On Tue, May 29, 2012 at 2:38 PM, Andreas Metzler <ametz...@downhill.at.eu.org> wrote:
> On 2012-05-29 John Jetmore <j...@pobox.com> wrote:
>> FWIW I haven't been able to reproduce this anywhere yet (on a stock
>> squeeze server, with newer and older versions of swaks, and with an
>> older mac os x server). I installed a copy of perl 5.14 and
>> Net::SSLeay 1.48 and couldn't reproduce it there either. I haven't
>> tried compiling a newer version of openssl yet, still using the
>> squeeze server's 0.9.8o.
> [...]
>
> I think you need a rather new OpenSSL to show the bug. - With openssl
> s_client (and GnuTLS) there are problems with this server if the
> client tries to use TLS1.1 or TLS1.2.
>
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674990#35

OK, I finally got an unstable server up (slow network connection) and I
can reproduce the bug in swaks. I don't know why the handshake isn't
happening properly (I don't think it's my problem) but lack of error
checking in swaks is the cause of the seg fault.

The funny thing is I refactored some TLS stuff for the next release and,
while doing so, added a bunch of error checking. If I test this server
with the latest swaks in SVN I get this instead of the segfault:

    -> STARTTLS
    <- 220 Go ahead
    *** TLS startup failed (error:00000000:lib(0):func(0):reason(0))
    *** STARTTLS attempted but failed
    -> QUIT

I'll spend some time seeing if I can get a more descriptive error, but I
think the basic part of the fix is already there.

I see what you are seeing regarding tls1 working but not tls1_1 or
tls1_2. I don't know enough to understand whether this is something I
need to address in swaks itself. I could probably force specific settings
similar to how s_client is working, but I've never had to get my hands
that dirty before. Any thoughts on whether this is a problem somewhere
else that I can ignore (other than preventing the segfault) or that I
should address somehow?

Thanks

--John
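
The kind of return-value checking discussed in the message above, as an added example (not swaks code and not from the thread): every Net::SSLeay call is checked before its result is used, and the failure message stays useful when OpenSSL's error queue is empty. The helper names start_tls and drain_errors are hypothetical, and the peer is a constructed local socketpair that hangs up during the handshake.

```perl
use strict;
use warnings;
use Socket;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Drain OpenSSL's error queue. ERR_get_error() returns 0 when the queue is
# empty, and formatting code 0 gives an all-zero "error:00000000..." string.
sub drain_errors {
    my @msgs;
    while (my $code = Net::SSLeay::ERR_get_error()) {
        push @msgs, Net::SSLeay::ERR_error_string($code);
    }
    return @msgs;
}

# Hypothetical helper: returns ($ssl, $ctx) on success, or
# (undef, undef, $reason) on failure, never handing back a null handle.
sub start_tls {
    my ($sock) = @_;
    my $ctx = Net::SSLeay::CTX_new()
        or return (undef, undef, join('; ', 'CTX_new failed', drain_errors()));
    my $ssl = Net::SSLeay::new($ctx);
    if (!$ssl) {
        my $why = join('; ', 'SSL new failed', drain_errors());
        Net::SSLeay::CTX_free($ctx);
        return (undef, undef, $why);
    }
    Net::SSLeay::set_fd($ssl, fileno($sock));
    my $ret = Net::SSLeay::connect($ssl);    # 1 means the handshake completed
    if ($ret != 1) {
        my $class = Net::SSLeay::get_error($ssl, $ret);    # SSL_ERROR_* value
        my @why = drain_errors();
        push @why, 'no queued OpenSSL error (closed during handshake?)' unless @why;
        Net::SSLeay::free($ssl);
        Net::SSLeay::CTX_free($ctx);
        return (undef, undef, "SSL_get_error=$class: " . join('; ', @why));
    }
    return ($ssl, $ctx);
}

# Constructed peer: one end of a socketpair that hangs up during the handshake.
socketpair(my $client, my $peer, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!";
shutdown($peer, 1);    # peer sends EOF, so the client's handshake read fails
my ($ssl, $ctx, $why) = start_tls($client);
print defined $ssl ? "TLS up\n" : "*** TLS startup failed ($why)\n";
```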