libssl upgrade causes failure from old clients
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Upgrading libssl1.0.0 on Precise from version 1.0.1-4ubuntu5.5 to version 1.0.1-4ubuntu5.7 causes negotiation failures for old clients.
I am running apache2 on servers with self-signed certs (I enclose one such). Before upgrade, I can do a 'curl -k' (insecure) and connect successfully whether or not the CN in the self-signed certificate matches the CN in the URL, and irrespective of the version of libssl running on the client (for this test I am using an IP address and a domain name mapping to that IP address).
Certs are generated with:
openssl genrsa -out foo.key 1024
openssl req -new -key foo.key -out foo.csr -subj "/C=XX/
openssl x509 -req -days 36500 -in foo.csr -signkey foo.key -out foo.crt
After the upgrade, all works fine from the host itself (i.e. curl to the IP address in the CN, or curl to a DNS name pointing to it but not in the CN), but connections from older clients report:
Ximines:~ amb$ curl -vvvvvv -k "https:/
* About to connect() to cp.dev2.
* Trying 10.20.0.2... connected
* Connected to cp.dev2.
* SSLv3, TLS handshake, Client hello (1):
* error:14077458:SSL routines:
* Closing connection #0
curl: (35) error:14077458:SSL routines:
whereas
$ curl -k "https:/
works fine.
This error is ONLY produced when connecting to a URL not matching the CN. If I connect to a URL that does match the CN it works fine (presumably it bails out earlier).
If I force version 3 negotiation with the -3 option, it works fine.
As the version of curl has not changed, I suspect libssl, though it's possible curl is not checking for all error conditions.
Self-signed cert that errors (private key is worthless so included too):
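The curl output above carries the packed OpenSSL error code 14077458; decoding its library, function and reason fields tells you whether the handshake died locally or on an alert sent by the server, which is the first check to make when a client fails only against a hostname the server does not know. The script below is an added example, not part of the bug report: the decode formula is OpenSSL 1.x's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON layout, and the name tables are reduced to the OpenSSL 1.0.x constants for these specific values plus a few RFC 5246 alert numbers (assumed correct; anything else decodes to a numeric placeholder).

```python
import re

# OpenSSL 1.x packs an error as: lib (8 bits) | func (12 bits) | reason (12 bits).
# Reasons >= 1000 are TLS alerts received from the peer (SSL_AD_REASON_OFFSET).
SSL_AD_REASON_OFFSET = 1000

# Minimal name tables, limited to the values relevant to this report (assumed
# from OpenSSL 1.0.x headers: ERR_LIB_SSL=20, SSL_F_SSL23_GET_SERVER_HELLO=119,
# SSL_R_TLSV1_UNRECOGNIZED_NAME=1112).
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {119: "SSL23_GET_SERVER_HELLO"}
# TLS alert descriptions from RFC 5246 section 7.2.
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}

# Constructed sample: the truncated curl line exactly as it appears in the report.
CURL_LINE = "curl: (35) error:14077458:SSL routines:"


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 1.x error code into lib/func/reason, naming what we can."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    info = {
        "lib": lib,
        "lib_name": LIB_NAMES.get(lib, f"lib_{lib}"),
        "func": func,
        "func_name": FUNC_NAMES.get(func, f"func_{func}"),
        "reason": reason,
    }
    if reason >= SSL_AD_REASON_OFFSET:
        # The handshake was aborted by an alert from the peer, not by a local check.
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, f"alert_{alert}")
    return info


def decode_curl_line(line: str):
    """Pull the 8-hex-digit OpenSSL code out of a curl error line and decode it."""
    match = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if not match:
        return None
    return decode_openssl_error(int(match.group(1), 16))


if __name__ == "__main__":
    print(decode_curl_line(CURL_LINE))
```

For the code in the report the reason field is 1112, i.e. TLS alert 112 (unrecognized_name) received in the server hello, which matches the observation that only URLs not matching the CN fail.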
Changed in openssl (Ubuntu):
status: New → Won't Fix
Thanks for reporting this issue.
What do you mean by "old clients"? Do you mean Precise clients that have openssl 1.0.1-4ubuntu5.5?