[Bug 986147] [NEW] openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers

Fri, 20 Apr 2012 04:45:38 -0700 

Public bug reported:

in version 1.0.1-4ubuntu2, we see:


openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low

  * Backport more upstream patches to work around TLS 1.2 failures
    (LP #965371):
...
    - Truncate the number of ciphers sent in the client hello to 50.  Most
      broken servers should now work.
 ...

 -- Colin Watson <cjwat...@ubuntu.com>  Wed, 18 Apr 2012 15:03:56 +0100

We have a server which offers a very small number of ciphers. When this
change hit, suddenly our hosts could no longer contact this server,
getting the error:


$ openssl s_client -connect HOSTNAME:9140 
CONNECTED(00000003) 
139736292189856:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:724: 

The problem here was tracked down to a failure to find a matching
cipher. If we specify -cipher RC4-SSH (the only one essentially which
the server permits) or -ssl3, the connection succeeds.

The problem is this truncation of the number of ciphers sent. RC4-SSH
shows up at something like #74 on our list, so it is getting truncated.
When we specify exactly the cipher to use, of course it works, and if we
say -ssl3, then that also reduces the number which would be sent, and
now RC4-SSH is in the top fifty again.

This is a pretty disastrous change, in fact; it means that openssl
basically now supports only fifty ciphers at a time, and then an
essentially random and unpredictable set. Not only does this mean a loss
of functionality, it could be a loss in security if clients get pushed
to less secure ciphers because the more secure ones happened to be after
number fifty in the list.

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/986147

Title:
  openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to