[Bug 795355] Re: Intermittent SSL connection faults
James M. Leddy
795355 at bugs.launchpad.net
Wed Jan 18 17:28:54 UTC 2012
Interestingly, I can't reproduce with openssl. As such, this _may_ be a
different bug than in the description. One important difference between
openssl and both firefox/gnutls is that openssl uses SSLv3, whereas both
firefox and gnutls use TLSv1. So it would appear that hexr handles all
SSLv3 connections well, but not all TLSv1 connections.
I have a bunch of packet dumps and cmdline output I'll upload presently.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/795355
Title:
Intermittent SSL connection faults
Status in OEM Priority Project:
Confirmed
Status in OEM Priority Project lucid series:
New
Status in “apache” package in Ubuntu:
Confirmed
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: openssl
Reported intermittent SSL connection issue on some apache mod_ssl
vhosts.
Platform: Ubuntu 10.04.2 LTS
Tested: Apache2-2.2.14-5ubuntu8.4 and backported 2.2.17-1ubuntu1 from Natty
Firefox client will intermittently report:
Secure Connection Failed
An error occurred during a connection to oem-ibs.canonical.com.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
Condition will clear on reload.
Occassionally the server will alternately serve a good page followed
by an SSL error until Apache is restarted. I am unable to reproduce
the condition on demand, but have output from when the fault occurs.
When the fault condition occurs it can be reproduced with any SSL
client.
The fault presents on multiple distinct servers.
Initially suspected to be a bug with mod_ssl
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952, backport has
eliminated this as has anecdotal reports of this same error presented
from Dovecot.
Tested with SSL certs from different CAs.
Example:
$ openssl s_client -connect oem-ibs.canonical.com:443
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
14563:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
14563:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:697:
14563:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1449:
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/795355/+subscriptions
More information about the foundations-bugs
mailing list