[Bug 965371] Re: HTTPS requests fail on sites which immediately close the connection if TLS 1.1 negotiation is attempted, on Ubuntu 12.04
Neil Vergottini
965371 at bugs.launchpad.net
Thu Mar 28 15:24:55 UTC 2013
It appears now I've been bitten by this bug in Apache. I run a pair of
reverse proxy servers on 12.04 using Apache. I built these servers last
year and they were working fine up until last week when I ran a
dist-upgrade to update some packages (specifically apache2 and openssl) to
clear up some vulnerabilities identified in a PCI scan. Since then, one
of the reverse proxies is unable to connect to an internal WebLogic
server due to SSL errors. Using openssl s_client -connect fails, but
adding -tls1 works.
According to the Apache 2.2 documentation, I should be able to add
"SSLProxyProtocol All -SSLv2 -TLSv1.1 -TLSv1.2" to my reverse proxy
virtual server config, but it doesn't like the "-TLSv1.1 -TLSv1.2".
I've read that those options are only supported in Apache 2.4.
Now I'm basically stuck. It appears Ubuntu 12.04 has made a change in
openssl that is impossible to work around in the version of Apache
provided in Ubuntu 12.04. Downgrading openssl is not an option because
I specifically needed the current version to pass the PCI scan. I've
asked about updating the WebLogic server, but considering it is a
PeopleSoft server, I suspect that is going to be a challenge.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/965371
Title:
HTTPS requests fail on sites which immediately close the connection if
TLS 1.1 negotiation is attempted, on Ubuntu 12.04
Status in OpenSSL cryptography and SSL/TLS toolkit:
Confirmed
Status in “openssl” package in Ubuntu:
Fix Released
Status in “openssl” source package in Precise:
Triaged
Status in “openssl” package in Debian:
Fix Released
Bug description:
This week, HTTPS connections from a Python script I wrote started
giving me this error:
urllib2.URLError: <urlopen error [Errno 8] _ssl.c:497: EOF occurred in violation of protocol>
This used to work up until some three days ago and still works on
other Ubuntu versions, but not in other Python versions on Precise. I
was suspecting this was a bug in Python, but a guy on AskUbuntu (
http://askubuntu.com/questions/116020/python-https-requests-urllib2-to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059 )
found out this happens using the openssl command line tool too:
$ openssl s_client -connect www.mediafire.com:443
But succeeds if forcing TLS 1 with the -tls1 argument.