[Bug 965371] Re: HTTPS requests fail on sites which immediately close the connection if TLS 1.1 negotiation is attempted, on Ubuntu 12.04

Adam Porter 965371 at bugs.launchpad.net
Sat Jul 7 12:57:17 UTC 2012


In Ubuntu 11.10, Evernote works correctly in Wine.  In Ubuntu 12.04, it
fails to sync because of this bug:

err:wininet:NETCON_secure_connect SSL_connect failed: 12157

According to
<https://groups.google.com/d/msg/mailing.postfix.users/75pH1hGb1P8/bw_P6V5U_boJ>:

"The OpenSSL API does not provide an interface to allow older programs
to disable new protocol versions defined in later versions of the API.
Therefore, to disable TLS 1.1 or 1.2 one has to add code that uses the
new constants introduced with OpenSSL 1.0.1."  The author goes on to
provide a patch to Postfix, but I doubt it would be feasible to patch
Wine for this bug.

There is apparently no way to disable TLS or any protocols in
/etc/ssl/openssl.cnf.  I can't find any information about disabling or
controlling such features in Wine.

Apparently users such as myself have no recourse, other than running a
virtual machine for a single app.  Since the app in question works fine
on the previous version of Ubuntu, that seems quite silly.  Downgrading
OpenSSL seems unwise, if not totally impractical (perhaps requiring
recompiling all software that uses it).

This is very poor, especially for an LTS release.  Such a glaring
regression deserves more than "Medium" priority, even if it's not
Ubuntu's fault per se.  Ubuntu, OpenSSL, and all developers would be
wise to follow Linus's advice: "Don't break userspace!"  Even though
OpenSSL may be adhering to the standard and exposing bugs in proprietary
implementations, the end result is still broken FOSS software, while
proprietary software continues working.  Bugs like this deserve high
priority.

-- 
https://bugs.launchpad.net/bugs/965371

Title:
  HTTPS requests fail on sites which immediately close the connection if
  TLS 1.1 negotiation is attempted, on Ubuntu 12.04

Status in OpenSSL cryptography and SSL/TLS toolkit:
  Confirmed
Status in “openssl” package in Ubuntu:
  Triaged
Status in “openssl” source package in Precise:
  Triaged
Status in “openssl” package in Debian:
  Fix Released

Bug description:
  This week, HTTPS connections from a Python script I wrote started
  giving me this error:

  urllib2.URLError: <urlopen error [Errno 8] _ssl.c:497: EOF occurred in
  violation of protocol>

  This used to work up until some three days ago and still works on
  other Ubuntu versions, but not in other Python versions on Precise. I
  was suspecting this was a bug in Python, but a guy on AskUbuntu (
  http://askubuntu.com/questions/116020/python-https-requests-urllib2
  -to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059 )
  found out this happens using the openssl command line tool too:

  $ openssl s_client -connect www.mediafire.com:443

  But succeeds if forcing TLS 1 with the -tls1 argument.
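
Added example, not part of the original bug report or of any project named in it: a Python parser that reads the version a client offered from a raw ClientHello record and classifies the exchange, so that a capture showing "higher version offered, connection closed with no reply" can be told apart from other failures. The helper names (build_client_hello, offered_version, diagnose) are hypothetical and the ClientHello bytes are constructed for the example.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(client_version, record_version=0x0301):
    """Constructed minimal ClientHello (zero random, one suite); for parsing only."""
    body = struct.pack("!H", client_version) + bytes(32)  # client_version + random
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!HH", 2, 0x002F)                 # one cipher suite
    body += b"\x01\x00"                                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

def offered_version(record):
    """Return (record_layer_version, client_version) from one ClientHello record."""
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    # Bytes 5..8 are the handshake type and 3-byte length; the version follows.
    (client_ver,) = struct.unpack("!H", record[9:11])
    return rec_ver, client_ver

def diagnose(record, server_reply):
    """server_reply: raw bytes received from the server before the connection ended."""
    _, client_ver = offered_version(record)
    name = VERSIONS.get(client_ver, hex(client_ver))
    if server_reply[:1] == b"\x16":
        return f"{name} offered: server answered with a handshake record"
    if server_reply == b"" and client_ver > 0x0301:
        return f"{name} offered: closed with no reply, consistent with version intolerance"
    if server_reply == b"":
        return f"{name} offered: closed with no reply, not explained by the offered version"
    return f"{name} offered: non-handshake reply (alert or other)"

if __name__ == "__main__":
    for ver in (0x0303, 0x0301):
        print(diagnose(build_client_hello(ver), b""))
```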
