Re: SSL appears to be broken in 8-STABLE/RELEASE

Hello Peter, and thank you for the reply.
On 2009-12-18 05:32:41PM -0800, Chris H wrote:

Greetings,
A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to
indicate that changes in SSL have made it virtually unusable. I've spent the
past 3 days attempting to (re)create an SSL enabled virtual host that serves
web based access to local mail. Since it's local, I'm using self-signed certs
following a scheme that has always worked flawlessly for the past 9 yrs.
However, now having installed 8,
it isn't working. The browser(s) throw "ssl_error_handshake_failure_alert"
(ff-3.56).
Other gecko based, and non-gecko based UA's throw similar, as well as
openssl's s_client. After immense research, the only thing I can find that
might best explain it is a recent SA patch applied to FreeBSD's src
(SA-09:15). After reading what the
patch provides. I am able to better understand the error messages thrown to
/var/messages when attempting to negotiate a secure session in a UA:


kernel: TCP: [web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags
0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
socket was closed, sending RST and removing tcpcb kernel: TCP:
[web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags
0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication,
segment rejected (probably spoofed) kernel: TCP: [web.server.host.IP]:52153 to
[web.server.host.IP]:443 tcpflags
0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
socket was closed, sending RST and removing tcpcb kernel: TCP:
[web.server.host.IP]:52153 to [web.server.host.IP]:443 tcpflags
0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication,
segment rejected (probably spoofed) kernel: TCP: [web.server.host.IP]:60382 to
[web.server.host.IP]:443 tcpflags
0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after
socket was closed, sending RST and removing tcpcb kernel: TCP:
[web.server.host.IP]:60382 to [web.server.host.IP]:443 tcpflags
0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication,
segment rejected (probably spoofed)

So, if I understand things correctly. The patch prevents (re)negotiation.
Making
the likelihood of a successful "handshake" near null (as the log messages
above show). I'm sure that some may be quick to point the finger at the
self-signed cert being more likely the cause, I should add that while in fact
quite unlikely, I too didn't completely rule that out. So I purchased one from
startssl - money wasted. The results were the same. So it would appear that
until something else is done to overcome the hole in current openssl, my only
recourse is to back the patch out, and rebuild openssl && all affected ports -
no?
On Fri, December 18, 2009 8:43 pm, Peter C. Lai wrote:
This might have something to do with a libthr discussion I was CCed on.
Someone mentioned something about removing a link to libthr in openssl
but I can't remember if this was in the port or base openssl...

Please pardon the pun; but was that /thread/ on _this_ list? Or, did you
mean that you were CC's from a different list? If a different list, which
one?

Thank you again for taking the time to respond.

--Chris H

Thank you for all your time and consideration in this matter.


--Chris H



_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"


--
===========================================================
Peter C. Lai | Bard College at Simon's Rock
Systems Administrator | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu | (413) 528-7428
===========================================================


_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"




_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: SSL appears to be broken in 8-STABLE/RELEASE
    ... A recent install of 8 seems to indicate ... that changes in SSL have made it virtually unusable. ... it is a recent SA patch applied to FreeBSD's src. ... server-wide SSLVerifyClient (instead of per-location ones ...
    (freebsd-stable)
  • SSL appears to be broken in 8-STABLE/RELEASE
    ... A recent install of 8 seems to indicate ... that changes in SSL have made it virtually unusable. ... it is a recent SA patch applied to FreeBSD's src. ... sending RST and removing tcpcb ...
    (freebsd-stable)
  • Re: SSL appears to be broken in 8-STABLE/RELEASE
    ... A recent install of 8 ... I've spent the past 3 days attempting to create an SSL ... After reading what the patch provides. ... Custom programming, network design, systems and network consulting services ...
    (freebsd-stable)
  • SSL Stops Working
    ... experiencing the same exact problems as you guys. ... windows 2000 sp3 and have not yet installed ms04-11 patch ... i am going to install the patch and see what ... servicing SSL ...
    (microsoft.public.inetserver.iis.security)
  • Re: Office 2003 Updates error - ouerror.gif (0/1)
    ... it would not let me install ... attempting to install any of the individual, downloaded patch EXE?s? ... No valid sequence could be found for the set of patches. ... Office Professional Edition 2003 Version 11.0.6361.0: ...
    (microsoft.public.officeupdate)