linuxdcpp-team team mailing list archive
Message #09103
[Bug 1965620] [NEW] Secure HTTP connection stopped working for certain servers, including sourceforge.io
Public bug reported:
[2022-02-17 08:50] <eMTee> I am getting TLS error accessing sf.io/version.xml and geoip files hosted there with DC++'s httpconnection. Do any of you? Web browsers seem to work well.
[2022-02-17 09:33] <iceman50> i get a tls error as well
[2022-02-17 10:22] <eMTee> Well, most of the old DC++ versions don't work anymore due to https/TLS 1.2+ requirement of sf but this is unexpected. If it isn't a bug at sf's side then we're in trouble.
...
[2022-02-18 12:42] <eMTee> For
dcdebug("TLS error: call ret = %d, SSL_get_error = %d, ERR_get_error = %d\n, ERR_error_string = %s", ret, err, sys_err, _error.c_str());
I get
TLS error: call ret = -1, SSL_get_error = 1, ERR_get_error = 336151568, ERR_error_string = error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
when connecting to sf.io
[2022-02-18 12:42] <eMTee> This is actually SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE in the OpenSSL defines list.
...
[2022-02-18 15:53] <eMTee> Well, SF is behind cloudflare so I thought it worth checking another cloudflare protected server. E.g. https://dcbase.org/ gives the same error. Wtf?
[2022-02-18 19:15:10] <iceman50> https://stackoverflow.com/questions/36370656/solving-sslv3-alert-handshake-failure-when-trying-to-use-a-client-certificate
[2022-02-19 08:36] <eMTee> Yeah, I've seen that but wasn't sure how it is related to this problem. But yeah it can also be a certificate issue.
[2022-02-19 08:40] <eMTee> It must be some server configuration change, which happened along with a server software update or indeed new certs.
[2022-02-19 15:39] <eMTee> It doesn't seem to be cloudflare related, either. I tried ~50 random domains, a mix of web pages I frequently visit and the most known big tech, social and global media, streaming and IT manufacturer companies' homepages, even ovh.com itself. Found 6 more sites that give the same error with DC++ but nothing much in common between them...
[2022-02-19 15:41] <eMTee> Sites I found not working with DC++ are: dcbase.org, www.espn.com, www.shutterstock.com, forums.mydigitallife.net, www.wsj.com, formula1.com and acer.com.
[2022-02-19 15:48] <eMTee> Whatever this is, we possibly lost the upgrade nag feature of DC++ for all the recently released versions as well, which will cause substantially less usage of any future releases for a longer period of time.
...
[2022-02-23 16:41:53] <eMTee> Checked AirDC++ with downloading sf.io/version.xml, it seems to work fine in it. So again, wtf.
...
[2022-03-01 16:15:32] <eMTee> https://sourceforge.net/p/forge/site-support/23234/ shows a similar problem/error message to our issue. At least some more bits of information/log like how 'sslv3 alert handshake failure' can happen and also "What changed is now we are forwarding the sourceforge.io traffic through cloudflare."
...
[2022-03-17 15:14:56] <eMTee> Okay, so I started investigating the SSL issue myself. I started checking what AirDC++ has committed regarding crypto recently (https://github.com/airdcpp/airdcpp-windows/commits/master/airdcpp/airdcpp/CryptoManager.cpp ) and I think I found our problem. It is actually a standout in the commit list: https://github.com/airdcpp/airdcpp-windows/commit/5e4a58982efa3b1d0086a04601cff5fe027f6c26
[2022-03-17 15:16:55] <eMTee> The openssl issue linked inside the committed code ( https://github.com/openssl/openssl/issues/7147 ) perfectly fits the phenomenon that we see in DC++.
** Affects: dcplusplus
Importance: High
Status: Confirmed
** Tags: https sslsocket tls
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1965620