Differences in defaults between 1.0.2 and 1.1.1

Hubert Kario hkario at redhat.com
Tue Mar 19 14:21:50 UTC 2019 

On Tuesday, 19 March 2019 14:40:19 CET Perrow, Graeme wrote:
> I have an LDAP server that accepts TLS connections, and I can make a
> connection to it using "openssl s_client -showcerts -host <host>:<port>
> -debug". The output shows this is a TLSv1.2 connection using
> ECDHE-RSA-AES128-SHA. This is using OpenSSL version 1.0.2j.
> 
> If I run exactly the same command using the openssl executable built with
> 1.1.1, I get errors:
> 
> CONNECTED(00000184)
> write to 0x2917b30 [0x2928090] (326 bytes => 326 (0x146))
> 0000 - 16 03 01 01 41 01 00 01-3d 03 03 5a e6 ad 03 79   ....A...=..Z...y
> ...
> 0140 - cb bb 7f 9c 78 24                                 ....x$
> read from 0x2917b30 [0x291edf3] (5 bytes => 0 (0x0))
> write:errno=0
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 326 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> read from 0x2917b30 [0x290e960] (8192 bytes => 0 (0x0))
> 
> The connection is closed by the server, which is reporting an error:
> 
> TLS: error: accept - force handshake failure: errno 11 - moznss error -12162
> TLS: can't accept: TLS error -12162:Unsupported hash algorithm used by TLS
> peer..
> 
> If I add the -no_tls1_2 switch, the openssl 1.1.1 command succeeds. Since
> the server didn't change and the client command line didn't change, it
> would seem that some default behaviour has changed within OpenSSL for
> 1.1.1. I know that some ciphersuites were removed or disabled but the one
> used by OpenSSL 1.0.2j (ECDHE-RSA-AES128-SHA) does not seem to be one of
> them (it's listed in "openssl ciphers"). Does anyone know what might be
> happening here? Thanks

the error would indicate that the server is using Mozilla NSS library for the 
TLS implementation.

I recall that some very old NSS versions were intolerant to undefined 
signature algorithms[1,2]. Which NSS version is the server using?

And OpenSSL needs to add rsa_pss_* signature algorithms to the ClientHello - 
those are the only ones allowed for RSA keys in TLS 1.3 - the bug is in the 
server.

 1 - https://bugzilla.mozilla.org/show_bug.cgi?id=1119983
 2 - https://bugzilla.mozilla.org/show_bug.cgi?id=1317857
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190319/e2cbe076/attachment.sig>

More information about the openssl-users mailing list