From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 2 11:30:11 2011 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 33F921065670 for ; Wed, 2 Mar 2011 11:30:11 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2241B8FC18 for ; Wed, 2 Mar 2011 11:30:11 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p22BUBgw061234 for ; Wed, 2 Mar 2011 11:30:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p22BUA8R061231; Wed, 2 Mar 2011 11:30:10 GMT (envelope-from gnats) Date: Wed, 2 Mar 2011 11:30:10 GMT Message-Id: <201103021130.p22BUA8R061231@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Hans Duedal Cc: Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Hans Duedal List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Mar 2011 11:30:11 -0000 The following reply was made to PR kern/155160; it has been noted by GNATS. From: Hans Duedal To: bug-followup@FreeBSD.org, Hans Duedal Cc: Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls Date: Wed, 2 Mar 2011 11:53:32 +0100 --0016368321b259b945049d7db93e Content-Type: text/plain; charset=ISO-8859-1 I should note that the issue does not affect the openssl s_client test command. db3# openssl s_client -quiet -state -CAfile /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443 SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA verify return:1 depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Operations verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A aaaa Status: 500 Internal Server Error Content-Type: text/html

500 Internal Server Error

SSL3 alert read:warning:close notify SSL3 alert write:warning:close notify Used the ca-root from security/ca_root_nss package to avoid verify issues. As you can see from my original report, cURL is affected, and so is puppet which is ruby based, but I assume that many more clients are affected. --0016368321b259b945049d7db93e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I should note that the issue does not affect the openssl s_client test comm= and.

db3# openssl s_client -quiet -state -CAfile /usr/l= ocal/share/certs/ca-root-nss.crt -connect twitter.com:443

SSL_connect:before/connect initialization

SSL_connect:SSLv2/v3 write client hello A

SSL_connect:SSLv3 = read server hello A

depth=3D3 /C=3DUS/O=3DVeriSign, Inc./OU=3DCla= ss 3 Public Primary Certification Authority

verify return:1

=

depth=3D2 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2= 006 VeriSign, Inc. - For authorized use only/CN=3DVeriSign Class 3 Public P= rimary Certification Authority - G5

verify return:1

dep= th=3D1 /C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3DTerms of= use at https://www.verisign.com/r= pa (c)06/CN=3DVeriSign Class 3 Extended Validation SSL CA

verify return:1

depth=3D0 /1.3.6.1.4.1.311.60.2.1.3=3DUS/1.3= .6.1.4.1.311.60.2.1.2=3DDelaware/businessCategory=3DPrivate Organization/se= rialNumber=3D4337446/C=3DUS/postalCode=3D94107/ST=3DCalifornia/L=3DSan Fran= cisco/street=3D795 Folsom St, Suite 600/O=3DTwitter, Inc./OU=3DTwitter =A0O= perations

verify return:1

SSL_connect:SSLv3 read server certificate A<= /div>

SSL_connect:SSLv3 read server done A

SSL_connect:SSLv3 = write client key exchange A

SSL_connect:SSLv3 write change cipher= spec A

SSL_connect:SSLv3 write finished A

SSL_connect:SSLv3 flush d= ata

SSL_connect:SSLv3 read finished A

aaaa

St= atus: 500 Internal Server Error

Content-Type: text/html

<html><body><h1>500 Internal Server E= rror</h1></body></html>SSL3 alert read:warning:close noti= fy

SSL3 alert write:warning:close notify

Used the ca-root from security/ca_root_nss package to avoid veri= fy issues.

As you can see from my original report,= cURL is affected, and so is puppet which is ruby based, but I assume that = many more clients are affected.=A0

--0016368321b259b945049d7db93e--