| Comment | Date | By |
| should be fixed by dirihle in rev. 2545 (2747 - is number of the patch, not revision number ;-))) ) | 2009-May-01 16:23 | shaplov |
| should be fixed by dirihle in rev. 2747 | 2009-May-01 16:19 | shaplov |
| Just test, please ignore | 2008-Aug-27 11:01 | shaplov |
Looks like I was looking at the wrong place. Sorry about it.
Thanks caster! | 2008-May-29 20:55 | anton_kg |
anton_kg: what you posted here is a selection of method based on a command-line option, so basically what I said about the checkbox. But I still believe the patch should be a universal solution. Read "man SSL_CTX_new" or http://www.openssl.org/docs/ssl/SSL_CTX_new.html :
SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best choice when compatibility is a concern.
So this should basically work anywhere, while TLSv1_method "will only understand the TLSv1 protocol". | 2008-May-29 16:23 | caster |
Shaplov:
Sorry for the lag. I don't know if I subscribe to this bug report.
Could you please keep us posted in the bug
https://bugs.gentoo.org/show_bug.cgi?id=224095
Thank you.
| 2008-May-29 15:35 | anton_kg |
shaplov:
yes, the patch works but I still think it's more a workaround or single-case solution.
I suggest you have a look at the code of stunnel, they do more work about it:
stunnel-4.21/src/options.c:
    /* sslVersion */
    switch(cmd) {
    case CMD_INIT:
        section->client_method=SSLv3_client_method;
        break;
    case CMD_EXEC:
        if(strcasecmp(opt, "sslVersion"))
            break;
        if(!strcasecmp(arg, "all")) {
            section->client_method=SSLv23_client_method;
        } else if(!strcasecmp(arg, "SSLv2")) {
            section->client_method=SSLv2_client_method;
        } else if(!strcasecmp(arg, "SSLv3")) {
            section->client_method=SSLv3_client_method;
        } else if(!strcasecmp(arg, "TLSv1")) {
            section->client_method=TLSv1_client_method;
        } else
            return "Incorrect version of SSL protocol";
It looks like a more universal solution to me, but it's better to double check.
Thank you.
| 2008-May-29 15:13 | anton_kg |
| Sorry for the late response. The patch works fine. According to openssl docs, SSLv23_client_method() includes TLSv1 as well and should be the most compatible one, so hopefully this won't break connecting to some other server. In the worst case there could be a checkbox or something to specify the method per jabber connection. | 2008-May-29 12:10 | caster |
Added anton_kg's patch at rev 2152.
Did it help? | 2008-Apr-29 15:30 | shaplov |
Matthew Stapleton suggested the following patch to fix the problem:
--- sim/sslclient.cpp.orig 2006-02-01 04:24:25.000000000 +0800
+++ sim/sslclient.cpp 2008-04-23 20:59:47.000000000 +0800
@@ -406,7 +406,7 @@
bool SSLClient::initTLS1(bool bDH)
{
- mpCTX = SSL_CTX_new(TLSv1_method());
+ mpCTX = SSL_CTX_new(SSLv23_client_method());
if (mpCTX == NULL)
return false;
if (bDH){
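Review bot: the switch to mpCTX = SSL_CTX_new(SSLv23_client_method()); makes the handshake work by letting the client advertise SSLv2, SSLv3 and TLSv1 at once, but it also means the client will accept an SSLv2 or SSLv3 session if that is what the server selects, which is wider than the TLSv1-only behaviour the name initTLS1 promises. Consider following the NULL check with SSL_CTX_set_options(mpCTX, SSL_OP_NO_SSLv2); so the SSLv23 method is used for version negotiation only, and either rename the function or add a comment stating that it now negotiates the protocol version rather than forcing TLSv1. Note also that TLSv1_method() served both roles while SSLv23_client_method() is client-only, so the change is correct only if SSLClient never acts as the server side of a connection.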
| 2008-Apr-23 15:29 | anton_kg |
The openssl bug has been fixed and the patch has been included in the 0.9.8g-r1 ebuild, however I still can't connect to gtalk using sim-im.
See gentoo bug as a reference:
http://bugs.gentoo.org/show_bug.cgi?id=198914
| 2008-Apr-14 07:27 | anton_kg |
True, the openssl bug is here http://rt.openssl.org/index.html?q=1629
On gentoo, tlsext is enabled since 0.9.8g which triggered the issue.
And my command-line openssl client test didn't catch it because I didn't pass -ssl3 - with this option it breaks too.
So you can probably close this, not much you can do, sorry for the spam :) | 2008-Mar-24 13:49 | caster |
this isn't a bug in Sim-IM, it's a bug in openssl when using SSLv3 with tlsext
upstream openssl is aware of the issue | 2008-Mar-23 18:53 | vapier |
> Let me know if I can help by providing any logs, testing etc.
I do not know how to help by logs and testing. The only way is to find the place in the code where auth fails and try to find out why it fails. If you can do it that would be great. If not, I hope that somebody (maybe I) would do it sooner or later. | 2008-Jan-30 20:23 | shaplov |
| Yes, same problem, Gentoo + openssl 0.9.8g. I downgraded it and it works. | 2008-Jan-30 20:04 | smajchl |
| I have exactly the same problem on Gentoo with openssl 0.9.8g. Let me know if I can help by providing any logs, testing etc. BTW I tried connecting to talk.google.com:5223 with openssl s_client command, and both openssl versions connected fine and gave the same output. | 2008-Jan-04 22:33 | caster |