On Sun, Apr 07, 2013 at 12:44:22AM +0200, Kurt Roeckx wrote:
> On Sat, Apr 06, 2013 at 06:25:42PM -0400, John Morrissey wrote:
> > On Sat, Apr 06, 2013 at 09:07:50PM +0200, Kurt Roeckx wrote:
> > > On Sat, Apr 06, 2013 at 01:47:51PM -0400, John Morrissey wrote:
> > > > On Fri, Jan 11, 2013 at 03:10:32PM +0100, Clement Hermann (nodens)
> > > > wrote:
> > > > > With some more tests and some help from a friend, we made some
> > > > > progress.
> > > > >
> > > > > It *does* work when adding -no_tls1_1 option to openssl s_client.
> > > > >
> > > > > It works if the server allows renegotiation: I can connect to
> > > > > freenode.
> > > > >
> > > > > It seems to be #665452 again, or a variant.
> > > > >
> > > > > Anyway, that explains why it works in Ubuntu. The patch
> > > > > tls12_workarounds.patch (attached) works around it (but I'm not
> > > > > qualified to tell whether this is an acceptable solution or not).
> > > >
> > > > I noticed the same thing with ircd-hybrid (rebuilt per the package's
> > > > instructions to enable SSL support) after upgrading to wheezy recently.
> > > >
> > > > wheezy's irssi refused to connect to the ircd, which was running on the
> > > > local host and linked to the same version of OpenSSL:
> > > >
> > > > 140308295767720:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:
> > >
> > > Can you reproduce this problem with s_client trying to connect to
> > > the irc server?
> > >
> > > Looking at the hybrid source, it doesn't seem to contain any
> > > calls to something like OpenSSL_add_all_algorithms(). My
> > > guess would be that adding that call would fix the problem.
> >
> > Hm, I tried just now, but couldn't reproduce with s_client. However, the
> > issue was still reproducible with irssi+openssl 1.0.1e.
>
> I tried connecting with irssi to something and that gave me a
> working TLS 1.2 connection. I currently don't see irssi doing
> anything wrong.
>
> Do you have a public irc server I can try and connect to?

I dug into this a little more, and it turns out I *can't* reproduce it now,
even with 1.0.1e installed.

When I checked earlier today, I wasn't connecting to the ircd with the right
password. I have a super low reconns interval, so the initial connection
scrolled past, and subsequent connections failed with a handshake error. I'm
guessing that's due to irssi's misbehavior, since when I put gdb on the ircd,
it seemed to be working properly given the input irssi was sending.

I got the 'no shared ciphers' error above by modifying the ircd-hybrid source
to call ERR_print_errors_fp() in ssl_handshake(), so it was definitely a
problem at one point. I'm not sure why I can't reproduce now.

john
-- 
John Morrissey
j...@horde.net
www.horde.net/
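
The error-queue line quoted in the thread, taken apart field by field, as an added example that is not part of the original messages or of ircd-hybrid, irssi or OpenSSL. The struct and function names are hypothetical; the 8/12/12-bit code layout and the values 20 (SSL library) and 193 (SSL_R_NO_SHARED_CIPHER) are those of OpenSSL 1.0.x and are assumed to apply to the build that produced the log.

```c
#include <stdio.h>
#include <string.h>

/* One OpenSSL 1.0.x error-queue entry as ERR_print_errors_fp() prints it:
 * tid:error:CODE:library:function:reason:file:line:  (names are hypothetical) */
struct ossl_err {
    unsigned long code;        /* packed error code, hex in the log */
    int lib, func, reason;     /* fields unpacked from code */
    char lib_s[32], func_s[48], reason_s[64], file[32];
    int line;
};

/* Unpack the 1.0.x layout: 8-bit library, 12-bit function, 12-bit reason. */
static void unpack_code(struct ossl_err *e)
{
    e->lib    = (int)((e->code >> 24) & 0xffUL);
    e->func   = (int)((e->code >> 12) & 0xfffUL);
    e->reason = (int)(e->code & 0xfffUL);
}

/* Parse one log line; returns 0 on success, -1 if it is not an error entry. */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    memset(e, 0, sizeof *e);
    /* The leading thread id is skipped; six fields are stored. */
    if (sscanf(s, "%*[0-9]:error:%lx:%31[^:]:%47[^:]:%63[^:]:%31[^:]:%d:",
               &e->code, e->lib_s, e->func_s, e->reason_s,
               e->file, &e->line) != 6)
        return -1;
    unpack_code(e);
    return 0;
}

/* True for the server-side "no shared cipher" handshake failure. */
int is_no_shared_cipher(const struct ossl_err *e)
{
    return e->lib == 20 && e->reason == 193;
}

int main(void)
{
    /* The line quoted in the thread, joined back onto one line. */
    const char *line = "140308295767720:error:1408A0C1:SSL routines:"
                       "SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1355:";
    struct ossl_err e;
    if (parse_ossl_err(line, &e) != 0)
        return 1;
    printf("lib=%d func=%d reason=%d (%s) at %s:%d\n",
           e.lib, e.func, e.reason, e.reason_s, e.file, e.line);
    return is_no_shared_cipher(&e) ? 0 : 1;
}
```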