3 clients, but can be
configured to support only v3 clients, as for the tog-pegasus cimserver,
for which the FC-5 upgrade to openssl-0.9.8a broke SSL support.

The example program in fc5_ssl_bug.tar.gz demonstrates the problem:
  $ gunzip < fc5_ssl_bug.tar.gz | tar -xpf -
  $ cd ssl
  $ make
  ...
  $ B='' make test
./svr  & echo $!>svr.pid ;sleep 1;
./cli ;
SSL_accept failure: -1 1
7982:error:1408F455:lib(20):func(143):reason(1109):s3_pkt.c:426:
SSL_accept failed
...
  $ make test
./svr -b & echo $!>svr.pid ;sleep 1;
./cli -b;
--- CLIENT 127.0.0.1 CONNECTED
hello
world
--- CLIENT 127.0.0.1 DISCONNECTED
kill `cat svr.pid`;
rm -f svr.pid

Without supplying the -b option to the test programs, they do:

  ssl_ctx = SSL_CTX_new( SSLv3_method() );
  ...
  sslopt = SSL_OP_ALL ;
  SSL_CTX_set_options(ssl_ctx, sslopt);

This makes them work OK. With the -b option, they do:
  ssl_ctx = SSL_CTX_new( SSLv23_method() );
  ...
  sslopt = SSL_OP_ALL | SSL_OP_NO_SSLv2 ;
  SSL_CTX_set_options(ssl_ctx, sslopt);
and this makes the server fail with the SSL_accept failure,
whereas under 0.9.7f, or on FC-4, the above options work fine.

Version-Release number of selected component (if applicable):
openssl-0.9.8a

How reproducible:
100%

Steps to Reproduce:
Run test program in attached 'fc5_ssl_bug.tar.gz' :
  $ gunzip < fc5_ssl_bug.tar.gz | tar -xpf -
  $ cd ssl
  $ make
  $ B='' make test
  
Actual results:
Server fails with SSL_accept error

Expected results:
Same results as for
  $ make test

Additional info:
  See attached fc5_ssl_bug.tar.gz
Comment 2 Tomas Mraz 2005-11-22 11:01:58 EST
Apparently the problem happens now because zlib compression is enabled by
default in OpenSSL 0.9.8. (If it's explicitly enabled with OpenSSL 0.9.7 the
problem happens there too.) I've switched it off for now.

Please try openssl-0.9.8a-3 to see if it resolves the problem.
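The configuration from Comment 1 and the cause from Comment 2, as an added example that is not part of this bug report or of the tog-pegasus code: the same setup expressed with Python's standard-library ssl module (PROTOCOL_TLS_SERVER/PROTOCOL_TLS_CLIENT are the version-flexible analogue of SSLv23_method()), with compression refused explicitly in the context rather than left to the library's build-time default as openssl-0.9.8a-3 did, plus a small audit function that reports which required options a context lacks. The function names and the constructed "weak" context are this example's own.

```python
import ssl
from typing import List

# Options every server and client context must carry. OP_NO_SSLv2 mirrors the
# reporter's SSL_OP_NO_SSLv2; OP_NO_COMPRESSION pins in the application what
# openssl-0.9.8a-3 changed at build time, so the context no longer depends on
# how the installed library happens to be compiled.
REQUIRED = ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_COMPRESSION")


def make_context(server_side: bool) -> ssl.SSLContext:
    """Version-flexible context (SSLv23_method analogue) with SSLv2, SSLv3
    and TLS-level compression refused explicitly (example-only helper)."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    for name in REQUIRED:
        ctx.options |= getattr(ssl, name)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the required options NOT set on ctx ([] means configured as intended).

    Edge case: OpenSSL 1.1.0+ removed SSLv2 entirely and defines SSL_OP_NO_SSLv2
    as 0, so that flag can never test as "set"; treat a zero-valued flag as
    satisfied instead of reporting a false positive."""
    missing = []
    for name in REQUIRED:
        flag = int(getattr(ssl, name))
        if flag == 0:
            continue
        if not int(ctx.options) & flag:
            missing.append(name)
    return missing


def weak_context() -> ssl.SSLContext:
    """Constructed counterpart of the reporter's failing setup: SSLv2 refused but
    compression left enabled. Python sets OP_NO_COMPRESSION by default, so the bit
    is cleared here on purpose (the setter issues SSL_CTX_clear_options)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx
```

audit_context() is the check to run at startup against whatever context the application built; a non-empty list means the handshake behaviour depends on the library default that bit the reporter.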
Comment 3 Jason Vas Dias 2005-11-22 12:20:50 EST
Yes, openssl-0.9.8a-3 resolves the problem - thanks!
