[Bug 1917625] Re: OpenSSL TLS 1.1 handshake fails internal error

Dimitri John Ledkov 1917625 at bugs.launchpad.net
Thu Mar 11 16:21:06 UTC 2021 

** Also affects: openssl (Ubuntu Hirsute)
   Importance: Undecided
       Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1917625

Title:
  OpenSSL TLS 1.1 handshake fails internal error

Status in openssl package in Ubuntu:
  Confirmed
Status in openssl source package in Hirsute:
  Confirmed

Bug description:
  OpenSSL's SSL_do_handshake() method fails with
  TLSV1_ALERT_INTERNAL_ERROR when client side has TLS 1.0 to 1.2 enabled
  but server side has only TLS 1.0 and 1.1 enabled. The issue breaks
  Python's test suite for test_ssl. It looks like the problem is caused
  by an Ubuntu downstream patch. Vanilla OpenSSL, Debian, and Fedora are
  not affected.

  A simple reproducer is:

  import ssl
  import socket
  from test.test_ssl import testing_context, ThreadedEchoServer, HOST

  client_context, server_context, hostname = testing_context()
  # client 1.0 to 1.2, server 1.0 to 1.1
  client_context.minimum_version = ssl.TLSVersion.TLSv1
  client_context.maximum_version = ssl.TLSVersion.TLSv1_2
  server_context.minimum_version = ssl.TLSVersion.TLSv1
  server_context.maximum_version = ssl.TLSVersion.TLSv1_1

  with ThreadedEchoServer(context=server_context) as server:
      with client_context.wrap_socket(socket.socket(),
                                      server_hostname=hostname) as s:
          s.connect((HOST, server.port))
          assert s.version() == 'TLSv1.1'

  
  On Ubuntu 20.04 the code fails with:
  Traceback (most recent call last):
    File "/internalerror.py", line 15, in <module>
      s.connect((HOST, server.port))
    File "/usr/lib/python3.8/ssl.py", line 1342, in connect
      self._real_connect(addr, False)
    File "/usr/lib/python3.8/ssl.py", line 1333, in _real_connect
      self.do_handshake()
    File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
      self._sslobj.do_handshake()
  ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1123)

  On Debian testing and Fedora 33 the same test passes with out:
   server:  new connection from ('127.0.0.1', 52346)
   server: connection cipher is now ('ECDHE-RSA-AES256-SHA', 'TLSv1.0', 256)
   server: selected protocol is now None

  You can find Dockerfiles with reproducers at https://github.com/tiran
  /distro-truststore/tree/main/tests/ubuntu-1899878

  Also see:
  * https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
  * https://bugs.python.org/issue43382
  * https://bugs.python.org/issue41561

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625/+subscriptions

More information about the foundations-bugs mailing list