Malformed TLS handshake with OpenSSL 3.0 (breaks subversion)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
serf (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
This bug is a regression in libserf-1-1 version 1.3.9-10ubuntu1, which switched to OpenSSL 3.0. Version 1.3.9-10, which uses OpenSSL 1.1, does not have this bug.
Using version 1.3.9-10ubuntu1, Subversion, which is the only dependant of this package in the Ubuntu repository, breaks when using the https protocol. For instance, the command...
svn info https:/
... will no longer work and, depending on the server, may close the connection or return some sort of error.
Attempting to analyze the problem in Wireshark, I discovered that the TLS traffic generated by libserf is malformed and cannot be parsed by Wireshark's packet dissectors. At a glance, it appears that libserf is sending a raw TLS Client Hello without first sending a TLS record header. For instance, to use the illustrated handshake example here [1], the handshake that libserf generates appears to be missing the first five bytes (the TLS record header) and instead begins with what the illustrated example calls the TLS handshake header.
tags: added: transition-openssl3-jj
Status changed to 'Confirmed' because the bug affects multiple users.
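The framing difference described in the report can be checked mechanically on the first bytes a client sends. The following is an added example, not code from the bug report or from serf: the ClientHello bytes are constructed for illustration (not taken from a capture), and the function names are hypothetical.

```python
import struct

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello

def client_hello_body():
    """Constructed minimal ClientHello body (illustrative, not a real capture)."""
    return (b"\x03\x03"            # legacy_version
            + bytes(32)            # random (all zeros, constructed)
            + b"\x00"              # empty session id
            + b"\x00\x02\x13\x01"  # one cipher suite
            + b"\x01\x00"          # null compression only
            + b"\x00\x00")         # no extensions

def handshake_message(body):
    # Handshake header: 1-byte message type + 3-byte length.
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

def tls_record(fragment):
    # Record header (5 bytes): content type, legacy version, 2-byte length.
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(fragment)) + fragment

def classify(stream):
    """Classify the first bytes a client sent on a TLS port."""
    if len(stream) < 6:
        return "short"
    ctype, version, rlen = struct.unpack("!BHH", stream[:5])
    if ctype == HANDSHAKE_RECORD and version >> 8 == 3 and 0 < rlen <= 2**14:
        return "tls_record" if stream[5] == CLIENT_HELLO else "other_record"
    # No record header: does the stream start directly with a handshake
    # header (type 0x01, 3-byte length, then legacy_version 0x03xx)?
    hlen = int.from_bytes(stream[1:4], "big")
    if stream[0] == CLIENT_HELLO and hlen > 0 and stream[4] == 0x03:
        return "bare_handshake"
    return "unknown"

if __name__ == "__main__":
    hello = handshake_message(client_hello_body())
    good = tls_record(hello)
    print(good[:9].hex(" "), "->", classify(good))     # framed correctly
    print(hello[:9].hex(" "), "->", classify(hello))   # record header missing
```

A stream classified as `bare_handshake` matches the symptom in the report: the first five bytes a dissector expects are absent, so the handshake header is misread as a record header.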