Package: openssl
Version: 1.0.1c-3
Severity: normal

Originally I was trying to do this:

$ python
>>> import urllib2
>>> urllib2.urlopen("https://myrta.com/regcheck/pages/content/enterVehicleDetails.jsf")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 400, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 418, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 378, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1215, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1177, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac>

Tracing it back, I see python2.7 uses /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0, so I tried this, which fails with the same error:

$ openssl s_client -connect myrta.com:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-ser...@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
140092995372712:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:480:
---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
---
Server certificate
subject=/C=AU/ST=New South Wales/L=Sydney/O=Roads & Traffic Authority of New South Wales/OU=RTA/CN=myrta.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4064 bytes and written 205 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 000039B7D44355DBF50A59F8A4F5049402D0B048585858584FE2863E000009E7
    Session-ID-ctx:
    Master-Key: 4C860E68617462AB0D15E06B1637A46640A2C3D61F802ECC714191A897DDCF46C6DB37F9089E623C9181FD246BE8455E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1340245567
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
$

Iceweasel on the same box has no trouble with the URL given to python.

On a squeeze amd64 box on the same LAN, executing the above statements doesn't return any errors.

This has only happened with myrta.com. https://www.google.com/ for example works.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-33
ii  libssl1.0.0  1.0.1c-3
ii  zlib1g       1:1.2.7.dfsg-11+b1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20120212

-- no debconf information