[Bug 966980] [NEW] libssl1.0.0_1.0.1-2ubuntu2 fails to connect to SSLv2 sites breaking wget and others
Sander Smeenk
ubuntu at freshdot.net
Wed Mar 28 10:03:56 UTC 2012
Public bug reported:
Installed is libssl1.0.0, pkg version 1.0.1-2ubuntu2 on Ubuntu Precise.
I can't connect to SSL-sites with openssl s_client or other tools compiled against libssl like wget and curl:
[root@haze:~] # openssl s_client -connect www.paypal.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[1] 861 exit 1 openssl s_client -connect www.paypal.com:443
When forcing SSLv3 with '-ssl3' it works:
[root@haze:~] # openssl s_client -ssl3 -connect www.paypal.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
[ .. ]
Also, the '-ssl2' option does not work although advertised:
[root@haze:~] # openssl s_client foobar 2>&1 | grep ssl2
-ssl2 - just use SSLv2
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
[root@haze:~] # openssl s_client -ssl2 -connect bitkeys.bit.nl:443
unknown option -ssl2
usage: s_client args
[ .. ]
Tshark logs for 'openssl s_client -connect www.paypal.com:443':
0.000000 192.168.0.55 -> 66.211.169.2 TCP 74 39271 > 443 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=55150170 TSecr=0 WS=64
0.154815 66.211.169.2 -> 192.168.0.55 TCP 78 443 > 39271 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=1488937822 TSecr=55150170 SACK_PERM=1
0.154856 192.168.0.55 -> 66.211.169.2 TCP 66 39271 > 443 [ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=55150209 TSecr=1488937822
0.155119 192.168.0.55 -> 66.211.169.2 SSL 386 Client Hello
0.409902 66.211.169.2 -> 192.168.0.55 TCP 66 443 > 39271 [ACK] Seq=1 Ack=321 Win=4700 Len=0 TSval=1488938077 TSecr=55150209
53.554408 192.168.0.55 -> 66.211.169.2 TCP 66 39271 > 443 [FIN, ACK] Seq=321 Ack=1 Win=14656 Len=0 TSval=55163559 TSecr=1488938077
53.709382 66.211.169.2 -> 192.168.0.55 TCP 66 443 > 39271 [ACK] Seq=1 Ack=322 Win=4700 Len=0 TSval=1488991376 TSecr=55163559
53.709428 66.211.169.2 -> 192.168.0.55 TCP 66 443 > 39271 [FIN, ACK] Seq=1 Ack=322 Win=4700 Len=0 TSval=1488991376 TSecr=55163559
53.709453 192.168.0.55 -> 66.211.169.2 TCP 66 39271 > 443 [ACK] Seq=322 Ack=2 Win=14656 Len=0 TSval=55163598 TSecr=1488991376
Tshark logs for 'openssl s_client -ssl3 -connect www.paypal.com:443':
79.458256 192.168.0.55 -> 66.211.169.2 TCP 74 39272 > 443 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=55170035 TSecr=0 WS=64
79.616839 66.211.169.2 -> 192.168.0.55 TCP 78 443 > 39272 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 WS=1 TSval=1489017524 TSecr=55170035 SACK_PERM=1
79.616881 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=55170075 TSecr=1489017524
79.617183 192.168.0.55 -> 66.211.169.2 SSL 229 Client Hello
79.776232 66.211.169.2 -> 192.168.0.55 SSLv3 1514 Server Hello
79.776323 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=164 Ack=1449 Win=17536 Len=0 TSval=55170115 TSecr=1489017683
79.776476 66.211.169.2 -> 192.168.0.55 TCP 2962 [TCP segment of a reassembled PDU]
79.776537 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=164 Ack=4345 Win=20416 Len=0 TSval=55170115 TSecr=1489017683
79.934822 66.211.169.2 -> 192.168.0.55 SSLv3 201 Certificate, Server Hello Done
79.934920 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=164 Ack=4480 Win=23296 Len=0 TSval=55170154 TSecr=1489017842
79.936254 192.168.0.55 -> 66.211.169.2 SSLv3 406 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
80.097971 66.211.169.2 -> 192.168.0.55 SSLv3 141 Change Cipher Spec, Encrypted Handshake Message
80.136340 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=504 Ack=4555 Win=23296 Len=0 TSval=55170205 TSecr=1489018005
[ .. session is open .. ]
Downgrading the libssl / openssl binaries to pkg version 1.0.0[gh]
resolves the problem too.
More information on request.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: Confirmed
** Tags: 1.0.1 openssl ssl3
https://bugs.launchpad.net/bugs/966980
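Added example, not part of the original report: a small triage script for tshark one-line summaries like the two captures above. It flags handshakes where the Client Hello was ACKed but never answered, and recovers the Client Hello payload size from the frame length, which for the failing run gives the same 320 bytes that s_client reports as written. The function name triage, the fixed server port 443, and attributing port-less TLS lines to the most recently seen TCP flow are assumptions of this sketch.

```python
import re
from collections import defaultdict

SERVER_PORT = 443  # assumption: the TLS server side is always port 443
# tshark one-line summary: time, src -> dst, protocol, frame length, info
LINE = re.compile(r"^\s*(\d+\.\d+)\s+\S+\s+->\s+\S+\s+(\S+)\s+(\d+)\s+(.*)$")
PORTS = re.compile(r"^(\d+) > (\d+) ")
# Excerpt of the two captures in the report, TCP options trimmed for width.
CAPTURE = """\
0.154856 192.168.0.55 -> 66.211.169.2 TCP 66 39271 > 443 [ACK] Seq=1 Ack=1 Win=14656 Len=0
0.155119 192.168.0.55 -> 66.211.169.2 SSL 386 Client Hello
0.409902 66.211.169.2 -> 192.168.0.55 TCP 66 443 > 39271 [ACK] Seq=1 Ack=321 Win=4700 Len=0
53.554408 192.168.0.55 -> 66.211.169.2 TCP 66 39271 > 443 [FIN, ACK] Seq=321 Ack=1 Win=14656 Len=0
79.616881 192.168.0.55 -> 66.211.169.2 TCP 66 39272 > 443 [ACK] Seq=1 Ack=1 Win=14656 Len=0
79.617183 192.168.0.55 -> 66.211.169.2 SSL 229 Client Hello
79.776232 66.211.169.2 -> 192.168.0.55 SSLv3 1514 Server Hello
"""

def triage(text):
    """Summarise each TLS handshake in a tshark summary dump, keyed by client port."""
    flows = defaultdict(lambda: dict(hdr=None, hello_at=None, hello_bytes=None,
                                     answered=False, fin_at=None))
    current = None  # client port of the TCP flow seen most recently
    for raw in text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        t, proto, length, info = float(m[1]), m[2], int(m[3]), m[4]
        p = PORTS.match(info)
        if proto == "TCP" and p:
            sport, dport = int(p[1]), int(p[2])
            current = dport if sport == SERVER_PORT else sport
            f = flows[current]
            if sport == current and "Len=0" in info and "SYN" not in info:
                f["hdr"] = length  # empty client segment: frame length is pure header
                if "FIN" in info:
                    f["fin_at"] = t
        elif current is not None:  # TLS lines carry no ports: use latest flow (heuristic)
            f = flows[current]
            if "Client Hello" in info:
                f["hello_at"], f["hello_bytes"] = t, (length - f["hdr"] if f["hdr"] else None)
            elif "Server Hello" in info:
                f["answered"] = True
    report = {}
    for port, f in flows.items():
        if f["hello_at"] is not None:
            gave_up = not f["answered"] and f["fin_at"] is not None
            report[port] = {"hello_bytes": f["hello_bytes"],
                            "verdict": "answered" if f["answered"] else "stalled",
                            "waited_s": round(f["fin_at"] - f["hello_at"], 3) if gave_up else None}
    return report
```

On the excerpt, triage(CAPTURE) marks port 39271 (default s_client) as stalled with a 320-byte Client Hello and port 39272 (-ssl3) as answered with a 163-byte one.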