From: "Chris H" <chris#@1command.com>
To: freebsd-stable@freebsd.org
Cc: "Peter C. Lai"
Date: Fri, 18 Dec 2009 23:48:22 -0800 (PST)
Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE
In-Reply-To: <20091219044352.GO88081@cesium.hyperfine.info>

Hello Peter, and thank you for the reply.

> On 2009-12-18 05:32:41PM -0800, Chris H wrote:
>
>> Greetings,
>> A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to
>> indicate that changes in SSL have made it virtually unusable. I've spent the
>> past 3 days attempting to (re)create an SSL-enabled virtual host that serves
>> web-based access to local mail. Since it's local, I'm using self-signed certs
>> following a scheme that has always worked flawlessly for the past 9 yrs.
>> However, now having installed 8, it isn't working. The browser(s) throw
>> "ssl_error_handshake_failure_alert" (ff-3.56).
>> Other gecko-based and non-gecko-based UAs throw similar, as does
>> openssl's s_client. After immense research, the only thing I can find that
>> might best explain it is a recent SA patch applied to FreeBSD's src
>> (SA-09:15). After reading what the patch provides, I am able to better
>> understand the error messages thrown to /var/messages when attempting to
>> negotiate a secure session in a UA:
>>
>> kernel: TCP: [web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags 0x18; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after socket was closed, sending RST and removing tcpcb
>> kernel: TCP: [web.server.host.IP]:59735 to [web.server.host.IP]:443 tcpflags 0x11; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>> kernel: TCP: [web.server.host.IP]:52153 to [web.server.host.IP]:443 tcpflags 0x18; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after socket was closed, sending RST and removing tcpcb
>> kernel: TCP: [web.server.host.IP]:52153 to [web.server.host.IP]:443 tcpflags 0x11; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>> kernel: TCP: [web.server.host.IP]:60382 to [web.server.host.IP]:443 tcpflags 0x18; tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after socket was closed, sending RST and removing tcpcb
>> kernel: TCP: [web.server.host.IP]:60382 to [web.server.host.IP]:443 tcpflags 0x11; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
>>
>> So, if I understand things correctly, the patch prevents (re)negotiation,
>> making the likelihood of a successful "handshake" near null (as the log
>> messages above show). I'm sure that some may be quick to point the finger at
>> the self-signed cert as the more likely cause; I should add that, while in
>> fact quite unlikely, I too didn't completely rule that out. So I purchased
>> one from startssl - money wasted. The results were the same. So it would
>> appear that until something else is done to overcome the hole in current
>> openssl, my only recourse is to back the patch out and rebuild openssl && all
>> affected ports - no?

On Fri, December 18, 2009 8:43 pm, Peter C. Lai wrote:
> This might have something to do with a libthr discussion I was CCed on.
> Someone mentioned something about removing a link to libthr in openssl
> but I can't remember if this was in the port or base openssl...
>
Please pardon the pun; but was that /thread/ on _this_ list? Or did you mean
that you were CC'd from a different list? If a different list, which one?

Thank you again for taking the time to respond.

--Chris H

>> Thank you for all your time and consideration in this matter.
>>
>> --Chris H
>>
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> --
> ===========================================================
> Peter C. Lai | Bard College at Simon's Rock
> Systems Administrator | 84 Alford Rd.
> Information Technology Svcs. | Gt. Barrington, MA 01230 USA
> peter AT simons-rock.edu | (413) 528-7428
> ===========================================================
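As an added example (not part of the thread, and not FreeBSD's own tooling): a small Python parser for the kernel TCP messages Chris quoted, so the per-connection pattern (a PSH/ACK carrying data after the socket was closed, then a FIN/ACK failing SYNCOOKIE authentication) can be pulled out of a busy system log during triage rather than read by eye. The sample lines are constructed from the thread's messages, with 192.0.2.10 standing in for the redacted host.

```python
import re
from collections import defaultdict

# Matches the FreeBSD TCP log format quoted in the thread:
#   kernel: TCP: [src]:sport to [dst]:dport tcpflags 0xNN; <function>: <detail>
TCP_RE = re.compile(
    r"kernel: TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r" tcpflags (?P<flags>0x[0-9a-fA-F]+); (?P<func>\w+): (?P<detail>.*)"
)

# TCP header flag bits as printed in the kernel's tcpflags word.
FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def decode_flags(value):
    """Turn the hex tcpflags word into flag names, e.g. 0x18 -> ['PSH', 'ACK']."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if value & bit]

def classify(func, detail):
    """Label the two message types seen in the thread; anything else is 'other'."""
    if func == "tcp_do_segment" and "after socket was closed" in detail:
        return "data-after-close"
    if func == "syncache_expand" and "SYNCOOKIE" in detail:
        return "syncookie-reject"
    return "other"

def parse_line(line):
    """Return a dict for one kernel TCP line, or None if the line is something else."""
    m = TCP_RE.search(line)
    if m is None:
        return None
    return {"sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": decode_flags(int(m["flags"], 16)), "kind": classify(m["func"], m["detail"])}

def summarize(lines, port=443):
    """Group event kinds by client source port for connections to `port`."""
    by_port = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["dport"] == port:
            by_port[ev["sport"]].add(ev["kind"])
    return {sport: sorted(kinds) for sport, kinds in by_port.items()}

# Constructed sample lines mirroring the thread's messages; 192.0.2.10 is a placeholder host.
CLOSED = "tcp_do_segment: FIN_WAIT_2: Received 37 bytes of data after socket was closed, sending RST and removing tcpcb"
COOKIE = "syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)"
SAMPLE = [
    f"kernel: TCP: [192.0.2.10]:59735 to [192.0.2.10]:443 tcpflags 0x18; {CLOSED}",
    f"kernel: TCP: [192.0.2.10]:59735 to [192.0.2.10]:443 tcpflags 0x11; {COOKIE}",
    f"kernel: TCP: [192.0.2.10]:52153 to [192.0.2.10]:443 tcpflags 0x18; {CLOSED}",
]
```

Running `summarize(SAMPLE)` reports which client ports hit both conditions, which is the pairing Chris saw for every connection; a port with only `data-after-close` is a different (and in this sample, incomplete) case.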