1.0.1-4ubuntu5.7 breaks a bunch of ciphers

Bug #1153481 reported by Klavs Klavsen
This bug affects 1 person
Affects: openssl (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

The problem listed in #986147 is still valid for the latest version of openssl :(

I tested with 5.5 and 5.7 - and still it does not work.

I can't visit this site f.ex. https://www.soljerome.com/blog/2011/12/17/mirroring-rhn-with-mrepo-on-rhel6/

From CentOS 6 it works fine.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

How are you trying to visit that site using openssl?

Please give the steps you are using to reproduce. Thanks.

Changed in openssl (Ubuntu):
status: New → Incomplete
Klavs Klavsen (kl-vsen) wrote :

You can use:
openssl s_client -connect www.soljerome.com:443 -showcerts -state

Or you could just open up Firefox and try to visit the site.

Marc Deslauriers (mdeslaur) wrote :

I am unable to reproduce the failure you are having with either openssl s_client or Firefox on Ubuntu 12.04 LTS and openssl 1.0.1-4ubuntu5.7.

Could you please attach the output of your openssl s_client command?

Klavs Klavsen (kl-vsen) wrote :

Hmm. It works for openssl against that website - but still not in Firefox (Firefox complains about no common ciphers - and I've just run apt-get distupgrade).

I have other Ubuntu-12.04 servers (which I'm not close to currently), which present the problem as well (running against a weblogic server on a windows 2008r2 server).

Against those webservers, I get the same output (also from my desktop) - as noted here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147/comments/21

I have no public weblogic that you can test against.

Klavs Klavsen (kl-vsen) wrote :

The firefox message:
Secure Connection Failed

An error occurred during a connection to www.soljerome.com.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Klavs Klavsen (kl-vsen) wrote :

about:firefox says:
firefox 19.0.2
Mozilla Firefox for Ubuntu Canonical 1.0

Marc Deslauriers (mdeslaur) wrote :

Firefox uses nss, not openssl, so I fail to see how an issue in openssl could prevent you from opening a website with Firefox.
Please open a separate bug for Firefox, since it's a different issue.

For openssl, please attach the output of your openssl command as requested.

Klavs Klavsen (kl-vsen) wrote :

It's the exact same output, as the #21 post as I noted:

openssl s_client -connect myweblogicserver:7002
CONNECTED(00000003)
140107426719392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 174 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Marc Deslauriers (mdeslaur) wrote :

This happens because your server isn't capable of handling clients which attempt to negotiate TLSv1.1. You need to either fix the SSL implementation on the server, or disable TLSv1.1 on your client.

This is a dupe of bug 965371.
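
The s_client output posted above can be read mechanically; the following is an added example, not code from this thread or from the openssl package. It parses that transcript and shows why "read 7 bytes" means the server answered the ClientHello with nothing but a single alert record. `SAMPLE_ALERT` is a constructed byte string, not captured traffic.

```python
import re

# Output copied from the comment above (trimmed to the lines that are parsed).
TRANSCRIPT = """\
CONNECTED(00000003)
140107426719392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 174 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Constructed sample, not captured traffic: one fatal handshake_failure alert record.
SAMPLE_ALERT = bytes.fromhex("15030100020228")

RECORD_HEADER_LEN = 5   # content type (1) + protocol version (2) + length (2)
ALERT_BODY_LEN = 2      # alert level (1) + alert description (1)
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def decode_alert(record):
    """Decode a single plaintext TLS alert record; return None if it is not one."""
    if len(record) != RECORD_HEADER_LEN + ALERT_BODY_LEN or record[0] != 0x15:
        return None
    if int.from_bytes(record[3:5], "big") != ALERT_BODY_LEN:
        return None
    level, desc = record[5], record[6]
    return {"version": (record[1], record[2]),
            "level": LEVELS.get(level, level),
            "description": DESCRIPTIONS.get(desc, desc)}


def triage(text):
    """Pull the fields that matter out of a failed `openssl s_client` transcript."""
    sizes = re.search(r"has read (\d+) bytes and written (\d+) bytes", text)
    error = re.search(r":SSL routines:([^:]+):([^:]+):", text)
    cipher = re.search(r"Cipher is (\S+)", text)
    read = int(sizes.group(1)) if sizes else None
    reason = error.group(2) if error else ""
    return {
        "read": read,
        "written": int(sizes.group(2)) if sizes else None,
        "function": error.group(1) if error else None,
        "reason": reason,
        "cipher": cipher.group(1) if cipher else None,
        # Exactly one alert-sized reply: the server refused the ClientHello
        # before sending a ServerHello, so no certificate or cipher was seen.
        "alert_only_reply": read == RECORD_HEADER_LEN + ALERT_BODY_LEN and "alert" in reason,
    }
```

Re-running `openssl s_client` with `-tls1` against the same server tests the explanation given in the last comment: if the handshake then completes, the server was rejecting the newer protocol version offered in the ClientHello rather than the cipher list.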
