[Bug 986147] Re: openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers

Colin Watson cjwatson at canonical.com
Tue Apr 24 11:27:20 UTC 2012


I do understand the severity, and I don't mean to minimise it; the
difficulty is that OpenSSL 1.0.1 has been problematic from the start,
and every change fixes some cases while breaking others.  Rolling back
all the way to 1.0.0, while perhaps the safest option in some cases, is
by now too invasive a change to attempt; rolling back libraries to
earlier ABIs is in general problematic once they've been widely
deployed.

It's not true that the buggy servers in question always failed.  These
were regressions and they were reported to me as such.  You can find the
details in bug 965371, its duplicates, and the linked Debian bug.

Every change that I have made in an attempt to fix it has been directly
backported from upstream CVS and/or recommended by upstream developers.
Here's the commit where they recommend 50:

  http://cvs.openssl.org/chngview?cn=22408

I haven't done the packet arithmetic in detail, but a quick capture here
against cs3-api.salesforce.com (one of the servers previously reported
as failing, though I haven't checked if it was for this reason) shows
that the client hello is currently 240 bytes.  If that's true across the
board, then we can only fit in eight more ciphers before exceeding 255
bytes, which isn't enough for you.

As such, I'm happier with the suggested workaround to use
TLS1_get_client_version than with tweaking the number.  The client version
is supposed to be what was sent
by the client in the hello, so in general I think I'd expect s->version
and s->client_version to be the same while *sending* the client hello,
but that's evidently not the case and I have a suspicion that the
version downgrades applied in the current set of backported workarounds
are only applied to s->client_version.  I'm going to try this in
-proposed and see how it goes; but this has been so delicate that I
really want to get as widespread testing as possible before promoting it
to general use.

https://bugs.launchpad.net/bugs/986147

Title:
  openssl 1.0.1-4ubuntu2 breaks a bunch of ciphers

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  in version 1.0.1-4ubuntu2, we see:

  
  openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low

    * Backport more upstream patches to work around TLS 1.2 failures
      (LP #965371):
  ...
      - Truncate the number of ciphers sent in the client hello to 50.  Most
        broken servers should now work.
   ...

   -- Colin Watson <cjwatson at ubuntu.com>  Wed, 18 Apr 2012 15:03:56 +0100

  We have a server which offers a very small number of ciphers. When
  this change hit, suddenly our hosts could no longer contact this
  server, getting the error:

  
  $ openssl s_client -connect HOSTNAME:9140 
  CONNECTED(00000003) 
  139736292189856:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:724: 

  The problem here was tracked down to a failure to find a matching
  cipher. If we specify -cipher RC4-SSH (the only one essentially which
  the server permits) or -ssl3, the connection succeeds.

  The problem is this truncation of the number of ciphers sent. RC4-SSH
  shows up at something like #74 on our list, so it is getting
  truncated. When we specify exactly the cipher to use, of course it
  works, and if we say -ssl3, then that also reduces the number which
  would be sent, and now RC4-SSH is in the top fifty again.

  This is a pretty disastrous change, in fact; it means that openssl
  basically now supports only fifty ciphers at a time, and then an
  essentially random and unpredictable set. Not only does this mean a
  loss of functionality, it could be a loss in security if clients get
  pushed to less secure ciphers because the more secure ones happened to
  be after number fifty in the list.
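
Added example (not part of the original message, the bug report, or OpenSSL's code): a Python illustration of the trade-off discussed above, measuring a ClientHello record and showing how a cap on offered suites can drop the only suite a server accepts. The suite ids are constructed placeholders, the hello carries no extensions (real ones are larger), and applying the 255-byte limit to the record payload length is an assumption.

```python
import struct

def build_client_hello(suites, version=(3, 3)):
    """Constructed ClientHello record: empty session id, null compression, no extensions."""
    body = bytes(version) + bytes(32)                   # client_version + random (zeros here)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # handshake record header

def parse_client_hello(record):
    """Return (record payload length, offered suite ids) after checking the framing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    ids = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    return rec_len, ids

def audit(offer, server_accepts, cap=50, limit=255):
    """Report what capping the offer does to record size and to negotiation."""
    rec_len, sent = parse_client_hello(build_client_hello(offer[:cap]))
    return {
        "record_len": rec_len,
        "room_for_more": max(0, (limit - rec_len) // 2),   # each suite id is 2 bytes
        "negotiable": [s for s in sent if s in server_accepts],
        "dropped_by_cap": [s for s in offer[cap:] if s in server_accepts],
    }

# Constructed sample: 80 placeholder suite ids; the server accepts only the 74th.
OFFER = list(range(0x0100, 0x0100 + 80))
SERVER_ACCEPTS = {OFFER[73]}

if __name__ == "__main__":
    print(audit(OFFER, SERVER_ACCEPTS))                      # capped at 50: nothing negotiable
    print(audit(OFFER, SERVER_ACCEPTS, cap=len(OFFER)))      # uncapped: suite is offered
```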
