SSL_connect:unknown state

Bug #1410989 reported by Circa Lucid on 2015-01-14
Affects: openssl (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Running "openssl s_client", I'm getting some websites (www.tm3.com, ws.myfax.com) that cause requests to hang. I compiled openssl-1.0.1k and it seems to be working now. Is there a more correct fix other than compiling the newest openssl?


These are my test cases and the final solution

user@test0:~$ uname -a
Linux test0 3.11.0-26-generic #45-Ubuntu SMP Tue Jul 15 04:02:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test0:~$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Fri Jun 20 18:52:46 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
user@test0:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:SSLv3 read server hello A
(truncated)
    Verify return code: 0 (ok)

user@test1:~$ uname -a
Linux test1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test1:~$ lsb_release -a | grep Code
Codename: saucy
user@test1:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state
(hangs)
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state -ssl3
(hangs)
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state -tls1
(hangs)

user@test2:~$ uname -a
Linux test2 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test2:~$ lsb_release -a | grep Code
Codename: trusty
user@test2:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jan 9 17:52:48 UTC 2015
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA25...


Seth Arnold (seth-arnold) wrote:

There are significant problems with the configurations of both sites:

https://www.ssllabs.com/ssltest/analyze.html?d=tm3.com
https://www.ssllabs.com/ssltest/analyze.html?d=ws.myfax.com

That said, I was able to establish a connection to both sites by manually requesting SSL3 on the command line:

The following commands worked fine for me on my 14.04 LTS machine:

openssl s_client -ssl3 -verify 10 -CApath /etc/ssl/certs/ -connect ws.myfax.com:443
openssl s_client -ssl3 -verify 10 -CApath /etc/ssl/certs/ -connect www.tm3.com:443

Thanks

Is there a way to get openssl to negotiate the correct cipher suite? Maybe a retry option? I have squid3 inspecting ssl traffic and it's hanging on these sites. Or would retrying be something that should be implemented in squid3?
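A diagnostic for hosts like the two above, added here as an example and not part of the bug report or of OpenSSL itself: it forces each protocol version that s_client can request, with a timeout, so that a hang (the symptom reported) is told apart from a refused handshake, and it flags version intolerance when a newer version hangs while an older one completes. It assumes coreutils `timeout` and an OpenSSL build whose s_client still accepts the -ssl3, -tls1, -tls1_1 and -tls1_2 flags.

```shell
#!/bin/sh
# Probe one host with each protocol version s_client can force and
# classify the outcome. Example code written for this report, not the
# project's own; assumes coreutils `timeout` and OpenSSL 1.0.1-era flags.

# classify_probe EXIT_CODE OUTPUT -> prints hang | ok | fail
# `timeout` exits 124 when it had to kill s_client, which is the hang case;
# a completed handshake prints the "SSL handshake has read ..." summary.
classify_probe() {
    code="$1"; out="$2"
    if [ "$code" -eq 124 ]; then
        echo hang
    elif printf '%s' "$out" | grep -q 'SSL handshake has read'; then
        echo ok
    else
        echo fail
    fi
}

# probe_tls_versions HOST [PORT] [TIMEOUT_SECONDS]
# Prints one "version result" line per forced version, newest first.
probe_tls_versions() {
    host="$1"; port="${2:-443}"; secs="${3:-10}"
    for ver in tls1_2 tls1_1 tls1 ssl3; do
        # stdin from /dev/null so s_client does not wait for input after the handshake
        out=$(timeout "$secs" openssl s_client -"$ver" -state -CApath /etc/ssl/certs \
              -connect "$host:$port" </dev/null 2>&1)
        echo "$ver $(classify_probe "$?" "$out")"
    done
}

# version_intolerant PROBE_OUTPUT -> exit 0 when some newer version hung
# while an older version still completed the handshake (the pattern in
# the report: TLS 1.2 ClientHello hangs, -ssl3 works).
version_intolerant() {
    printf '%s\n' "$1" | awk '
        $2 == "hang" { seen_hang = 1 }
        $2 == "ok" && seen_hang { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage: probe_tls_versions www.example.invalid 443 10
```

The script only reports; a client that silently retries at a lower version is the downgrade behaviour that TLS_FALLBACK_SCSV (RFC 7507) was introduced to let servers detect, and the lasting fix is on the server side.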
