Bug 91800 - Unable to connect via SSL with openssl-0.9.7a-5 with some servers
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 9
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2003-05-28 09:06 EDT by Milan Kerslager
Modified: 2007-04-18 12:54 EDT (History)
Last Closed: 2003-05-28 13:51:34 EDT
Description Milan Kerslager 2003-05-28 09:06:28 EDT
I'm unable to connect with some servers with openssl-0.9.7a-5 (current RH 9
package).

Try running the following command (this is the MUZO site for paying with credit
cards in the Czech Republic) and request the title page (they have an
IBM_HTTP_Server/1.3.12.3 Apache/1.3.12 server):

openssl s_client -connect epay.paynet.cz:443
GET / HTTP/1.0

On RH 8.0 with openssl-0.9.6b-33 I'm unable to get the title page from their server.
Comment 1 Milan Kerslager 2003-05-28 09:19:33 EDT
Oh sorry, I would like to say that openssl-0.9.6b-33 from RH 8.0 is OK and works!
Comment 2 Milan Kerslager 2003-05-28 09:22:28 EDT
Bad day today.
The output after trying to get the title page is only (I can see the certificate
exchange):

read:errno=0

and then connection is closed.
Comment 3 Milan Kerslager 2003-05-28 13:51:34 EDT
The solution is to use the -bugs option for s_client. This is related to an
incompatibility with broken implementations because of the CBC vulnerability
countermeasure.

I will try to post some more info here on how to work around this in PHP and curl.
Comment 4 Milan Kerslager 2003-05-28 17:45:30 EDT
It seems that there is no option to bypass the code that disallows connecting to
broken servers. This option is SSL_OP_ALL (for the OpenSSL library). I recompiled
curl with a one-line patch (permanent SSL_OP_ALL) and curl from the command line
and PHP work OK.

--- curl-7.9.8/lib/ssluse.c.orig        2002-06-10 15:24:15.000000000 +0200
+++ curl-7.9.8/lib/ssluse.c     2003-05-28 21:53:16.000000000 +0200
@@ -715,6 +715,8 @@
     return CURLE_OUT_OF_MEMORY;
   }

+  SSL_CTX_set_options(conn->ssl.ctx, SSL_OP_ALL);
+
   if(data->set.cert) {
     if (!cert_stuff(conn,
                     data->set.cert,
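
Review bot: the added SSL_CTX_set_options(conn->ssl.ctx, SSL_OP_ALL) call is unconditional, so every TLS connection made by this curl build, including those made through PHP, enables all of OpenSSL's bug-compatibility workarounds rather than only the ones needed for the one broken server. In OpenSSL 0.9.7 SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off the CBC vulnerability countermeasure the comments above refer to, so the patch removes that protection for connections to servers that handle it correctly. Suggest setting only the option that is actually required and making it opt-in per transfer (a new setting checked next to the existing data->set.cert test) instead of hard-coding it in the context setup, with a short comment in ssluse.c explaining why the option is there.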
