#1037 SSL23_GET_SERVER_HELLO when connecting to OpenSSL 1.0.0

closed
https (67)
5
2015-01-06
2011-08-21
Jan-E
No

Same behaviour as in the closed bug 3165773.

Additional info: fails when connecting to https://www.domain.tld, but connects correctly to https://domain.tld

E:\utils>curl --version
curl 7.19.4 (i386-pc-win32) libcurl/7.19.4 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.11 libssh2/1.0
Protocols: tftp ftp telnet dict ldap http file https ftps scp sftp
Features: IDN Largefile NTLM SSL SSPI libz

E:\utils>curl -k -I https://sessionportal.net/
HTTP/1.1 200 OK
Date: Sat, 20 Aug 2011 23:59:23 GMT
Server: Apache/2.2.19 (Win32) DAV/2 mod_fcgid/2.3.6 mod_ssl/2.2.19 OpenSSL/1.0.0d PHP/5.3.6
[snip]

E:\utils>curl -k -I https://www.sessionportal.net/
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2011-11-29

    So far we've not seen anyone provide any actual fix, so discussing which fix is the best seems a bit premature...

     
  • Daniel Stenberg

    Daniel Stenberg - 2012-04-01
    • status: open --> pending
     
  • Daniel Stenberg

    Daniel Stenberg - 2012-04-01

    I still consider this to be an OpenSSL problem and nobody seems to work on it anyway. Setting this to pending now and will close later unless someone comes up with something convincing for me to keep it here.

     
  • Daniel Stenberg

    Daniel Stenberg - 2012-05-06
    • status: pending --> closed
     
  • mancha

    mancha - 2013-05-03

    Hello. The analysis above is correct - it is due to how OpenSSL 0.9.8 handles (mishandles) warning-level alerts in SSL23 mode.

    I submitted a fix to OpenSSL for their review which you can track here.
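
Added example, not part of the thread and not code from curl, OpenSSL or mancha's patch: it unpacks the error code from the curl output above (pre-3.0 OpenSSL ERR_PACK layout, with received alert N reported as reason 1000 + N) and classifies a TLS alert record by level, which is the warning-versus-fatal distinction the comment refers to. The function names are hypothetical and the sample record is constructed; reason 1112 corresponds to alert 112, unrecognized_name in RFC 6066.

```python
import struct

SSL_AD_REASON_OFFSET = 1000   # OpenSSL reports a received alert N as reason 1000 + N
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure",
               112: "unrecognized_name"}   # small subset, enough for this ticket


def unpack_openssl_error(code):
    """Split a pre-3.0 OpenSSL error code (ERR_PACK layout) into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def alert_from_reason(reason):
    """Return the TLS alert number behind an SSL reason code, or None if it is not one."""
    number = reason - SSL_AD_REASON_OFFSET
    return number if 0 <= number <= 255 else None


def parse_alert_record(record):
    """Parse a plaintext TLS alert record: type(1) version(2) length(2) level(1) desc(1)."""
    if len(record) != 7:
        raise ValueError("expected a 7-byte plaintext alert record")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, "unknown"), ALERT_NAMES.get(desc, str(desc))


def must_abort_handshake(level):
    """Only a warning-level alert lets the client keep reading handshake records."""
    return level != "warning"


# Constructed sample (not a capture from the servers in this ticket):
# alert record, version 3.1, length 2, level 1 (warning), description 112.
SAMPLE_RECORD = bytes.fromhex("15030100020170")

if __name__ == "__main__":
    lib, func, reason = unpack_openssl_error(0x14077458)   # code from the curl output
    print(lib, func, reason, alert_from_reason(reason))
    level, name = parse_alert_record(SAMPLE_RECORD)
    print(level, name, "abort" if must_abort_handshake(level) else "continue")
```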

     
  • Jan-E

    Jan-E - 2013-05-03

    Old bugs will ever die. At last ;-)

     
  • Jan-E

    Jan-E - 2013-08-06

    @mancha: was this patch ever applied? Even with Apache 2.4.6 VC11, OpenSSL 1.0.1e (from Apachelounge) I am running into the same problems.

    Edit: I now see it is a patch for OpenSSL 0.9.8 = the client (which I did not upgrade yet). Time to do that now...

    OK, recompiled OpenSSL 0.9.8 and I can confirm your patch solves the problem. I applied your patch against OpenSSL 0.9.8r because I've still got some Apaches with that version.

    S:\utils>curl --version
    curl 7.31.0 (i386-pc-win32) libcurl/7.31.0 OpenSSL/0.9.8r zlib/1.2.8 libssh2/1.4.3

    S:\utils>curl -k -I https://adapt.sessionportal.net/
    HTTP/1.1 200 OK
    Date: Tue, 06 Aug 2013 20:13:13 GMT
    Server: Apache/2.4.4 (Win32) PHP/5.4.13 mod_fcgid/2.3.7 OpenSSL/1.0.1e
    X-Powered-By: PHP/5.3.27

     
    Last edit: Jan-E 2013-08-06
    • mancha

      mancha - 2013-08-13

      @Jan-E

      Hi. I'm glad my patch worked for you against 0.9.8r. FYI, I have
      been using it on 0.9.8y systems for several months now without any
      issues.

      As far as upstream, I've sent a follow-up email to the openssl
      dev mailing list but have not received any response. 0.9.8 might
      just be very low on their priority list. I'll let you know if I
      hear anything.

      --mancha

       