b-etch: reproducing the problem (fwd)


b-etch: reproducing the problem (fwd)

Dmitry Belyavsky
Greetings!

We use openssl 0.9.8a, apache 1.3.34 with mod_ssl 2.8.25 (Debian etch).
The URL we request requires client certificate.

The command is:

zsh% openssl s_client -cipher DHE-DSS-AES256-SHA -cert U_x_dsa_dsaparams.pem/cert.pem -key U_x_dsa_dsaparams.pem/seckey.pem -CAfile ca_dsa.pem -connect b-etch.vm.cryptocom.ru:444 -ign_eof

The result is:

CONNECTED(00000003)
depth=1 /C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/emailAddress=[hidden email]
verify return:1
---
Certificate chain
 0 s:/C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/emailAddress=[hidden email]
   i:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
 1 s:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
   i:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
---
Server certificate
subject=/C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/emailAddress=[hidden email]
issuer=/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
---
No client certificate CA names sent
---
SSL handshake has read 2126 bytes and written 247 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-DSS-AES256-SHA
    Session-ID: E3EAF6401AF1F8157A2653118728FE9A15322C97FDCC8AFCB084326CE1C9C227
    Session-ID-ctx:
    Master-Key: DABB6DC00DA8A621316F9711263F13D9ED8DE59CC6A5F33800A4D7DCE0135132FF8D30148363A33CDF1C978CD4B974E2
    Key-Arg   : None
    Start Time: 1133270656
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET /ssl_auth_test.html
depth=1 /C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/emailAddress=[hidden email]
verify return:1
4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:

The bug is reproduced about 4 times out of 5.

When I add the -ssl3 key to the command line, I successfully get the page I
request.

openssl-0.9.7 s_client doesn't get an error anyway.

What's wrong?

Thank you!

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: b-etch: reproducing the problem (fwd)

Victor Duchovni
On Tue, Nov 29, 2005 at 05:32:45PM +0300, Dmitry Belyavsky wrote:

> Greetings!
>
> We use openssl 0.9.8a, apache 1.3.34 with mod_ssl 2.8.25 (Debian etch).
> The URL we request requires client certificate.
>
> 4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:
>
> The bug is reproduced about 4 times out of 5.
>
> When I add the -ssl3 key to the command line, I successfully get the page I
> request.
>
> openssl-0.9.7 s_client doesn't get an error anyway.
>
> What's wrong?
>

http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2005-November/000418.html

--
        Viktor.

Re: b-etch: problems with openssl-0.9.8a

Dmitry Belyavsky
Greetings!

On Tue, 29 Nov 2005, Victor Duchovni wrote:

> On Tue, Nov 29, 2005 at 05:32:45PM +0300, Dmitry Belyavsky wrote:
>
> > Greetings!
> >
> > We use openssl 0.9.8a, apache 1.3.34 with mod_ssl 2.8.25 (Debian etch).
> > The URL we request requires client certificate.
> >
> > 4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:
> >
> > The bug is reproduced about 4 times out of 5.
> >
> > When I add the -ssl3 key to the command line, I successfully get the page I
> > request.
> >
> > openssl-0.9.7 s_client doesn't get an error anyway.
> >
> > What's wrong?
> >
>
> http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2005-November/000418.html

Thank you!
Does the Debian team or the OpenSSL team have plans to fix it?

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)

Re: b-etch: problems with openssl-0.9.8a

Victor Duchovni
On Tue, Nov 29, 2005 at 09:21:19PM +0300, Dmitry Belyavsky wrote:

> > > 4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:
> > >
> > > What's wrong?
> > >
> >
> > http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/2005-November/000418.html
>
> Thank you!
> Does the Debian team or the OpenSSL team have plans to fix it?
>

I am neither a Debian developer nor an OpenSSL developer, perhaps someone
else will answer this question...

--
        Viktor.