Public bug reported: Upgrade of libssl1.0.0 Precise from version 1.0.1-4ubuntu5.5 to version 1.0.1-4ubuntu5.7 causes failure of negotiation by old clients.
I am running apache2 on servers with self-signed certs (I enclose one such). Before upgrade, I can do a 'curl -k' (insecure) and connect successfully whether or not the CN in the self-signed certificate matches the CN in the URL, and irrespective of the version of libssl running on the client (for this test I am using an IP address and a domain name mapping to that IP address).

Certs are generated with:

    openssl genrsa -out foo.key 1024
    openssl req -new -key foo.key -out foo.csr -subj "/C=XX/ST=Test/L=Test/O=Test/OU=Test/CN=${ENDPOINT}"
    openssl x509 -req -days 36500 -in foo.csr -signkey foo.key -out foo.crt

After the upgrade, all works fine from the host itself (i.e. curl to the IP address in the CN, or curl to a DNS name pointing to it but not in the CN), but connections from older clients report:

    Ximines:~ amb$ curl -vvvvvv -k "https://cp.dev2.flexiant.net:4443/?wsdl" ; echo ""
    * About to connect() to cp.dev2.flexiant.net port 4443 (#0)
    *   Trying 10.20.0.2... connected
    * Connected to cp.dev2.flexiant.net (10.20.0.2) port 4443 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
    * Closing connection #0
    curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

whereas

    $ curl -k "https://10.20.0.2:4443/?wsdl"

works fine.

This error is ONLY produced when connecting to a URL not matching the CN. If I connect to a URL that does match the CN it works fine (presumably it bails out earlier). If I force version 3 negotiation with the -3 option, it works fine. As the version of curl has not changed, I suspect libssl, though it's possible curl is not checking for all error conditions.
Self-signed cert that errors (private key is worthless so included too):

-----BEGIN CERTIFICATE-----
MIICMzCCAZwCCQCX1VMZB/s5ozANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJY
WDENMAsGA1UECAwEVGVzdDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDEN
MAsGA1UECwwEVGVzdDESMBAGA1UEAwwJMTAuMjAuMC4yMCAXDTEyMTEwMjExNTIz
N1oYDzIxMTIxMDA5MTE1MjM3WjBdMQswCQYDVQQGEwJYWDENMAsGA1UECAwEVGVz
dDENMAsGA1UEBwwEVGVzdDENMAsGA1UECgwEVGVzdDENMAsGA1UECwwEVGVzdDES
MBAGA1UEAwwJMTAuMjAuMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1
1b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88mZmRCLuw9eI9c3Ho/
2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8+3wOjw848FxJ+RZ1
H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAArf2LS6G3Mh21qrR0UiAc1ekFw3JQvjRG8MSl+nCX3eHjBk1PDvMYs0
Hfh6HVRCBcleQn7xMHxTXw7wNyaoFeI4hl+GYHwzJONcVVSq+1wfIuzPC0YY6uPi
jUOSgUdnWvbZje0W4VM3/437793wPtP+fUVwEAAOGT70tC65R3CI
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC11b1RegfDBSATwP7W5kxY6oB1dgBQDmxU9gOhGo06NEyUt88m
ZmRCLuw9eI9c3Ho/2P3DleB1HC+8buFn4b0+1c6Chk+gGifsX+3mHmVgjoeoxxk8
+3wOjw848FxJ+RZ1H/FHFPDSjQPfIg6jFPo5Wab4g7Depb/PoDOjgWQ+nQIDAQAB
AoGAJgWzuL3Tsav4sSjCIR23CUC/68/o8NSTQpDO4Xkz3t/gw5hL8LOoc05sh84V
7E0OIxu0tJk6fkKOmNB2wcoqUAbcFnyItvi76EirQ2nu7x7zBhVNhJuYBGvTegG9
ByN7+arc+jvRq1Y36c999SN0wYEZpMdIKKOLBO2RgYnmQ+ECQQDoKVd6aH3fOlAC
ufTLH9duOILjeshH+N/Zuedq1eSA7tBTl3pdbHBbtGmim78brjelhqMn1GWqF3Y1
qWgyIq3jAkEAyIGAEb8EUGT/qOfMdvH52PvQGfMn3ZHT7FTC2m2ScV8kJb6UgrCi
mw6ZYDgSbMhm6xA7ow3wxORq4+s9ChEJfwJASEtXak7Po4vNDoxJplcsBq6iU6QQ
ahkd2/cAEUy580xqox0whZcXBfeQTYqiYERIH8tlUynY3rafoOY4BCS4cQJAOcSl
43cHhSo0RrPSQwrgk1Wp1XArMjlLt7GMGmarZKKmxYEtRKIjl00Tf5doJ5Nto5gf
tpDTp8avzU7/XSEffQJBALupHWw2N+OZd1k2XVVp2AKaL1qRzna5xl6SfP9rIhme
LdZdCMkt4nSKJ1f0HGdIYnbUXm8zeffSnOlWwaeCLRg=
-----END RSA PRIVATE KEY-----

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1144408
Title: libssl upgrade causes failure from old clients
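As an added worked example (not part of the bug report above, and not from the OpenSSL or Ubuntu projects): the curl error 14077458 is a packed OpenSSL 1.0.x error code, and decoding it shows what the unnamed reason(1112) is. The field layout is ERR_PACK() from OpenSSL's err.h (library in the top 8 bits, function in the next 12, reason in the low 12), library 20 is ERR_LIB_SSL ("SSL routines"), and a reason of 1000 plus an alert number is OpenSSL's SSL_AD_REASON_OFFSET convention for "the peer sent this TLS alert". The alert names come from RFC 5246 and RFC 6066. The function number is left numeric here because the curl output already names it (SSL23_GET_SERVER_HELLO). The alert record at the bottom is constructed for illustration, not captured from the reporter's server.

```python
"""Decode a packed OpenSSL 1.0.x error code and the TLS alert it may encode.

Added example. Layout: ERR_PACK(l, f, r) = (l & 0xff) << 24 | (f & 0xfff) << 12 | (r & 0xfff)
(OpenSSL err.h); reasons >= SSL_AD_REASON_OFFSET (1000) in the SSL library mean a
TLS alert received from the peer, alert number = reason - 1000 (OpenSSL ssl.h).
"""

ERR_LIB_SSL = 20                # library 20 is printed by OpenSSL as "SSL routines"
SSL_AD_REASON_OFFSET = 1000     # reason >= 1000: peer sent TLS alert (reason - 1000)
TLS_CONTENT_TYPE_ALERT = 21     # record-layer content type for Alert messages
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alert descriptions from RFC 5246 section 7.2 plus the RFC 6066 / RFC 4279 additions.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
    111: "certificate_unobtainable", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 114: "bad_certificate_hash_value",
    115: "unknown_psk_identity",
}


def unpack_error(code):
    """Split an OpenSSL 1.0.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_error(hex_code):
    """Decode the hex code curl prints, e.g. '14077458'.

    When the library is SSL and the reason is >= 1000, the reason encodes a TLS
    alert received from the peer; the alert number is reason - 1000.
    """
    lib, func, reason = unpack_error(int(hex_code, 16))
    result = {"lib": lib, "func": func, "reason": reason, "alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["alert"] = alert
        result["alert_name"] = TLS_ALERTS.get(alert, "unknown_alert_%d" % alert)
    return result


def build_alert_record(level, description, version=(3, 1)):
    """Build the TLS record a peer sends for an alert (constructed sample data)."""
    body = bytes([level, description])
    header = bytes([TLS_CONTENT_TYPE_ALERT, version[0], version[1]])
    return header + len(body).to_bytes(2, "big") + body


def parse_alert_record(record):
    """Parse a TLS Alert record: type(1) version(2) length(2) level(1) description(1)."""
    if len(record) < 7 or record[0] != TLS_CONTENT_TYPE_ALERT:
        raise ValueError("not a TLS alert record")
    length = int.from_bytes(record[3:5], "big")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("malformed alert record length %d" % length)
    level, description = record[5], record[6]
    return {
        "version": (record[1], record[2]),
        "level": ALERT_LEVELS.get(level, "unknown_level_%d" % level),
        "description": description,
        "name": TLS_ALERTS.get(description, "unknown_alert_%d" % description),
    }


if __name__ == "__main__":
    # The code from the reporter's curl output.
    print(describe_error("14077458"))
    # A constructed warning-level unrecognized_name alert, the kind an SNI-aware
    # server may send when the ClientHello server_name matches no virtual host.
    rec = build_alert_record(1, 112)
    print(rec.hex(), parse_alert_record(rec))
```

Reason 1112 decodes to alert 112, unrecognized_name, the alert RFC 6066 defines for a server_name (SNI) value the server does not recognise; a client whose error table has that entry prints it by name instead of reason(1112). That is consistent with the report: the failure appears only when the URL hostname differs from the certificate's CN, and forcing SSLv3 with -3 sidesteps it because an SSLv3 ClientHello carries no SNI extension. Whether the server sends the alert at warning or fatal level determines whether a client is expected to abort, which is why the parser returns the level rather than only the description.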