httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29744] - CONNECT does not work over existing SSL connection
Date Mon, 20 Mar 2006 20:58:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29744>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29744





------- Additional Comments From apache@nagilum.org  2006-03-20 20:58 -------
Ok, back to the subject, 
the good news first, s_client can connect through the proxy, no patch needed,
but ONLY with ssl2!
Then I tried sslwrap:
(sslwrap  -nocert -state -bugs -debug -ssl2 -port 443 -addr 10.1.1.1 -accept 2001)
which yielded:

SSL_accept:before/accept initialization
SSL_accept:error in SSLv2 read client hello B
ERROR
2411:error:140EC0AF:SSL routines:SSL2_READ_INTERNAL:non sslv2 initial
packet:/cakebox/src/secure/lib/libssl/../../../crypto/openssl/ssl/s2_pkt.c:187:

or similarly for ssl3:

SSL_accept:before/accept initialization
SSL_accept:error in SSLv3 read client hello B
ERROR
2416:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:/cakebox/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:297:

I also tried stunnel3:
(stunnel3 -f -D 7 -c -d 2001 -r ns:443)

2006.03.20 21:35:12 LOG6[2378:134633472]: SSL connected: previous session reused
2006.03.20 21:35:17 LOG7[2378:134633472]: SSL alert (write): fatal: handshake
failure
2006.03.20 21:35:17 LOG3[2378:134633472]: SSL_read: 1408F10B: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
2006.03.20 21:35:17 LOG5[2378:134633472]: Connection reset: 44 bytes sent to
SSL, 0 bytes sent to socket
2006.03.20 21:35:17 LOG7[2378:134633472]: stunnel3 finished (0 left)

and finally s_client:
(openssl s_client -connect cakebox:443 -tls1 -bugs -state -debug)
After successfully connecting, requesting the tunnel aborts with:
SSL3 alert write:fatal:protocol version
2431:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:/cakebox/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:286:
write to 0808D700 [080B4000] (37 bytes => 37 (0x25))
0000 - 15 54 54 00 20 01 6e f3-14 fc bb f8 fc 4b 1e 3e   .TT. .n......K.>
0010 - 7e 73 89 3a cb 3e f0 d2-43 e2 45 01 9b 12 88 dc   ~s.:.>..C.E.....
0020 - ff 3e 90 5a ed                                    .>.Z.
SSL3 alert write:warning:close notify

and very similar with ssl3:
(openssl s_client -connect cakebox:443 -ssl3 -bugs -state -debug)
SSL3 alert write:fatal:handshake failure
2451:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:/cakebox/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:286:
write to 0808D700 [080B4000] (37 bytes => 37 (0x25))
0000 - 15 54 54 00 20 14 70 c4-f8 7e b4 9d bc 18 5b a2   .TT. .p..~....[.
0010 - a4 66 33 43 7b 89 00 b8-75 25 7f 92 8e 8e 0a 64   .f3C{...u%.....d
0020 - b7 03 f3 46 80                                    ...F.
SSL3 alert write:warning:close notify

All of this was tested against Apache2.0.55 (FreeBSD) PHP/4.4.2 mod_ssl/2.0.55
running FreeBSD 6.1-PRERELEASE on the server and the client.
OpenSSL 0.9.7e-p1 25 Oct 2004 was installed on both systems.
I also applied the patch for 2.0.52 which still applies just fine on 2.0.55, but
the behaviour didn't change.
I hope this helps.

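The 37-byte record in the `-tls1` trace above can be decoded by hand. The following is an added example, not part of the original message and not httpd or OpenSSL code: it rebuilds the bytes from the `-debug` dump and parses the 5-byte record header, showing an alert record whose version field is 0x5454 (ASCII "TT") rather than an SSL/TLS version. The function names and the small version table are assumptions of this sketch.

```python
import re

# First hex dump from the message above (s_client -tls1 run), copied verbatim.
DUMP = """\
0000 - 15 54 54 00 20 01 6e f3-14 fc bb f8 fc 4b 1e 3e   .TT. .n......K.>
0010 - 7e 73 89 3a cb 3e f0 d2-43 e2 45 01 9b 12 88 dc   ~s.:.>..C.E.....
0020 - ff 3e 90 5a ed                                    .>.Z.
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0"}  # table assumed for this sketch


def dump_to_bytes(dump):
    """Rebuild raw bytes from OpenSSL '-debug' hex dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        # offset, " - ", then hex pairs separated by ' ' or '-' (mid-row mark)
        m = re.match(r"[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


def parse_record(raw):
    """Decode the 5-byte SSL/TLS record header: type, version, length."""
    if len(raw) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ver = raw[1:3]
    length = int.from_bytes(raw[3:5], "big")
    printable = all(0x20 <= b < 0x7F for b in ver)
    return {
        "type": CONTENT_TYPES.get(raw[0], "unknown"),
        "version": int.from_bytes(ver, "big"),
        "version_name": VERSIONS.get(int.from_bytes(ver, "big")),
        "version_ascii": ver.decode("ascii") if printable else None,
        "length": length,
        "complete": len(raw) == 5 + length,
    }


def diagnose(rec):
    """One-line triage verdict for a parsed record header."""
    if rec["version_name"]:
        return "%s %s record" % (rec["version_name"], rec["type"])
    hint = " (ASCII %r)" % rec["version_ascii"] if rec["version_ascii"] else ""
    return "version 0x%04x%s is not an SSL/TLS version" % (rec["version"], hint)
```

Printable ASCII in the version field is a common sign that plaintext bytes were interpreted as a record header somewhere on the path, which is worth checking first when triaging "wrong version number" errors.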