[Bug 986147] Re: openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers
Thomas Bushnell, BSG
986147 at bugs.launchpad.net
Mon Apr 23 19:07:51 UTC 2012
One of our engineers says this:
FWIW, looking at the code, the problematic chunk, added to ssl/s23_clnt.c by tls12_workarounds.patch, was
@@ -467,6 +469,15 @@
SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
return -1;
}
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+ /* Some servers hang if client hello > 256 bytes
+ * as hack workaround chop number of supported ciphers
+ * to keep it well below this if we use TLS v1.2
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION
+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
s2n(i,p);
p+=i;
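Review bot: the clamp on `i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH` limits `i`, the value that goes into `s2n(i,p)` and `p+=i`, so the constant is a byte length, while the comment above it speaks of the "number of supported ciphers". Please state the unit in the comment (or in the macro name) so the constant is not set to half of what is meant. The cut is also silent and comes after the SSL_R_NO_CIPHERS_AVAILABLE check has passed, so whatever sits at the tail of the list is dropped with no error; a note on which suites are expected to survive, or a way to see that the list was shortened, would help. It is also worth confirming that `TLS1_get_version(s)` is the right version to test at this point in the client hello.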
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is defined to 50, and is actually the
number of bytes to use for the cipher list in the handshake, not the
number of ciphers. Each cipher uses 2 bytes, so we actually get only 25
ciphers.
And somebody that knows openssl might want to double-check that call to
TLS1_get_version(s) - right before this chunk, there's a call to the
function that actually adds the ciphers to the handshake buffer
(ssl_cipher_list_to_bytes). That function compares the return value of
TLS1_get_client_version(s) with TLS1_2_VERSION and then decides to skip
the TLS1.2-only ciphers, which puts RC4-SHA among the first 50.
Either changing OPENSSL_MAX_TLS1_2_CIPHER_LENGTH to 100 (which actually
means 50 ciphers) or changing the TLS1_get_version(s) to
TLS1_get_client_version(s) fixes things, though I have no idea what this
last change means.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/986147
Title:
openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
in version 1.0.1-4ubuntu2, we see:
openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low
* Backport more upstream patches to work around TLS 1.2 failures
(LP #965371):
...
- Truncate the number of ciphers sent in the client hello to 50. Most
broken servers should now work.
...
-- Colin Watson <cjwatson at ubuntu.com> Wed, 18 Apr 2012 15:03:56
+0100
We have a server which offers a very small number of ciphers. When
this change hit, suddenly our hosts could no longer contact this
server, getting the error:
$ openssl s_client -connect HOSTNAME:9140
CONNECTED(00000003)
139736292189856:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724:
The problem here was tracked down to a failure to find a matching
cipher. If we specify -cipher RC4-SHA (the only one essentially which
the server permits) or -ssl3, the connection succeeds.
The problem is this truncation of the number of ciphers sent. RC4-SHA
shows up at something like #74 on our list, so it is getting
truncated. When we specify exactly the cipher to use, of course it
works, and if we say -ssl3, then that also reduces the number which
would be sent, and now RC4-SHA is in the top fifty again.
This is a pretty disastrous change, in fact; it means that openssl
basically now supports only fifty ciphers at a time, and then an
essentially random and unpredictable set. Not only does this mean a
loss of functionality, it could be a loss in security if clients get
pushed to less secure ciphers because the more secure ones happened to
be after number fifty in the list.
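The byte-versus-cipher arithmetic discussed above, as an added example that is not part of the original message or of the OpenSSL source. The function names and the placeholder suite list are constructed for illustration; 0x0005 is the TLS suite ID of RC4-SHA, and the clamp is modelled with the TLS 1.2 condition assumed true.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Serialize suite IDs as 2-byte big-endian entries; returns bytes written. */
static size_t suites_to_bytes(const uint16_t *ids, size_t n, unsigned char *out)
{
    for (size_t k = 0; k < n; k++) {
        out[2 * k]     = (unsigned char)(ids[k] >> 8);
        out[2 * k + 1] = (unsigned char)(ids[k] & 0xff);
    }
    return 2 * n;
}

/* Model of the quoted clamp (TLS 1.2 branch assumed taken): limit is in bytes. */
static size_t clamp_len(size_t i, size_t max_bytes)
{
    return (i > max_bytes) ? (max_bytes & ~(size_t)1) : i;
}

/* 1-based position of `want` among the suites actually sent, 0 if cut off. */
static size_t sent_position(const unsigned char *buf, size_t len, uint16_t want)
{
    for (size_t off = 0; off + 1 < len; off += 2)
        if ((uint16_t)((buf[off] << 8) | buf[off + 1]) == want)
            return off / 2 + 1;
    return 0;
}

/* Constructed list of n placeholder suites (n <= 256) with `want` placed at
 * 1-based position pos; returns where it ends up after the clamp, or 0. */
static size_t survives(size_t n, size_t pos, uint16_t want, size_t max_bytes)
{
    uint16_t ids[256];
    unsigned char buf[512];
    for (size_t k = 0; k < n; k++)
        ids[k] = (uint16_t)(0xff00 + k);   /* constructed placeholder IDs */
    ids[pos - 1] = want;
    size_t len = clamp_len(suites_to_bytes(ids, n, buf), max_bytes);
    return sent_position(buf, len, want);
}

int main(void)
{
    const uint16_t rc4_sha = 0x0005;       /* TLS_RSA_WITH_RC4_128_SHA */
    printf("limit 50 bytes, suite at #74: %zu\n", survives(80, 74, rc4_sha, 50));
    printf("limit 50 bytes, suite at #25: %zu\n", survives(80, 25, rc4_sha, 50));
    return 0;
}
```

A result of 0 means the suite never reaches the server, which is the handshake failure described in the bug.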