Red Hat Bugzilla – Bug 91800
Unable to connect via SSL with openssl-0.9.7a-5 with some servers
Last modified: 2007-04-18 12:54:05 EDT
I'm unable to connect with some servers with openssl-0.9.7a-5 (current RH 9
Try running the following command (this is MUZO site for paying with credit cards in
Czech republic) and request title page (they have IBM_HTTP_Server/126.96.36.199
openssl s_client -connect epay.paynet.cz:443
GET / HTTP/1.0
On RH 8.0 with openssl-0.9.6b-33 I'm unable to get the title page from their server.
Oh sorry, I would like to say that openssl-0.9.6b-33 from RH 8.0 is OK and works!
Bad day today.
The output after trying to get a title page is only (I can see the certificate
and then the connection is closed.
The solution is to use the -bugs option for s_client. This is related to
incompatibility with broken implementations because of the CBC vulnerability
I will try to post some more info here on how to work around this in PHP and curl.
It seems that there is no option to bypass the code that disallows connecting to broken
servers. This option is SSL_OP_ALL (for the OpenSSL library). I recompiled curl with a
one-line patch (permanent SSL_OP_ALL), and curl from the command line and PHP work OK.
--- curl-7.9.8/lib/ssluse.c.orig 2002-06-10 15:24:15.000000000 +0200
+++ curl-7.9.8/lib/ssluse.c 2003-05-28 21:53:16.000000000 +0200
@@ -715,6 +715,8 @@
+ SSL_CTX_set_options(conn->ssl.ctx, SSL_OP_ALL);
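Review bot: the hunk sets SSL_OP_ALL unconditionally on every context curl creates, so all of OpenSSL's compatibility workarounds (including the one that turns off the CBC empty-fragment countermeasure mentioned above) are applied to every server, not only to the broken one this bug is about. Suggest gating the call behind a curl option the caller must opt into, and using the single workaround bit that is needed (OpenSSL's SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) rather than the whole SSL_OP_ALL mask. Also, the header `@@ -715,6 +715,8 @@` announces two added lines but only one `+` line is shown; please post the complete hunk so the second line can be reviewed.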