Re: OpenSSL errno=104

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Aug 26, 2022 at 03:59:02AM +0000, Danilo Singh wrote:

> The URL we are trying to connect to is notacarioca.rio.gov.br.  When
> trying to run an openssl s_client -connect, we get error 104, with the
> following return:

> write:errno=104

That is a write system call errno value, which translates to:

    $ perl -le '$! = 104; print "$!"'
    Connection reset by peer

The server is resetting the TCP connection just after receiving the TLS
CLIENT HELLO message.  Or more likely some oddball firewall in front of
the server is doing that.

The server refuses to negotiate any ciphers other RSA key exchange
(which by the way precludes use of TLS 1.3), and is rather sensitive
to the order in which the 'kRSA' ciphers appear in the cipher list.

Removing all 'SHA1' ciphers seems to help, but also removing non
RSA key-exchange ciphers (while leaving SHA1 enabled) helps.

    ... -cipher 'DEFAULT:!SHA1' ...
    ... -cipher 'kRSA:!COMPLEMENTOFDEFAULT' ...

So rather unclear what exactly makes the server unhappy, but it does
when it works, it seems to choose:

    0x00,0x9D - TLS_RSA_WITH_AES_256_GCM_SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD

otherwise known as 'AES256-GCM-SHA384', which also works if you set it
to be the only client cipher.

> Currently the OpenSSL configuration on our server looks like this. We
> tried several ways, but none worked. As we have little experience with
> OpenSSL we don't know what is wrong.
> 
> CipherString = DEFAULT@SECLEVEL=0

The preferred syntax for this is "DEFAULT:@SECLEVEL=0".

> Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384

Perhaps leave these defaulted.

> MinProtocol = TLSv1.0
> MaxProtocol = TLSv1.3

> SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1

Perhaps leave these defaulted.

-- 
    Viktor.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux