[Pkg-openssl-devel] Bug#680137: irssi: Can't connect to SSL-enabled server after upgrading libssl

Clement Hermann (nodens) clement.hermann at free.fr
Fri Jan 11 14:10:32 UTC 2013


Hi,

With some more tests and some help from a friend, we made some progress.

It *does* work when adding -no_tls1_1 option to openssl s_client.

It works if the server allows renegotiation: I can connect to freenode.

It seems to be #665452 again, or a variant.

Anyway, that explains why it works in Ubuntu. The patch 
tls12_workarounds.patch (attached) works around it (but I'm not 
qualified to tell whether this is an acceptable solution or not).

The patch headers give some more information, I'll copy it here for 
readability of the report :

-----patch header-----
Description: Work around TLS 1.2 failures for some broken servers that
  "hang" if a client hello record length exceeds 255 bytes.
  .
     1. Set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. This will truncate
        the number of ciphers sent in the client hello.
     2. Set OPENSSL_NO_TLS1_2_CLIENT to disable TLS 1.2 client support
        entirely.
  
  Also, check TLS_get_client_version() rather than TLS1_get_versions() to avoid
  improper truncation of client hello cipher lists. This change has been
  forwarded upstream in rt #2881.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/965371
Bug-Debian: http://bugs.debian.org/665452
Bug: http://rt.openssl.org/Ticket/Display.html?id=2771
Bug: http://rt.openssl.org/Ticket/Display.html?id=2881
Forwarded: not-needed
Last-Update: 2012-10-04

-----End of patch header-----


Cheers.

-- 
Clement Hermann (nodens)
- "Fresh air? Isn't that in RL? Isn't that off-charter?"
Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/

Please find my public key on the public keyserver pgp.mit.edu.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls12_workarounds.patch
Type: text/x-patch
Size: 2333 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20130111/1916c42c/attachment.bin>
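The patch header above describes the failure in terms of ClientHello size: some servers stop responding when the TLS record body exceeds 255 bytes, and the workaround caps the number of cipher suites (OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) or drops TLS 1.2 client support altogether. The following is an added example, not code from the original report, from the attached patch, or from OpenSSL: it assembles a minimal TLS ClientHello by hand so the record length can be measured as a function of the cipher-suite count and of the TLS 1.2 signature_algorithms extension (which TLS 1.1 does not send, which is why -no_tls1_1 changes the picture). The cipher IDs, the signature/hash pairs, the host name "irc.example.net" and the random bytes are placeholders chosen for illustration; only their sizes matter here.

```python
import os
import struct

# Record body length above which the servers described in the patch header "hang".
BROKEN_SERVER_MAX_RECORD_BODY = 255


def build_extensions(server_name, n_sig_algs):
    """Return the raw extensions block: optional SNI, optional signature_algorithms,
    and an empty renegotiation_info (RFC 5746), which OpenSSL clients send."""
    exts = b""
    if server_name:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    if n_sig_algs:
        # TLS 1.2 only: hash/signature pairs. Values are placeholders; the count drives the size.
        pairs = b"".join(struct.pack("!BB", 4 + (i % 3), 1 + (i % 3)) for i in range(n_sig_algs))
        sa_list = struct.pack("!H", len(pairs)) + pairs
        exts += struct.pack("!HH", 0x000D, len(sa_list)) + sa_list
    exts += struct.pack("!HHB", 0xFF01, 1, 0)  # renegotiation_info, empty renegotiated_connection
    return exts


def build_client_hello(n_ciphers, server_name="irc.example.net", n_sig_algs=0,
                       version=(3, 3), random_bytes=None):
    """Build one TLS record carrying a ClientHello with n_ciphers cipher suites.
    Cipher suite IDs are placeholders (0xC000 + i); a real hello lists IANA values."""
    random_bytes = random_bytes or os.urandom(32)
    ciphers = b"".join(struct.pack("!H", 0xC000 + i) for i in range(n_ciphers))
    body = struct.pack("!BB", *version) + random_bytes   # client_version + random
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!H", len(ciphers)) + ciphers     # cipher_suites
    body += b"\x01\x00"                                   # one compression method: null
    exts = build_extensions(server_name, n_sig_algs)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def record_body_length(record):
    """Length field of the record header: the value the broken servers choke on."""
    return struct.unpack("!H", record[3:5])[0]


def max_ciphers_under_limit(limit=BROKEN_SERVER_MAX_RECORD_BODY, **kwargs):
    """Largest cipher-suite count whose ClientHello record body stays within `limit`.
    This is the quantity the patch's cipher-list truncation is trying to keep small."""
    n = 0
    while record_body_length(build_client_hello(n + 1, **kwargs)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    for n_sig in (0, 14):
        for n in (10, 50, 90):
            size = record_body_length(build_client_hello(n, n_sig_algs=n_sig))
            flag = "" if size <= BROKEN_SERVER_MAX_RECORD_BODY else "  <-- over 255"
            print(f"sig_algs={n_sig:2d} ciphers={n:3d} record body={size:3d}{flag}")
        print("max ciphers under limit:", max_ciphers_under_limit(n_sig_algs=n_sig))
```

Each cipher suite costs two bytes and the signature_algorithms extension another six plus two per pair, so whether a hello crosses 255 bytes depends on both; a real OpenSSL 1.0.1 hello also carries elliptic_curves, ec_point_formats and session-ticket extensions that this builder omits, so it crosses the limit with fewer suites than the numbers printed here. That is why the patch's cap of 50 suites, rather than the 90 this stripped-down hello would allow, is a reasonable margin, and why disabling TLS 1.2 (dropping signature_algorithms) also helps.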

