misc/176722: OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
Johannes Meixner
xmj at chaot.net
Thu Mar 7 07:40:01 UTC 2013
>Number: 176722
>Category: misc
>Synopsis: OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 07 07:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Johannes Meixner
>Release: 10.0-CURRENT
>Organization:
>Environment:
FreeBSD xmj.local 10.0-CURRENT FreeBSD 10.0-CURRENT #2 r247490M: Fri Mar 1 19:16:27 EET 2013 root at xmj.local:/usr/obj/usr/src/sys/xmj amd64
>Description:
Error first described by Pablo Almeida on
https://bugs.launchpad.net/openssl/+bug/965371/
--
when trying to `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443' OpenSSL 1.0.1e (11 Feb 13 from ports) doesn't fall back (as it does for 0.9.8x 10 May 2012) to TLS1
and, instead of showing certs, gives
CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
However, when forcing s_client to use -tls1, the result is as expected, returning the site's certificates.
Why doesn't openssl notice it can't use any other method but TLS1 -- and fall back to that one, as in previous versions?
>How-To-Repeat:
Run `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443' on OpenSSL 1.0.1e
versus
openssl s_client -showcerts -tls1 -connect coremis-cas.myocean.eu:443
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
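
Added example, not part of the original report: a shell helper that classifies `openssl s_client' transcripts like the one quoted in the Description and repeats the probe once per protocol flag, so the default ClientHello can be compared with a forced `-tls1' run. The function and variable names, the `-tls1_1' and `-tls1_2' flags in the default list, and the second sample transcript are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the report): triage `openssl s_client` handshakes.

# Classify an s_client transcript read on stdin:
#   ok            a cipher was negotiated
#   no-handshake  0 bytes read back, the symptom shown in this report
#   failed        bytes were exchanged but no cipher was agreed
classify_handshake() {
    awk '
        /^SSL handshake has read/ { seen = 1; nread = $5 + 0 }
        /Cipher is/ { cipher = ($0 ~ /Cipher is \(NONE\)/) ? "none" : "set" }
        END {
            if (cipher == "set")          print "ok"
            else if (seen && nread == 0)  print "no-handshake"
            else                          print "failed"
        }'
}

# Probe host:port with the default ClientHello, then once per protocol flag.
# Assumption: the local openssl build accepts every flag in the list.
probe_versions() {
    target=$1
    flags=${2:-"-tls1 -tls1_1 -tls1_2"}
    for flag in default $flags; do
        opt=$flag
        if [ "$flag" = default ]; then opt=; fi
        result=$(openssl s_client $opt -connect "$target" </dev/null 2>/dev/null |
                 classify_handshake)
        printf '%-9s %s\n' "$flag" "$result"
    done
}

# Transcript lines copied from the report (default ClientHello, 1.0.1e).
SAMPLE_REPORT='CONNECTED(00000004)
SSL handshake has read 0 bytes and written 319 bytes
New, (NONE), Cipher is (NONE)'

# Constructed transcript for a completed handshake (values are made up).
SAMPLE_OK='CONNECTED(00000004)
SSL handshake has read 3421 bytes and written 421 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA'

printf 'report transcript: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | classify_handshake)"
printf 'constructed ok:    %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)"
# Live use against the host from the report: probe_versions coremis-cas.myocean.eu:443
```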