openssl failed when interacting with sslv2 server

Bug #899464 reported by Finjon Kiang
This bug affects 2 people
Affects: openssl (Ubuntu) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Reference:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/592442

Initially it was found when using php5 to interact with the site https://aquarius.neweb.com.tw with the code below:
<?php file_get_contents('https://aquarius.neweb.com.tw');

Then Clint found the server doesn't support sslv3. So I tested it again with the commands below:
$ openssl s_client -ssl2 -host aquarius.neweb.com.tw -port 443

One more problem I met:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

---

$ uname -a
Linux xxx 3.0.0-13-generic #22-Ubuntu SMP Wed Nov 2 13:27:26 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
140055608010400:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:

Tags: openssl ssl2
Changed in openssl (Ubuntu):
status: New → Confirmed
Clint Byrum (clint-fewbar) wrote :

Finjon, if you can confirm that the server only supports SSLv2, then this is not a bug, as SSLv2 is disabled by default. However, if it's just a broken SSLv3... that might be something else.

Finjon Kiang (kiange) wrote :

I haven't gotten a response from that site. But if it's disabled by default, how can I enable it? The option '-ssl2' has been removed from the program in the latest version.

The following results were fetched from 0.9.8g-4ubuntu3.13 @ Ubuntu 8.04.4 LTS:

:~$ openssl s_client -ssl3 -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
15872:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

:~$ openssl s_client -ssl2 -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
depth=0 /C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
verify error:num=21:unable to verify the first certificate
verify return:1
subject=/C=TW/postalCode=11510/ST=Taiwan/L=Taipei/streetAddress=7F., No.52, Sec. 3, Nangang Rd., Nangang Dist., Taipei City 11510, Taiwan (R.O.C.)/O=Neweb Technologies Co., Ltd./OU=MIS/OU=Provided by Global Digital Inc./OU=GlobalTrustSSLWildcard/CN=*.neweb.com.tw
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
DES-CBC3-MD5
---
SSL handshake has read 1720 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv2
    Cipher : DES-CBC3-MD5
    Session-ID: 00005DCC0C925C974EDD756D00001C76
    Session-ID-ctx:
    Master-Key: 139E982728ACA06528E2A5C276029BA0E5E25BD6F3E85B84
    Key-Arg : C4A1588E79FC18C8
    Start Time: 1323136366
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Finjon Kiang (kiange) wrote :

I got a response from them. They said their website surely supports SSLv3. I have no idea how to identify the SSL version.
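
The thread never settles how to tell which protocol a server actually answered in. The Python below is an added example, not code from the bug report or from OpenSSL: it parses the first record a server sends back after a ClientHello and distinguishes an SSLv2 ServerHello (what s_client -ssl2 got here) from an SSLv3/TLS ServerHello and from a TLS alert. The byte strings are constructed for the example, not captured from aquarius.neweb.com.tw.

```python
import struct

# Record-layer versions of SSLv3 and TLS (RFC 6101, RFC 2246/4346/5246).
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# SSLv2 cipher kinds are 3-byte values from the SSL 2.0 draft spec.
SSLV2_CIPHERS = {b"\x01\x00\x80": "RC4-MD5", b"\x07\x00\xc0": "DES-CBC3-MD5"}


def classify_server_response(data: bytes) -> dict:
    """Classify the first bytes a server returns after our ClientHello."""
    if len(data) < 5:
        raise ValueError("too short to be an SSL/TLS record")
    if data[0] & 0x80:
        # SSLv2 2-byte header: high bit set, low 15 bits are the length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 11 or body[0] != 0x04:  # 0x04 = SERVER-HELLO
            return {"framing": "SSLv2", "message": "unknown"}
        # Fixed part: type, session-id-hit, cert-type, version, 3 lengths.
        version = struct.unpack("!H", body[3:5])[0]
        cert_len, cipher_len, _conn_len = struct.unpack("!HHH", body[5:11])
        specs = body[11 + cert_len:11 + cert_len + cipher_len]
        ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                   for i in range(0, len(specs), 3)]
        return {"framing": "SSLv2", "message": "ServerHello",
                "version": "SSLv2" if version == 0x0002 else hex(version),
                "ciphers": ciphers}
    # SSLv3/TLS record header: content type, version, length.
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if content_type == 0x15 and len(body) >= 2:  # Alert
        return {"framing": "TLS", "message": "Alert",
                "level": body[0], "description": body[1]}
    if content_type == 0x16 and len(body) >= 6 and body[0] == 0x02:
        # Handshake/ServerHello: 4-byte handshake header, then version.
        # (TLS 1.3 servers put 0x0303 here and signal 1.3 in an extension.)
        server_version = struct.unpack("!H", body[4:6])[0]
        return {"framing": "TLS", "message": "ServerHello",
                "version": TLS_VERSIONS.get(server_version, hex(server_version))}
    return {"framing": "TLS", "message": "unknown", "content_type": content_type}


# Constructed samples (not captured traffic): an SSLv2 ServerHello offering
# DES-CBC3-MD5 with an empty certificate, a TLS 1.0 handshake_failure alert,
# and a TLS 1.0 ServerHello with an all-zero random.
SAMPLE_SSLV2_HELLO = (b"\x80\x12" + b"\x04\x00\x01\x00\x02" +
                      b"\x00\x00\x00\x03\x00\x04" + b"\x07\x00\xc0" + b"\xde\xad\xbe\xef")
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"
SAMPLE_TLS_HELLO = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26\x03\x01" +
                    b"\x00" * 32 + b"\x00" + b"\x00\x0a" + b"\x00")
```

Feed it the first recv() result after sending a ClientHello and it tells you whether the peer spoke SSLv2, answered with an SSLv3/TLS ServerHello, or refused with an alert.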

Clint Byrum (clint-fewbar) wrote :

Seems like an upstream issue; verified that the site also fails from openssl on CentOS 6.

$ openssl s_client -host aquarius.neweb.com.tw -port 443
CONNECTED(00000003)
139957001901896:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Rex Tsai (chihchun) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command, as it will automatically gather debugging information, in a terminal:

apport-collect 899464

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Changed in openssl (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired