On Tuesday, 19 March 2019 14:40:19 CET Perrow, Graeme wrote:
> I have an LDAP server that accepts TLS connections, and I can make a
> connection to it using "openssl s_client -showcerts -host <host>:<port>
> -debug". The output shows this is a TLSv1.2 connection using
> ECDHE-RSA-AES128-SHA. This is using OpenSSL version 1.0.2j.
>
> If I run exactly the same command using the openssl executable built with
> 1.1.1, I get errors:
>
> CONNECTED(00000184)
> write to 0x2917b30 [0x2928090] (326 bytes => 326 (0x146))
> 0000 - 16 03 01 01 41 01 00 01-3d 03 03 5a e6 ad 03 79   ....A...=..Z...y
> ...
> 0140 - cb bb 7f 9c 78 24                                 ....x$
> read from 0x2917b30 [0x291edf3] (5 bytes => 0 (0x0))
> write:errno=0
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 326 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> read from 0x2917b30 [0x290e960] (8192 bytes => 0 (0x0))
>
> The connection is closed by the server, which is reporting an error:
>
> TLS: error: accept - force handshake failure: errno 11 - moznss error -12162
> TLS: can't accept: TLS error -12162:Unsupported hash algorithm used by TLS
> peer..
>
> If I add the -no_tls1_2 switch, the openssl 1.1.1 command succeeds. Since
> the server didn't change and the client command line didn't change, it
> would seem that some default behaviour has changed within OpenSSL for
> 1.1.1. I know that some ciphersuites were removed or disabled but the one
> used by OpenSSL 1.0.2j (ECDHE-RSA-AES128-SHA) does not seem to be one of
> them (it's listed in "openssl ciphers"). Does anyone know what might be
> happening here? Thanks

The error would indicate that the server is using the Mozilla NSS library for the TLS implementation.

I recall that some very old NSS versions were intolerant of undefined signature algorithms [1, 2]. Which NSS version is the server using?

And OpenSSL needs to add rsa_pss_* signature algorithms to the ClientHello - those are the only ones allowed for RSA keys in TLS 1.3 - so the bug is in the server.

1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1119983
2 - https://bugzilla.mozilla.org/show_bug.cgi?id=1317857

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
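Added example, not part of the thread and not OpenSSL or NSS code: a small Python probe that isolates the behaviour the reply describes. It hand-builds two TLS 1.2 ClientHellos (no supported_versions extension, so TLS 1.3 itself is not offered), one carrying only the classic RSA-PKCS#1 and ECDSA signature_algorithms and one that additionally advertises the rsa_pss_rsae_sha256/384/512 schemes that OpenSSL 1.1.1 adds, sends each to the server, and reports whether the answer is a ServerHello, an alert, or a bare TCP close like the "read ... 0 bytes" in the s_client output above. A server that accepts the first hello and drops the second is intolerant of unknown signature schemes. The cipher-suite list, the hostname/port arguments, and the sample server responses used to exercise the classifier are constructed for this example.

```python
"""Probe a TLS server for intolerance of rsa_pss_* signature_algorithms.
Added example; the hostname, port, cipher list and sample responses are
constructed for illustration, not taken from the mailing-list thread."""
import os
import socket
import struct
import sys

# SignatureScheme code points (RFC 5246 7.4.1.4.1 hash/sig pairs, RFC 8446 4.2.3)
SIGALGS_LEGACY = [0x0401, 0x0501, 0x0601,   # rsa_pkcs1_sha256/384/512
                  0x0403, 0x0503, 0x0603]   # ecdsa_secp256r1/384r1/521r1_sha256/384/512
SIGALGS_PSS = [0x0804, 0x0805, 0x0806]      # rsa_pss_rsae_sha256/384/512
# TLS 1.2 suites incl. ECDHE-RSA-AES128-SHA (0xC013) named in the thread (assumed list)
CIPHER_SUITES = [0xC013, 0xC02F, 0xC02B, 0x002F, 0x0035]
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}


def _ext(ext_type, body):
    """One TLS extension: type(2) | length(2) | body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname, sigalgs, random=None):
    """Return a TLS 1.2 ClientHello record advertising exactly `sigalgs`."""
    random = os.urandom(32) if random is None else random
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name        # server_name
    groups = struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018)             # x25519, P-256, P-384
    sigs = struct.pack("!H", 2 * len(sigalgs)) + b"".join(struct.pack("!H", s) for s in sigalgs)
    extensions = (_ext(0x0000, sni) + _ext(0x000A, groups) +
                  _ext(0x000B, b"\x01\x00") + _ext(0x000D, sigs))        # ec_point_formats, signature_algorithms
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (struct.pack("!H", 0x0303) + random + b"\x00" +               # version, random, empty session id
            struct.pack("!H", len(suites)) + suites +
            b"\x01\x00" +                                                 # compression: null only
            struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body         # client_hello(1), 3-byte length
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # handshake record, legacy version


def parse_sigalgs(client_hello):
    """Walk a ClientHello record and return the SignatureScheme list it carries."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + client_hello[p]                             # session id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher suites
    p += 1 + client_hello[p]                             # compression methods
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", client_hello[p:p + 4])
        p += 4
        if etype == 0x000D:
            n = struct.unpack("!H", client_hello[p:p + 2])[0] // 2
            return list(struct.unpack("!%dH" % n, client_hello[p + 2:p + 2 + 2 * n]))
        p += elen
    return []


def classify_response(data):
    """Summarise the first record the server sent back, or the absence of one."""
    if len(data) < 5:
        return "closed"                                  # TCP close with no record, as in the thread
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                 # alert: level(1) description(1)
        level, desc = data[5], data[6]
        return "alert: %s %s(%d)" % ("fatal" if level == 2 else "warning",
                                     ALERT_NAMES.get(desc, "unknown"), desc)
    if ctype == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "server_hello"
    return "unexpected record type 0x%02x" % ctype


def probe(host, port, sigalgs, timeout=5.0):
    """Send one ClientHello and report how the server reacts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(host, sigalgs))
            data = s.recv(4096)
    except OSError as e:                                 # reset, refused, timeout
        return "closed (%s)" % e.__class__.__name__
    return classify_response(data)


def diagnose(host, port):
    """Compare legacy-only vs legacy+PSS offers; True means the server is PSS-intolerant."""
    legacy = probe(host, port, SIGALGS_LEGACY)
    with_pss = probe(host, port, SIGALGS_LEGACY + SIGALGS_PSS)
    return {"legacy": legacy, "with_pss": with_pss,
            "pss_intolerant": legacy == "server_hello" and with_pss != "server_hello"}


if __name__ == "__main__":
    print(diagnose(sys.argv[1], int(sys.argv[2])))      # e.g. ldap.example.test 636 (assumed)
```

Run as `python3 probe.py <host> <port>`. A result of `server_hello` for the legacy list and `closed` or a fatal alert for the list with PSS reproduces the symptom in the thread without involving TLS 1.3 at all, which is why `-no_tls1_2` merely hides it. The same check with the stock tool is `openssl s_client -connect <host>:<port> -sigalgs RSA+SHA256:ECDSA+SHA256`: if restricting the advertised schemes makes the 1.1.1 handshake succeed, the server side is rejecting schemes it does not recognise rather than negotiating around them.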