Connecting to TLSv1.2 only servers fails without explicitly specifying protocol
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssl (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Package version: 1.0.1-4ubuntu5.25
Recently one of my IRC networks changed to TLSv1.2 only and I was unable to connect. The version of OpenSSL in precise appears to have problems connecting to servers that only accept TLSv1.2.
ZNC:
<*status> Disconnected from IRC (error:14077410:SSL routines:
irssi:
22:15 -!- Irssi: warning SSL handshake failed: sslv3 alert handshake failure
22:15 -!- Irssi: Connection lost to irc.p2p-network.net
OpenSSL:
$ openssl s_client -connect irc.p2p-
CONNECTED(00000005)
139964049446560
Explicitly specifying TLSv1.2 works:
$ openssl s_client -connect irc.p2p-
CONNECTED(00000005)
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
In vivid (openssl 1.0.1f-1ubuntu11):
$ openssl s_client -connect irc.p2p-
CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
This bug was fixed in the package openssl - 1.0.1-4ubuntu5.27
---------------
openssl (1.0.1-4ubuntu5.27) precise-security; urgency=medium
* debian/patches/tls12_client_env.patch: Re-enable TLSv1.2 support on the
client by default. For problematic setups, it can be disabled again by
setting OPENSSL_NO_CLIENT_TLS1_2 in the environment during library
initialization. (LP: #1442970)
-- Marc Deslauriers <email address hidden> Mon, 27 Apr 2015 13:13:18 -0400
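
The comparison made in the bug description (default handshake versus one forced to TLSv1.2) can be scripted and classified as below. This is an added example, not part of the original report or of the Ubuntu package; the function names and sample outputs are constructed, and `-tls1_2` is the standard `s_client` option for forcing TLSv1.2.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output and compare a default
# handshake with one that forces TLSv1.2. All function names are hypothetical.

# Read s_client output on stdin; print the negotiated protocol, or
# "handshake-failure". A failed handshake can still print an SSL-Session
# block with a Protocol line, so alerts and "Cipher is (NONE)" take priority.
classify_s_client() {
    awk '
        /alert handshake failure|alert protocol version/ { failed = 1 }
        /Cipher is \(NONE\)/                              { failed = 1 }
        /^[[:space:]]*Protocol[[:space:]]*:/              { proto = $NF }
        END {
            if (failed || proto == "") print "handshake-failure"
            else print proto
        }'
}

# $1 = result with the default protocol offer, $2 = result with -tls1_2.
diagnose() {
    if [ "$1" = "handshake-failure" ] && [ "$2" = "TLSv1.2" ]; then
        echo "client-default-omits-tls1.2"
    elif [ "$1" = "handshake-failure" ]; then
        echo "fails-both-ways"
    else
        echo "default-negotiates-$1"
    fi
}

# Live probe: probe HOST:PORT (needs network; the samples below do not).
probe() {
    d=$(openssl s_client -connect "$1" </dev/null 2>&1 | classify_s_client)
    f=$(openssl s_client -connect "$1" -tls1_2 </dev/null 2>&1 | classify_s_client)
    diagnose "$d" "$f"
}

# Constructed sample outputs, modelled on the shape of the transcripts above.
sample_default_fail() {
    printf '%s\n' 'CONNECTED(00000005)' \
        'error:SAMPLE:SSL routines:sslv3 alert handshake failure' \
        'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : 0000'
}
sample_forced_ok() {
    printf '%s\n' 'CONNECTED(00000005)' \
        'New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384' 'SSL-Session:' \
        '    Protocol  : TLSv1.2' '    Cipher    : AES256-GCM-SHA384'
}
```

A result of `client-default-omits-tls1.2` from `probe` matches the symptom in this report: the server is reachable over TLSv1.2, but the client library does not offer it unless told to.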