kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Hans Duedal
hd at onlinecity.dk
Wed Mar 2 11:30:11 UTC 2011
The following reply was made to PR kern/155160; it has been noted by GNATS.
From: Hans Duedal <hd at onlinecity.dk>
To: bug-followup at FreeBSD.org, Hans Duedal <hd at onlinecity.dk>
Cc:
Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Date: Wed, 2 Mar 2011 11:53:32 +0100
--0016368321b259b945049d7db93e
Content-Type: text/plain; charset=ISO-8859-1
I should note that the issue does not affect the openssl s_client test
command.
db3# openssl s_client -quiet -state -CAfile
/usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation
SSL CA
verify return:1
depth=0
/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San
Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter
Operations
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
aaaa
Status: 500 Internal Server Error
Content-Type: text/html
<html><body><h1>500 Internal Server Error</h1></body></html>SSL3 alert
read:warning:close notify
SSL3 alert write:warning:close notify
Used the ca-root from security/ca_root_nss package to avoid verify issues.
As you can see from my original report, cURL is affected, and so is puppet
which is ruby based, but I assume that many more clients are affected.
--0016368321b259b945049d7db93e
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I should note that the issue does not affect the openssl s_client test comm=
and.
<div><br></div><div><div>db3# openssl s_client -quiet -state -CAfile /usr/l=
ocal/share/certs/ca-root-nss.crt -connect <a href=3D"http://twitter.com:443=
">twitter.com:443</a></div><div>SSL_connect:before/connect initialization</=
div>
<div>SSL_connect:SSLv2/v3 write client hello A</div><div>SSL_connect:SSLv3 =
read server hello A</div><div>depth=3D3 /C=3DUS/O=3DVeriSign, Inc./OU=3DCla=
ss 3 Public Primary Certification Authority</div><div>verify return:1</div>=
<div>
depth=3D2 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2=
006 VeriSign, Inc. - For authorized use only/CN=3DVeriSign Class 3 Public P=
rimary Certification Authority - G5</div><div>verify return:1</div><div>dep=
th=3D1 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTerms of=
use at <a href=3D"https://www.verisign.com/rpa">https://www.verisign.com/r=
pa</a> (c)06/CN=3DVeriSign Class 3 Extended Validation SSL CA</div>
<div>verify return:1</div><div>depth=3D0 /1.3.6.1.4.1.311.60.2.1.3=3DUS/1.3=
.6.1.4.1.311.60.2.1.2=3DDelaware/businessCategory=3DPrivate Organization/se=
rialNumber=3D4337446/C=3DUS/postalCode=3D94107/ST=3DCalifornia/L=3DSan Fran=
cisco/street=3D795 Folsom St, Suite 600/O=3DTwitter, Inc./OU=3DTwitter =A0O=
perations</div>
<div>verify return:1</div><div>SSL_connect:SSLv3 read server certificate A<=
/div><div>SSL_connect:SSLv3 read server done A</div><div>SSL_connect:SSLv3 =
write client key exchange A</div><div>SSL_connect:SSLv3 write change cipher=
spec A</div>
<div>SSL_connect:SSLv3 write finished A</div><div>SSL_connect:SSLv3 flush d=
ata</div><div>SSL_connect:SSLv3 read finished A</div><div>aaaa</div><div>St=
atus: 500 Internal Server Error</div><div>Content-Type: text/html</div>
<div><br></div><div><html><body><h1>500 Internal Server E=
rror</h1></body></html>SSL3 alert read:warning:close noti=
fy</div><div>SSL3 alert write:warning:close notify</div></div><div><br>
</div><div>Used the ca-root from security/ca_root_nss package to avoid veri=
fy issues.</div><div><br></div><div>As you can see from my original report,=
cURL is affected, and so is puppet which is ruby based, but I assume that =
many more clients are affected.=A0</div>
--0016368321b259b945049d7db93e--
More information about the freebsd-bugs
mailing list