[Pkg-openssl-devel] Bug#665452: Bug#665452: openssl: 'upgrade' also breaks https://www.paypal.com

Kurt Roeckx kurt at roeckx.be
Tue Mar 27 19:39:50 UTC 2012


On Tue, Mar 27, 2012 at 10:42:18AM +0200, Louis-David Mitterrand wrote:
> Package: openssl
> Version: 1.0.1-2
> Followup-For: Bug #665452
> 
> I can no longer contact paypal on its ssl port with that 'upgrade' with
> perl, wget, w3m, etc. (all clients using openssl).

This seems to be a different issue that has the same effect.

> Going back to 1.0.0h fixes it.
> 
> Dear Maintainer,
> *** Please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>    * What was the outcome of this action?
>    * What outcome did you expect instead?
> 
> *** End of the template - remove these lines ***

Why are you asking me those questions?

Anyway, there seem to be 3 different problems:
- Servers that report BigIP as server.  They don't reply to
  ClientHello requests that are bigger than 255 bytes.  Examples
  include sourceforge.net and owa.mit.edu.
- Servers that don't tolerate version numbers they don't support
  while they are supposed to negotiate a lower version.  Examples
  include boekhuis.nl.
- paypal, where it currently isn't clear what the problem really is;
  it seems to support TLS1.2, but reacts weird to 1.1.

All problems can be worked around by disabling the TLS
1.1 and 1.2 protocols.

The first can also be worked around by disabling ciphersuites that
are sent, so you get a smaller ClientHello.  It can also be triggered
by the 1.0.0h version by adding extra options like -servername.

Due to a bug fixed upstream disabling TLS 1.1 and 1.2 might
currently not fix the first issue, but that should get fixed
in the next version.

In any case you should contact affected sites or vendors about
this issue, else we're never going to get those protocols
deployed.


Kurt
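To make the first two problems concrete, here is an added example (my own, not code from the bug report or from OpenSSL) that builds a ClientHello byte for byte, reads back its size, and models a BigIP-style server that ignores anything over 255 bytes next to a version-intolerant one that fails instead of negotiating down. The suite lists, the host name and the reading of "bigger than 255 bytes" as the record's handshake payload length are assumptions.

```python
import os
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303

def sni(hostname):
    """server_name extension (type 0) with one host_name entry, what -servername adds."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    payload = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(payload)) + payload

def build_client_hello(version, suites, extensions=(), client_random=None):
    """Return a full record: 5-byte record header + ClientHello handshake message."""
    client_random = client_random or os.urandom(32)
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                          # compression methods: null only
    if extensions:
        ext = b"".join(extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # record-layer version stays TLS 1.0 so old servers can still parse the header
    return struct.pack("!BHH", 0x16, TLS10, len(handshake)) + handshake

def payload_length(hello):
    """Record header length field, i.e. the size of the ClientHello message."""
    return struct.unpack("!H", hello[3:5])[0]

def simulate_server(hello, server_max, version_intolerant=False, bigip=False):
    """Model the report's two server bugs (assumed behaviour). Returns the
    negotiated version, or None when the server would not answer at all."""
    if bigip and payload_length(hello) > 255:
        return None                                 # BigIP: silence on a long hello
    client_max = struct.unpack("!H", hello[9:11])[0]   # client_version in the body
    if version_intolerant and client_max > server_max:
        return None                                 # should pick server_max, fails instead
    return min(client_max, server_max)

# Constructed suite lists: 13 real pre-TLS1.2 suite IDs, and 100 placeholder IDs
# standing in for the much longer default list that 1.0.1 offers.
LEGACY = [0xC014, 0xC00A, 0x0039, 0x0038, 0x0035, 0xC013, 0xC009, 0x0033,
          0x0032, 0x002F, 0x000A, 0x0005, 0x0004]
MANY = list(range(0xC000, 0xC000 + 100))

if __name__ == "__main__":
    for hello in (build_client_hello(TLS12, MANY), build_client_hello(TLS12, MANY, [sni("owa.mit.edu")])):
        print(payload_length(hello), "bytes -> BigIP negotiates:", simulate_server(hello, TLS12, bigip=True))
```

Run stand-alone, the long list alone stays at 243 bytes and is answered, while adding -servername for owa.mit.edu pushes it to 265 bytes and the modelled BigIP goes silent, matching the observation that extra options trigger the first problem even on 1.0.0h.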
