Quiterss up to 0.8.12 on Mac OS X doesn't negotiate SSL with planet.mysql.com ("SSL handshake failed (6)")

[bgmilne]

I was using Quiterss 0.8.8 on Mac OS X to read a number of RSS feeds, including https://planet.mysql.com/rss20.xml, but the newest article I see in Quiterss is from Wed 11 Jul 2018 09:30 UTC. I definitely clicked the 'update all feeds' button by 16 July (but probably by Thu 12 July 2018 08:00 UTC), and there were new posts since Thu 12 Jul 2018 01:11 UTC.

The status tab for the feed says "SSL handshake failed (6)"

I upgraded to 0.8.12 today, to see if that would help, but the status is the same.

The certificate for planet.mysql.com (actually for www.mysql.com) was issued on 23 Feb 2018, but maybe they changed their SSL config since then.

I can visit the site on Mozilla 52.x and it negotiates "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2"

ssllabs (https://www.ssllabs.com/ssltest/analyze.html?d=planet.mysql.com) says it only supports TLS 1.2 (no 1.1, no 1.3) with the following ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA

I can also visit the site on Qupzilla: Application version 2.1.2 QtWebEngine version 5.8.0 https://www.qupzilla.com Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) QupZilla/2.1.2 Chrome/53.0.2785.148 Safari/537.36

openssl (OpenSSL 0.9.8zh 14 Jan 2016) won't connect: $ openssl s_client -connect planet.mysql.com:443 CONNECTED(00000003) 52720:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.7/src/ssl/s23_clnt.c:593:

Qt 5.8 added TLS PSK ciphersuites, maybe updating the Qt version used for the Mac OS builds to 5.8 would help?

I don't normally use Quiterss on other platforms, on Linux I am using Akregator, and I can't test With Quiterss on Lnux right now (maybe later).

[bgmilne]

On Linux (Mageia 6 x86_64), I can retrieve the feed at https://planet.mysql.com/rss20.xml Help->About says: Version 0.18.4 (08.03.2016) QuiteRSS is a open-source cross-platform RSS/Atom news reader Includes: Qt-5.6.0, SQLite-3.11.1, WebKit-602.1

(These seem to be compile-time versions)

Full package versions:

[bgmilne@buchan-desktop ~]$ rpm -qR quiterss|while read req;do rpm -q --whatprovides "$req";done|sort -u
glibc-2.22-28.mga6
lib64qt5core5-5.9.4-1.1.mga6
lib64qt5-database-plugin-sqlite-5.9.4-1.1.mga6
lib64qt5gui5-5.9.4-1.1.mga6
lib64qt5multimedia5-5.9.4-1.mga6
lib64qt5network5-5.9.4-1.1.mga6
lib64qt5printsupport5-5.9.4-1.1.mga6
lib64qt5sql5-5.9.4-1.1.mga6
lib64qt5webkit5-5.212.0-1.alpha2.7.mga6
lib64qt5webkitwidgets5-5.212.0-1.alpha2.7.mga6
lib64qt5widgets5-5.9.4-1.1.mga6
lib64qt5xml5-5.9.4-1.1.mga6
lib64qtsingleapplication-qt5_1-2.6.1-16.mga6
lib64sqlite3_0-3.17.0-2.2.mga6
libgcc1-5.5.0-1.mga6
libstdc++6-5.5.0-1.mga6
no package provides rpmlib(CompressedFileNames) <= 3.0.4-1
no package provides rpmlib(FileDigests) <= 4.6.0-1
no package provides rpmlib(PayloadFilesHavePrefix) <= 4.0-1
no package provides rpmlib(PayloadIsXz) <= 5.2-1

[genodeftest]

According to Wikipedia, OpenSSL 0.9.8 does not have TLS 1.1/1.2 support. This line

52720:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.7/src/ssl/s23_clnt.c:593:

indicates that QuiteRSS is bundled with OpenSSL 0.9.8 though. If that is true, this is a highly security critical bug and nobody should use QuiteRSS until this bug is fixed.

[genodeftest]

In case OpenSSL is not shipped with QuiteRSS, you will need to update your system or some other component on that computer which provides the outdated version of OpenSSL.