httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results
Date Fri, 17 Jul 2015 10:39:16 GMT
Michael Felt wrote:
> Yann Ylavic wrote:
>>
>> So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass
>> now.
>
> I'll pull ApacheTest and check.

I assume the attached logs_pr12355_LibreSSL.zip was with the latest
framework (including r1691419), so the RC4 => AES changes did not
work...

>
> so if I look through the VirtualHost definitions made by ApacheTest I should
> see some "Location CipherSuite" declarations?

Yes, t/conf/ssl/ssl.conf.in has a VirtualHost SSLCipherSuite
"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" which is
overridden for some <Location>s (/require-aes{128,256}-cgi and
/modules/ssl/aes{128,256}/) with SSLCipherSuite "AES{128,256}-SHA".

>>> [Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
>>>   SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected
message
>>
>> That's not an alert (a close?).
>> Maybe a higher LogLevel (trace5?) would help, and/or a pcap...
>
> So, an attachment again, with both binary and text of iptrace during run of
> test pr12355. I guess (rather hope) you can read what is going on here.

Ouch, quite hard to read TLS in the matrix :)
Maybe "tcpdump -i lo -w dump.pcap -s0 tcp port 8532"?
(dump.pcap would then be readable in wireshark).

But possibly "LogLevel trace5" in httpd.conf (or
t/conf/ssl/ssl.conf.in 's VirtualHost) would be enough to see what's
going on.

Since the "error" (interruption) seems to be on the client side
though, it may also be interesting to start httpd with a configuration
like the framework's generated t/conf/ssl/ssl.conf file, and then use
openssl s_client (or libressl s_client? dunno the name of that binary
in libreSSL...) with -state and -debug to have the client's POV...

Mime
View raw message