[Bug 1144408] [NEW] libssl upgrade causes failure from old clients
Alex Bligh
ubuntu at alex.org.uk
Mon Mar 4 13:48:04 UTC 2013
Public bug reported:
Upgrade of libssl1.0.0 Precise from version 1.0.1-4ubuntu5.5 to version
1.0.1-4ubuntu5.7 causes failure of negotiation by old clients.
I am running apache2 on servers with self-signed certs (I enclose one
such). Before upgrade, I can do a 'curl -k' (insecure) and connect
successfully whether or not the CN in the self-signed certificate
matches the CN in the URL, and irrespective of the version of libssl
running on the client (for this test I am using an IP address and a
domain name mapping to that IP address).
Certs are generated with
openssl genrsa -out foo.key 1024
openssl req -new -key foo.key -out foo.csr -subj "/C=XX/ST=Test/L=Test/O=Test/OU=Test/CN=${ENDPOINT}"
openssl x509 -req -days 36500 -in foo.csr -signkey foo.key -out foo.crt
After the upgrade, all works fine from the host itself (i.e. curl to the
IP address in the CN, or curl to a DNS name pointing to it but not in
the CN), but connections from older clients report:
Ximines:~ amb$ curl -vvvvvv -k "https://cp.dev2.flexiant.net:4443/?wsdl" ; echo ""
* About to connect() to cp.dev2.flexiant.net port 4443 (#0)
* Trying 10.20.0.2... connected
* Connected to cp.dev2.flexiant.net (10.20.0.2) port 4443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
* Closing connection #0
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
whereas
$ curl -k "https://10.20.0.2:4443/?wsdl"
works fine
This error is ONLY produced when connecting to a URL not matching the
CN. If I connect to a URL that does match the CN it works fine
(presumably it bails out earlier).
If I force version 3 negotiation with the -3 option, it works fine.
As the version of curl has not changed, I suspect libssl, though it's
possible curl is not checking for all error conditions.
Self-signed cert that errors (private key is worthless so included too):
-----BEGIN CERTIFICATE-----
MIICMzCCAZwCCQCX1VMZB/s5ozANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJY
WDENMAsGA1UECAwEVGVzdDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDEN
MAsGA1UECwwEVGVzdDESMBAGA1UEAwwJMTAuMjAuMC4yMCAXDTEyMTEwMjExNTIz
N1oYDzIxMTIxMDA5MTE1MjM3WjBdMQswCQYDVQQGEwJYWDENMAsGA1UECAwEVGVz
dDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDES
MBAGA1UEAwwJMTAuMjAuMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1
1b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88mZmRCLuw9eI9c3Ho/
2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8+3wOjw848FxJ+RZ1
H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAArf2LS6G3Mh21qrR0UiAc1ekFw3JQvjRG8MSl+nCX3eHjBk1PDvMYs0
Hfh6HVRCBcleQn7xMHxTXw7wNyaoFeI4hl+GYHwzJONcVVSq+1wfIuzPC0YY6uPi
jUOSgUdnWvbZje0W4VM3/437793wPtP+fUVwEAAOGT70tC65R3CI
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC11b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88m
ZmRCLuw9eI9c3Ho/2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8
+3wOjw848FxJ+RZ1H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQAB
AoGAJgWzuL3Tsav4sSjCIR23CUC/68/o8NSTQpDO4Xkz3t/gw5hL8LOoc05sh84V
7E0OIxu0tJk6fkKOmNB2wcoqUAbcFnyItvi76EirQ2nu7x7zBhVNhJuYBGvTegG9
ByN7+arc+jvRq1Y36c999SN0wYEZpMdIKKOLBO2RgYnmQ+ECQQDoKVd6aH3fOlAC
ufTLH9duOILjeshH+N/Zuedq1eSA7tBTl3pdbHBbtGmim78brjelhqMn1GWqF3Y1
qWgyIq3jAkEAyIGAEb8EUGT/qOfMdvH52PvQGfMn3ZHT7FTC2m2ScV8kJb6UgrCi
mw6ZYDgSbMhm6xA7ow3wxORq4+s9ChEJfwJASEtXak7Po4vNDoxJplcsBq6iU6QQ
ahkd2/cAEUy580xqox0whZcXBfeQTYqiYERIH8tlUynY3rafoOY4BCS4cQJAOcSl
43cHhSo0RrPSQwrgk1Wp1XArMjlLt7GMGmarZKKmxYEtRKIjl00Tf5doJ5Nto5gf
tpDTp8avzU7/XSEffQJBALupHWw2N+OZd1k2XVVp2AKaL1qRzna5xl6SfP9rIhme
LdZdCMkt4nSKJ1f0HGdIYnbUXm8zeffSnOlWwaeCLRg=
-----END RSA PRIVATE KEY-----
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
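The curl output above prints a packed OpenSSL error code (14077458) and a bare reason number (1112) because the older client libssl has no string for that reason. The Python below is an added example, not part of the bug report or of OpenSSL: it splits the code into its library, function and reason fields using the ERR_PACK bit layout of OpenSSL 1.0.x (8 bits library, 12 bits function, 12 bits reason) and, where the reason lies in the "alert received" range (SSL_AD_REASON_OFFSET = 1000 plus the alert number), maps it back to the TLS alert number and its RFC name. The alert table is a partial list taken from RFC 5246 and RFC 6066; function numbers are left undecoded because the error string in the output already names SSL23_GET_SERVER_HELLO.

```python
# Added example (not from the bug report or OpenSSL): decode a packed
# OpenSSL 1.0.x error code from a curl/libssl error line.

# OpenSSL 1.0.x packs errors as ERR_PACK(lib, func, reason):
#   bits 24..31 = library id, bits 12..23 = function id, bits 0..11 = reason.
ERR_LIB_SSL = 20              # library id of the "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # reasons >= 1000 mean "peer sent alert N"

# Partial table of TLS alert descriptions (RFC 5246 7.2, RFC 6066 8).
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def alert_from_reason(reason):
    """Return (alert_number, alert_name) if the reason encodes a received
    TLS alert, otherwise None."""
    if reason < SSL_AD_REASON_OFFSET or reason > SSL_AD_REASON_OFFSET + 255:
        return None
    alert = reason - SSL_AD_REASON_OFFSET
    return alert, TLS_ALERTS.get(alert, "unknown_alert_%d" % alert)


def explain(error_string):
    """Parse a line of the form
    'error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)'
    and return the decoded fields as a dict."""
    parts = error_string.strip().split(":")
    if len(parts) < 4 or parts[0] != "error":
        raise ValueError("not an OpenSSL error line: %r" % error_string)
    code = int(parts[1], 16)          # the hex code after 'error:'
    lib, func, reason = decode_openssl_error(code)
    return {
        "code": code,
        "lib": lib,
        "is_ssl_lib": lib == ERR_LIB_SSL,
        "func": func,
        "func_name": parts[3],        # taken from the string itself
        "reason": reason,
        "alert": alert_from_reason(reason),
    }


if __name__ == "__main__":
    # The error line from the curl output in the bug report.
    line = "error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)"
    info = explain(line)
    print("library %d (SSL routines: %s), function %d (%s), reason %d"
          % (info["lib"], info["is_ssl_lib"], info["func"],
             info["func_name"], info["reason"]))
    if info["alert"]:
        print("reason is a received TLS alert: %d = %s" % info["alert"])
```

For the reporter's line this yields library 20 (SSL routines), function 119 and reason 1112, and 1112 decodes to TLS alert 112, unrecognized_name. Knowing which alert the server sent is the useful bit for the operator: it is the alert a name-based (SNI) virtual host setup emits when the requested host name does not match any configured certificate name, which is the same URL-versus-CN condition the reporter observed.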
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1144408
Title:
libssl upgrade causes failure from old clients
Status in “openssl” package in Ubuntu:
New