touch-packages team mailing list archive

[Bug 861137] Re: Openssl TLS errors while connecting to SSLv3 sites

 

Hi,
this bug is unfortunately still active. Here is how to reproduce it:

$ curl https://auslandsjahr-usa.com --sslv3

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

The issue seems to be SSLv3, since

$ curl https://auslandsjahr-usa.com --ssl

works.

Unfortunately this bug also affects all depending libraries and
scripting languages. (python 2.7.6 in my case):

$ python -c "import sys; import os; import ssl;
print(ssl.OPENSSL_VERSION); sys.path.insert(1,
os.path.abspath(os.path.join(os.getcwd(), 'lib'))); import requests;
requests.get('https://auslandsjahr-usa.com')"

OpenSSL 1.0.1f 6 Jan 2014
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 55, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

We use Ubuntu 14.04.2 LTS
# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.2 LTS
Release:	14.04
Codename:	trusty

A patch would be highly appreciated.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/861137

Title:
  Openssl TLS errors while connecting to SSLv3 sites

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  I upgraded to Oneiric Ocelot beta1. OpenSSL version is "1.0.0e 6 Sep
  2011"

  Now, when I connect to certain HTTPS servers with wget or curl I get a
  TLS error.

  With wget : OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
  With curl : curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

  In wget, this can be fixed by specifying --secure-protocol=sslv3 option
  In curl, this can be fixed by specifying -sslv3 option

  The issue is that the automatic check for the version seems to be
  failing. This is working fine in Natty systems using older versions of
  openssl.

  The impact of this will be in scripts using curl, wget etc. which will
  start failing after an upgrade.

  Ubuntu version

  Description:	Ubuntu oneiric (development branch)
  Release:	11.10

  OpenSSL version : OpenSSL 1.0.0e 6 Sep 2011

  openssl:
    Installed: 1.0.0e-2ubuntu2
    Candidate: 1.0.0e-2ubuntu2
    Version table:
   *** 1.0.0e-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137/+subscriptions
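
An added example, not part of the original thread or of OpenSSL: a small decoder for the packed error code `14077438` that wget, curl and requests all report above. It assumes the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) used by the versions in this report, and shows that reason 1080 is 1000 + alert 80, meaning the server sent a fatal `internal_error` alert rather than the client library failing on its own. The helper names and the contrast line are illustrative assumptions.

```python
import re

# OpenSSL 1.0.x packs an error as: lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert received from peer"

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version", 80: "internal_error",
          112: "unrecognized_name"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode(line):
    """Split an OpenSSL error line into its packed fields; None if no error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number sent by the server
    return {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "text": m.group(4).strip(),
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}

def origin(info):
    """Say which side signalled the failure."""
    if info["peer_alert"] is not None:
        return "peer alert %d (%s)" % (info["peer_alert"], info["alert_name"])
    return "raised locally, reason %d" % info["reason"]

SAMPLES = [
    # The first three lines are copied from this thread.
    "OpenSSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    "requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077438:"
    "SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error",
    # Not from this thread: a common locally raised error, included for contrast.
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for line in SAMPLES:
        info = decode(line)
        print("%-24s -> %s" % (info["func_name"], origin(info)))
```

A reason code at or above 1000 points the investigation at the server's handling of the ClientHello; a lower one points at the local library or its configuration.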