SSL_connect:unknown state

Bug #1410989 reported by Circa Lucid
Affects            Status     Importance  Assigned to  Milestone
openssl (Ubuntu)   Won't Fix  Undecided   Unassigned

Bug Description

Running "openssl s_client", I'm getting some websites (www.tm3.com, ws.myfax.com) that cause requests to hang. I compiled openssl-1.0.1k and it seems to be working now. Is there a more correct fix other than compiling the newest openssl?

Tags: libssl openssl
Circa Lucid (1-launchpad-kitik1-com) wrote :

These are my test cases and the final solution

user@test0:~$ uname -a
Linux test0 3.11.0-26-generic #45-Ubuntu SMP Tue Jul 15 04:02:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test0:~$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Fri Jun 20 18:52:46 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
user@test0:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:SSLv3 read server hello A
(truncated)
    Verify return code: 0 (ok)

user@test1:~$ uname -a
Linux test1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test1:~$ lsb_release -a | grep Code
Codename: saucy
user@test1:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state
(hangs)
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state -ssl3
(hangs)
user@test1:~$ openssl s_client -CApath /etc/ssl/certs -connect www.tm3.com:443 -state -tls1
(hangs)

user@test2:~$ uname -a
Linux test2 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
user@test2:~$ lsb_release -a | grep Code
Codename: trusty
user@test2:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jan 9 17:52:48 UTC 2015
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA25...


Seth Arnold (seth-arnold) wrote :

There are significant problems with the configurations of both sites:

https://www.ssllabs.com/ssltest/analyze.html?d=tm3.com
https://www.ssllabs.com/ssltest/analyze.html?d=ws.myfax.com

That said, I was able to establish a connection to both sites by manually requesting SSL3 on the command line:

The following commands worked fine for me on my 14.04 LTS machine:

openssl s_client -ssl3 -verify 10 -CApath /etc/ssl/certs/ -connect ws.myfax.com:443
openssl s_client -ssl3 -verify 10 -CApath /etc/ssl/certs/ -connect www.tm3.com:443

Thanks
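The comment above works around the hang by pinning s_client to one protocol version with -ssl3. The script below generalises that probe: it sends a minimal, hand-built ClientHello for each of SSLv3, TLS 1.0, 1.1 and 1.2 over a plain socket with a timeout, and reports per version whether the server answered with a handshake record, an alert, a reset, or nothing at all (the "hang" case, which is what a version-intolerant server looks like on the wire). This is an added example written for this page, not code from the bug reporter, from Seth Arnold, or from the openssl package; the default host www.tm3.com is taken from the report, and the three RSA cipher suites offered are an assumption chosen so the hello needs no further extensions.

```python
import os
import socket
import struct

# Protocol versions as (major, minor) wire values.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

# Assumed cipher list: three RSA-key-exchange suites that need no extra
# extensions for a server to pick one (AES128-SHA, AES256-SHA, DES-CBC3-SHA).
DEFAULT_SUITES = (0x002F, 0x0035, 0x000A)

# Subset of TLS alert descriptions that matter when diagnosing handshake failures.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version, server_name=None, suites=DEFAULT_SUITES, client_random=None):
    """Return one TLS record carrying a minimal ClientHello for `version`.

    The SNI extension is attached only for TLS versions; SSLv3 has no extensions.
    A fixed `client_random` may be passed for deterministic testing.
    """
    major, minor = version
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")

    body = bytes([major, minor]) + client_random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    if server_name is not None and version >= (3, 1):
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        sni_data = struct.pack("!H", len(entry)) + entry           # server_name_list
        ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data # extension type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext

    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record layer advertises SSLv3 for an SSLv3 hello and TLS 1.0 otherwise.
    record_version = (3, 0) if version == (3, 0) else (3, 1)
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first bytes the server sent (b"" for silence) to a short verdict."""
    if not data:
        return "no response"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 3:
        return "handshake record, version %d.%d" % (data[1], data[2])
    if content_type == 0x15:
        if len(data) >= 7:
            desc = data[6]
            return "alert: %s (%d)" % (ALERT_DESCRIPTIONS.get(desc, "unknown"), desc)
        return "alert"
    return "unexpected content type 0x%02x" % content_type


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and report how the server reacted within `timeout` seconds."""
    hello = build_client_hello(version, server_name=host)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            data = sock.recv(7)   # record header (5) + alert level/description (2) is enough
    except socket.timeout:
        return "timeout: server never answered (version or ClientHello intolerance suspected)"
    except ConnectionResetError:
        return "connection reset"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.tm3.com"   # default taken from the report
    for name, ver in VERSIONS.items():
        print("%-8s %s" % (name, probe(host, 443, ver)))
```

Run it as `python3 probe.py ws.myfax.com`. A server that answers the SSLv3 hello but times out on the TLS 1.2 hello behaves exactly like the sites in this report: a full-featured client that opens with its highest version gets silence, while a client pinned to an older version completes the handshake. Because the script speaks to a raw socket rather than through libssl, it is unaffected by which OpenSSL build is installed on the machine.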

Circa Lucid (1-launchpad-kitik1-com) wrote :

Is there a way to get openssl to negotiate the correct cipher suite? Maybe a retry option? I have squid3 inspecting ssl traffic and it's hanging on these sites. Or would retrying be something that should be implemented in squid3?

Adrien Nader (adrien) wrote:

I tried to reproduce this but everything has changed: SSLv3 is completely unsupported, the websites connect successfully and their ssllabs report is not too bad (at least for tm3.com). I think this will be a WONTFIX for this bug because there is no more appropriate status.

Adrien Nader (adrien)
Changed in openssl (Ubuntu):
status: New → Won't Fix