httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Felt <>
Subject Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results
Date Fri, 17 Jul 2015 07:22:52 GMT
On 2015-07-16 11:48 PM, Yann Ylavic wrote:
> On Thu, Jul 16, 2015 at 7:02 PM, Michael Felt<>  wrote:
>> A longish read - basically while 2.4.12 had few errors when built against
>> OpenSSL 0.9.8 LibreSSL has quite a few errors - perhaps because it has
>> removed many "unsafe" crypto combinations. The root question is: is this
>> LibreSSL misbehaving, or are the tests needing some work to verify that
>> "weak ciphers and key exchanges are not being used - e.g., via
>> renegotiation.
> Latest commit on test framework ([1]) replaced RC4-{MD5,SHA} with
> AES{128,256}-SHA so that these are more likely to be known by both
> libs (unless LibreSSL also disabled all CBC based chainings).
> So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass now.
I'll pull ApacheTest and check.
> BTW that's not what triggers the renegotiations since keep-alive seems
> not be used for successive requests (that possibly could be another
> test, though logs show Initial connections only here), but rather a
> specific Location's CipherSuite different from the (handshaken)
> VirtualHost's one.
so if I look through the VirtualHost definitions made by ApacheTest I 
should see some "Location CipherSuite" declarations?
>> One test in LibreSSL (first one) from test:
>> [...]
>> [Thu Jul 16 11:47:11.864018 2015] [ssl:debug] [pid 389322:tid 772]
>>   ssl_engine_kernel.c(1908): [client] AH02043: SSL virtual host for
servername loopback found
>> [Thu Jul 16 11:47:11.982116 2015] [ssl:debug] [pid 389322:tid 772]
>>   ssl_engine_kernel.c(1841): [client] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
> Is the framework using openssl or libressl here?
> Are PATH or APACHE_TEST_OPENSSL_CMD defined, or maybe the system's default lib?
As it is TLSv1.2 - that is LibreSSL. I'll generate a list of the ciphers 
it supports asap.
>> [Thu Jul 16 11:47:12.051994 2015] [ssl:error] [pid 389322:tid 772]
>>   [client] AH02261: Re-negotiation handshake failed: Not accepted
by client!?
>> [Thu Jul 16 11:47:12.052072 2015] [ssl:info] [pid 389322:tid 772]
>>   [client] AH02008: SSL library error 1 in handshake (server loopback:8532)
>> [Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
>>   SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
I had cut out all the debug statements - (grep -v debug 
t/logs/error_log) - for me too much noise.
I'll see about pcap/tcpdump (AIX program name is either tcpdump 
(standard *NIX interface) or iptrace
> That's not an alert (a close?).
> Maybe a higher LogLevel (trace5?) would help, and/or a pcap...
> Regards,
> Yann.
> [1]

View raw message