kern/155160: [aesni] AES-NI breaks OpenSSL client calls

Hans Duedal hd at onlinecity.dk
Wed Mar 2 11:30:11 UTC 2011 

The following reply was made to PR kern/155160; it has been noted by GNATS.

From: Hans Duedal <hd at onlinecity.dk>
To: bug-followup at FreeBSD.org, Hans Duedal <hd at onlinecity.dk>
Cc:  
Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Date: Wed, 2 Mar 2011 11:53:32 +0100

 --0016368321b259b945049d7db93e
 Content-Type: text/plain; charset=ISO-8859-1
 
 I should note that the issue does not affect the openssl s_client test
 command.
 
 db3# openssl s_client -quiet -state -CAfile
 /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL_connect:SSLv3 read server hello A
 depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
 Authority
 verify return:1
 depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
 Certification Authority - G5
 verify return:1
 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
 https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation
 SSL CA
 verify return:1
 depth=0
 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
 Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San
 Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter
  Operations
 verify return:1
 SSL_connect:SSLv3 read server certificate A
 SSL_connect:SSLv3 read server done A
 SSL_connect:SSLv3 write client key exchange A
 SSL_connect:SSLv3 write change cipher spec A
 SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3 flush data
 SSL_connect:SSLv3 read finished A
 aaaa
 Status: 500 Internal Server Error
 Content-Type: text/html
 
 <html><body><h1>500 Internal Server Error</h1></body></html>SSL3 alert
 read:warning:close notify
 SSL3 alert write:warning:close notify
 
 Used the ca-root from security/ca_root_nss package to avoid verify issues.
 
 As you can see from my original report, cURL is affected, and so is puppet
 which is ruby based, but I assume that many more clients are affected.
 
 --0016368321b259b945049d7db93e
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 I should note that the issue does not affect the openssl s_client test comm=
 and.
 <div><br></div><div><div>db3# openssl s_client -quiet -state -CAfile /usr/l=
 ocal/share/certs/ca-root-nss.crt -connect <a href=3D"http://twitter.com:443=
 ">twitter.com:443</a></div><div>SSL_connect:before/connect initialization</=
 div>
 <div>SSL_connect:SSLv2/v3 write client hello A</div><div>SSL_connect:SSLv3 =
 read server hello A</div><div>depth=3D3 /C=3DUS/O=3DVeriSign, Inc./OU=3DCla=
 ss 3 Public Primary Certification Authority</div><div>verify return:1</div>=
 <div>
 depth=3D2 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2=
 006 VeriSign, Inc. - For authorized use only/CN=3DVeriSign Class 3 Public P=
 rimary Certification Authority - G5</div><div>verify return:1</div><div>dep=
 th=3D1 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTerms of=
  use at <a href=3D"https://www.verisign.com/rpa">https://www.verisign.com/r=
 pa</a> (c)06/CN=3DVeriSign Class 3 Extended Validation SSL CA</div>
 <div>verify return:1</div><div>depth=3D0 /1.3.6.1.4.1.311.60.2.1.3=3DUS/1.3=
 .6.1.4.1.311.60.2.1.2=3DDelaware/businessCategory=3DPrivate Organization/se=
 rialNumber=3D4337446/C=3DUS/postalCode=3D94107/ST=3DCalifornia/L=3DSan Fran=
 cisco/street=3D795 Folsom St, Suite 600/O=3DTwitter, Inc./OU=3DTwitter =A0O=
 perations</div>
 <div>verify return:1</div><div>SSL_connect:SSLv3 read server certificate A<=
 /div><div>SSL_connect:SSLv3 read server done A</div><div>SSL_connect:SSLv3 =
 write client key exchange A</div><div>SSL_connect:SSLv3 write change cipher=
  spec A</div>
 <div>SSL_connect:SSLv3 write finished A</div><div>SSL_connect:SSLv3 flush d=
 ata</div><div>SSL_connect:SSLv3 read finished A</div><div>aaaa</div><div>St=
 atus: 500 Internal Server Error</div><div>Content-Type: text/html</div>
 <div><br></div><div>&lt;html&gt;&lt;body&gt;&lt;h1&gt;500 Internal Server E=
 rror&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;SSL3 alert read:warning:close noti=
 fy</div><div>SSL3 alert write:warning:close notify</div></div><div><br>
 </div><div>Used the ca-root from security/ca_root_nss package to avoid veri=
 fy issues.</div><div><br></div><div>As you can see from my original report,=
  cURL is affected, and so is puppet which is ruby based, but I assume that =
 many more clients are affected.=A0</div>
 
 --0016368321b259b945049d7db93e--

More information about the freebsd-bugs mailing list