control: clone -1 -2
control: reassign -2 libio-socket-ssl-perl 2.056-1
control: severity -2 normal
control: tags -2 patch
On 2018-02-27 21:52:23 [+0800], 積丹尼 Dan Jacobson wrote:
> Here is all you need to reproduce it:
>
> $ mech-dump https://mbasic.facebook.com/
> POST
> https://mbasic.facebook.com/login.php?refsrc=https%3A%2F%2Fmbasic.facebook.com%2F&lwv=100&refid=8
>
> Now upgrade libssl1.1:amd64 1.1.0g-2 1.1.1~~pre1-1
>
> $ mech-dump https://mbasic.facebook.com/
> Error GETing https://mbasic.facebook.com/: Can't connect to
> mbasic.facebook.com:443 (SSL connect attempt failed error:141A90B5:SSL
> routines:ssl_cipher_list_to_bytes:no ciphers available) at /usr/bin/mech-dump
> line 68.
> $ dlocate mech-dump
> libwww-mechanize-perl: /usr/bin/mech-dump
Thank you. This was helpfull.
The problem is that libio-socket-ssl-perl has a predefined cipher list
which does not include any TLS1.3 cipher (yes, it has its own). The
patch attached adds TLS1.3 cipher which means that it is possible to
negotiate a TLS1.3 connection if the remote side supports it.
I cloned the bug and hope that openssl falls back to TLS1.2 only
connection if the ciphers are missing especially if the remote side does
not support 1.3. Lets see about that…
Sebastian
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index ac56aaad4035..8544811d16d6 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -149,6 +149,11 @@ my %DEFAULT_SSL_CLIENT_ARGS = (
SSL_cipher_list => join(" ",
+ 'TLS13-CHACHA20-POLY1305-SHA256',
+ 'TLS13-AES-256-GCM-SHA384',
+ 'TLS13-AES-128-GCM-SHA256',
+ 'TLS13-AES-128-CCM-8-SHA256',
+ 'TLS13-AES-128-CCM-SHA256',
# SSLabs report for Chrome 48/OSX.
# This also includes the fewer ciphers Firefox uses.
'ECDHE-ECDSA-AES128-GCM-SHA256',
