Re: SSL problem/help

To: debian-user@lists.debian.org
Subject: Re: SSL problem/help
From: Markus Schönhaber <debian-user@list-post.mks-mail.de>
Date: Wed, 01 Aug 2012 15:59:54 +0200
Message-id: <[🔎] 5019365A.10002@list-post.mks-mail.de>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 5019217E.90203@venda.com>
References: <[🔎] 5019217E.90203@venda.com>

01.08.2012 14:30, Benjamin Martin:

> I am having trouble connecting to a https url from machine A but not 
> from machine B.
> 
> Both machines are on the same network, but machine A is debian-testing 
> and machine B is ubuntu 10.04. (both 64bit)

The important difference between the two machines is probably the
different versions of OpenSSL. Wheezy has OpenSSL 1.0.1 which introduces
new TLS protocols (TLS v1.1, v1.2).
The server seems to be unable to cope with those new protocols.

> It is a perl script that is doing the connecting (same script on both 
> machines), on machine A it was reporting:
>    "500 Can't connect to api.channeladvisor.com:443 "
>   ... but not failing at all on B
> 
> After doing some investigating, it seems the error message is abit 
> misleading, as I CAN connect to the host on port 443 .. some more 
> investigation shows that when I run this:
> 
>    openssl s_client -host api.channeladvisor.com -port 443
> 
> .. on machine B, I see nothing worrying and I can "GET /" the html page. 
> (it's a forbidden page, but it returns none the less)
> 
> .. but on machine A, I get the following error:
> 
>    write:errno=104
>    ---
>    no peer certificate available
> 
> After some more investigation I found that if I add "-cipher 3DES" to 
> the command so it becomes:
> 
>    openssl s_client -host api.channeladvisor.com -port 443 -cipher 3DES
> 
> It works! :)

As would adding -tls1 which sets the protocol to TLSv1 (which means v1.x
is not offered).

> So this leaves me with a few questions/concerns.
> 
> Why do I have to add the "-cipher" switch to get this to work?
> 
> I am guessing there is slight problem with the cert at 
> "api.channeladvisor.com" as not all https sites have this problem ... 
> with that in mind I guess "testing" has been updated with stricter SSL 
> processing.... or is this a bug?
> 
> If this is a bug I would like to report it
> .. or ...
> Does anyone know how to the "loosen" the SSL processing rules so the 
> cert at api.channeladvisor.com is deemed valid?

As said above, it's probably not a cert but a protocol issue.
I don't know how to tell Perl to not use specific TLS versions, sorry.

> I don't really know what I am doing but I can use google and the command 
> line.. so sorry if I missed any important detail or broke a list rule 
> somehow... i am just abit stuck :(

You have obviously tried to understand the problem, you have even come
up with a workaround, you have described pretty decently what exactly
you did - I don't see what else could be expected from you.

> PS. I have tried this on gentoo and centos and all seem to be ok .. just 
> "testing" seems to display this problem

I'd bet the Gentoo and CentOS systems you tried that on, come with an
OpenSSL version < 1.0.1.

-- 
Regards
  mks

Reply to:

Follow-Ups:
- Re: SSL problem/help
  - From: Benjamin Martin <benmartin@venda.com>

References:
- SSL problem/help
  - From: Benjamin Martin <benmartin@venda.com>

Prev by Date: Re: slow hibernate after upgrade
Next by Date: Re: Shockwave Flash
Previous by thread: SSL problem/help
Next by thread: Re: SSL problem/help
Index(es):
- Date
- Thread