40 Bit and export ciphers throw a handshake error

[drwetter]

Hi Peter,

I thought this is a better place maybe others can contribute/help resolving:

prompt$ ./openssl64-1.0.2pm-krb5.chacha+poly s_client -cipher EXPORT -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de </dev/null
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
151926820:error:140D1044:SSL routines:tls1_change_cipher_state:internal error:t1_enc.c:652:
[..]
prompt$ echo $?
1
prompt$ ./.openssl64-1.0.2pm-krb5.chacha+poly version -a                                                                    
OpenSSL 1.0.2-chacha (1.0.2a-dev)
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN   -DHAVE_DLFCN_H -DKRB5_MIT -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/ssl"

See "SSL routines:tls1_change_cipher_state:internal error" . The return value 1 is affecting testssl.sh (https://github.com/drwetter/testssl.sh) as I test the return value. That happens with all my Linux builds (Ubuntu 12.04 64/32 Bit and Opensuse).

[PeterMosmans]

Hi Dirk @drwetter, thanks for reporting this issue. I can reproduce the error (unfortunately). Connecting succeeds when using the -ssl3 flag, so I'm guessing that it's a fallback/downgrade issue. I will look into it, although this probably will take me a while (think in weeks, not days). Hopefully that's not going to be a problem for you...

Cheers,

Peter

[drwetter]

Hi Peter,

thx! If I'll can spare a few cycles next week I'll look what changed in t1_enc.c . Maybe that gives us a clue. Thx for all your work!

Cheers, Dirk

[PeterMosmans]

I just checked an older build (95b3228) from November 23rd 2014, and it has the same issue. So it seems that the bug isn't introduced in this version. Do you know which version of the 1.0.2-chacha branch has NOT got this bug ? That would help in tracking this issue down...

Thanks!

Peter

[drwetter]

It's also in the build before July (OpenSSL 1.0.2-chacha (beta2-dev)), see https://github.com/drwetter/testssl.sh/issues/38

[drwetter]

No real understanding about the sources. but...

In your tree tree the code with the hiccup (t1_enc.c:652) is some kind of an addon against the vanilla tree -- fucntion "int tls1_change_cipher_state()". See attached the side-by-side-view (vim -d, left: vanilla 1.0.2 stable, right: yours).

[PeterMosmans]

Thanks for the diffs. I'm on it...

[PeterMosmans]

See above referenced commit (https://github.com/PeterMosmans/openssl/commit/005d8364d789d5a8eef0e6c3eb2af7b06b4116e6) where the issue is fixed. Please note that the TLS handling still isn't completely merged with the official 1.0.2 branch. I'll do this in a later stage

[drwetter]

Thx! Looked good so far. :) Will do more tests on 64 bit.

[drwetter]

Thx a lot, Peter.