[Bug 795355] Re: Intermittent SSL connection faults

Darren Spiteri 795355 at bugs.launchpad.net
Thu Jun 16 01:01:32 UTC 2011


Hi, I'll try backporting the Natty openssl package and see how it goes.

Not using a wildcard cert, although I have tested with one, as well as
two separate certs.

I have plenty of Apache debug logs; I'll distill some and upload when I
have a moment. Here's an ssldump that accompanied the s_client output
above:

7 1  0.3464 (0.3464)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  Unknown value 0x39  
  Unknown value 0x38  
  Unknown value 0x35  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  SSL2_CK_3DES  
  Unknown value 0x33  
  Unknown value 0x32  
  Unknown value 0x2f  
  SSL2_CK_RC2  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  SSL2_CK_RC4  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  SSL2_CK_DES  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC4_EXPORT40  
  Unknown value 0xff  
7 2  0.3557 (0.0093)  S>CV3.1(81)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          4d f1 5f 69 e8 65 f9 9e 0e 21 fd f8 6e 05 11 bb 
          45 6b b8 97 49 62 04 68 60 a2 4a 94 11 4a 81 84 
        session_id[32]=
          c0 ca 5b 73 a3 9a 33 0a 65 30 8f 28 c2 db d1 d6 
          47 ff b6 0c bf 48 0f dd 1e 95 33 9b 56 8b 04 3e 
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
7 3  0.3557 (0.0000)  S>CV3.1(3382)  Handshake
      Certificate
7 4  0.3557 (0.0000)  S>CV3.1(525)  Handshake
      ServerKeyExchange
7 5  0.3557 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
7 6  0.7052 (0.3494)  C>SV3.1(2)  Alert
    level           fatal
    value           decrypt_error
7    0.7054 (0.0002)  S>C  TCP FIN
7    0.7066 (0.0012)  C>S  TCP RST

For comparison, here's the ssldump of the prior, successful connection:

6 1  0.3416 (0.3416)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  Unknown value 0x39  
  Unknown value 0x38  
  Unknown value 0x35  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  SSL2_CK_3DES  
  Unknown value 0x33  
  Unknown value 0x32  
  Unknown value 0x2f  
  SSL2_CK_RC2  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  SSL2_CK_RC4  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  SSL2_CK_DES  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  SSL2_CK_RC2_EXPORT40  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC4_EXPORT40  
  Unknown value 0xff  
6 2  0.3512 (0.0095)  S>CV3.1(81)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          4d f1 5f 5c 41 3e 94 a9 68 9d 48 73 90 29 b2 08 
          62 b4 b6 6a 6b 98 ac 81 70 7d 44 a7 0c 6d fe ef 
        session_id[32]=
          dd 42 bf a7 3b 46 a0 eb 38 19 a0 bf 56 c1 22 17 
          1c aa b4 0c 97 79 ea b7 90 d1 78 f8 85 7c 00 c0 
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
6 3  0.3512 (0.0000)  S>CV3.1(3382)  Handshake
      Certificate
6 4  0.3512 (0.0000)  S>CV3.1(525)  Handshake
      ServerKeyExchange
6 5  0.3512 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
6 6  0.7370 (0.3858)  C>SV3.1(134)  Handshake
      ClientKeyExchange
6 7  0.7370 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
6 8  0.7370 (0.0000)  C>SV3.1(48)  Handshake
6 9  0.7403 (0.0032)  S>CV3.1(1)  ChangeCipherSpec
6 10 0.7403 (0.0000)  S>CV3.1(48)  Handshake
6 11 10.9898 (10.2495)  S>CV3.1(32)  Alert
6    10.9899 (0.0000)  S>C  TCP FIN
6 12 11.3304 (0.3404)  C>SV3.1(32)  Alert
6    11.3314 (0.0010)  C>S  TCP FIN

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/795355

Title:
  Intermittent SSL connection faults

Status in “openssl” package in Ubuntu:
  New

Bug description:
  Binary package hint: openssl

  Reported intermittent SSL connection issue on some apache mod_ssl
  vhosts.

  Platform:  Ubuntu 10.04.2 LTS
  Tested: Apache2-2.2.14-5ubuntu8.4 and backported 2.2.17-1ubuntu1 from Natty

  Firefox client will intermittently report:
  Secure Connection Failed
  An error occurred during a connection to oem-ibs.canonical.com.
  Peer's certificate has an invalid signature.
  (Error code: sec_error_bad_signature)

  Condition will clear on reload.

  Occasionally the server will alternately serve a good page followed
  by an SSL error until Apache is restarted. I am unable to reproduce
  the condition on demand, but have output from when the fault occurs.
  When the fault condition occurs it can be reproduced with any SSL
  client.

  The fault presents on multiple distinct servers.

  Initially suspected to be a bug with mod_ssl
  https://issues.apache.org/bugzilla/show_bug.cgi?id=46952, backport has
  eliminated this as has anecdotal reports of this same error presented
  from Dovecot.

  Tested with SSL certs from different CAs.

  Example:

  $ openssl s_client -connect oem-ibs.canonical.com:443
  CONNECTED(00000003)
  depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  14563:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
  14563:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:697:
  14563:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1449:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/795355/+subscriptions
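
An added example, not part of the original message: a small Python parser for the ssldump text format shown above that reports, per connection, the negotiated suite and the point at which a cleartext fatal alert ended the handshake. The function and variable names are assumptions; the sample is trimmed from the two traces in the message, and the suite names are the IANA names for the ids ssldump printed as "Unknown value".

```python
import re

# IANA names for suite ids this ssldump build prints as "Unknown value" (subset).
SUITES = {0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          0x35: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]")
FIELD = re.compile(r"^\s+(cipherSuite|level|value)\s+(.*\S)")
MSG = re.compile(r"^\s+(ServerHello|Certificate|ServerKeyExchange|ServerHelloDone|ClientKeyExchange)\s*$")

def summarise(trace):
    """Map each ssldump connection id to its suite, handshake messages and fatal alert."""
    conns, cur, sender = {}, None, None
    for line in trace.splitlines():
        rec, msg, field = RECORD.match(line), MSG.match(line), FIELD.match(line)
        if rec:  # a new TLS record on connection rec.group(1)
            cur = conns.setdefault(rec.group(1), {"suite": None, "msgs": [], "fatal": None})
            sender, cur["level"] = ("client" if rec.group(2) == "C" else "server"), None
        elif cur is None:
            continue  # text before the first record
        elif msg:
            cur["msgs"].append(msg.group(1))
        elif field and field.group(1) == "cipherSuite":
            unknown = re.fullmatch(r"Unknown value 0x([0-9a-f]+)", field.group(2))
            cur["suite"] = SUITES.get(int(unknown.group(1), 16), field.group(2)) if unknown else field.group(2)
        elif field and field.group(1) == "level":
            cur["level"] = field.group(2)
        elif field and cur["level"] == "fatal":  # the "value" line of a cleartext fatal alert
            cur["fatal"] = {"from": sender, "alert": field.group(2),
                            "after": cur["msgs"][-1] if cur["msgs"] else None}
    return conns

# Trimmed from the traces in the message: connection 7 failed, connection 6 succeeded.
TRACE = """\
7 2  0.3557 (0.0093)  S>CV3.1(81)  Handshake
      ServerHello
        cipherSuite         Unknown value 0x39
7 4  0.3557 (0.0000)  S>CV3.1(525)  Handshake
      ServerKeyExchange
7 5  0.3557 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
7 6  0.7052 (0.3494)  C>SV3.1(2)  Alert
    level           fatal
    value           decrypt_error
6 2  0.3512 (0.0095)  S>CV3.1(81)  Handshake
      ServerHello
        cipherSuite         Unknown value 0x39
6 6  0.7370 (0.3858)  C>SV3.1(134)  Handshake
      ClientKeyExchange
"""
```

On the failed connection the client sends the fatal alert directly after ServerHelloDone instead of a ClientKeyExchange, which is consistent with the `SSL3_GET_KEY_EXCHANGE:bad signature` error in the s_client output.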



