You are not logged in.

#1 2012-03-21 21:32:18

nullvoid
Member
Registered: 2009-01-18
Posts: 33

OpenSSL 1.0.1 is broken (AES-CBC issue)

Just upgraded to OpenSSL 1.0.1 that was released today. After rebooting the machine, I'm unable to SSH into it. It does the key exchange, but when ciphering comes on the connection is reset by the server. I'm not sure if this problem is due to PuTTY doing something wrong, or if OpenSSL broke something...

Can anyone running the latest OpenSSL version and using PuTTY confirm this?

Last edited by nullvoid (2012-03-22 15:00:52)

Offline

#2 2012-03-21 22:09:57

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Turns out the problem was related to which cipher I use... aes256-cbc does not work with PuTTY, however aes256-ctr does. I guess it's PuTTYs fault since other SSH implementations connects just fine regardless of what cipher is used.

Last edited by nullvoid (2012-03-21 22:10:21)

Offline

#3 2012-03-21 22:18:28

Gusar
Member
Registered: 2009-08-25
Posts: 3,605

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

You know, I have a similar issue...

I wanted to use aes128-cbc for rsync. But the connection would reset after typing the password. So I went with arcfour128 instead. Seems like the newest openssl has non-working cbc ciphers.

Offline

#4 2012-03-22 10:20:02

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

If I remember correctly I started forcing CBC mode because CTR has a flaw which allows an attacker to (theoretically?) decrypt some of the ciphertext. On the other hand, I can connect from other Linux boxes, it's _just_ PuTTY and programs based on PuTTY that fails to connect.

Offline

#5 2012-03-22 14:12:42

smart2128
Member
Registered: 2010-04-09
Posts: 14

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

The problem is more serious than it seems.
After the upgrade to openssh-5.9p1-8  and openssl-1.0.1-1 packages, I can't connect anymore to all Cisco IOS routers.
That's what I got debugging ip ssh on a router:

...
Mar 22 14:20:47 CEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Mar 22 14:20:47 CEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.9
...
Mar 22 14:20:57 CEST: SSH2 1: authentication successful for admin
Mar 22 14:20:57 CEST: SSH1: Session disconnected - error 0x07

I tried forcing version 2 of the protocol and different cyphers, but it doesn't solve.
Then I downgraded both packages.

Thanks in advance.

Last edited by smart2128 (2012-03-22 14:58:42)

Offline

#6 2012-03-22 14:22:41

Czarcasmo
Member
From: Colorado Springs, Colorado
Registered: 2011-04-20
Posts: 82

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Null,

Did you generate your keys using PuTTY? When I did that and I attempted to connect using cipher, it wouldn't connect. Of course, I was using RSA keys, so that may affect the mileage.

Basically, I had to remove the ----BEGIN... and ...END--- lines, make the key one line (used a lot of Shift+J, x, and right arrow) and added ssh-rsa at the beginning of the first line. I am at work right now, so I can't find the link that I used that had that information on it.

Of course, this could be 100% irrelevant to your situation, in which case, ignore me. smile

Czar.


Laptop: Lenovo X1 Carbon, Core i7 2.0Ghz, 8GB RAM, Gnome 3.16

Offline

#7 2012-03-22 14:59:50

nullvoid
Member
Registered: 2009-01-18
Posts: 33

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Czarcasmo:
No keys were generated in PuTTY, they were all generated in OpenSSL 0.9.8g (if I remember correctly). Also, the RSA key exchange is working fine, it's just AES-{128,256}-CBC that is not working.

smart2128:
Have you tried forcing your SSH client to use another cipher or mode of operation?

Offline

#8 2012-03-22 15:31:15

smart2128
Member
Registered: 2010-04-09
Posts: 14

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

nullvoid wrote:

smart2128:
Have you tried forcing your SSH client to use another cipher or mode of operation?

Yes, I tried forcing both with a long list of cyphers.

Thank you for your reply.

Offline

#9 2012-03-22 17:00:26

iipe
Member
From: Finland
Registered: 2011-09-13
Posts: 11

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

OpenSSL 1.0.1 causes Mutt to fail in a connection to an IMAP server. Gives an error "imap_check_capabilities []?".

Previously when connecting to the server it said:
"SSL connection using TLSv1/SSLv3 (RC4-MD5)"

Now it says:
"SSL connection using TLSv1/SSLv3 (DES-CBC3-SHA)"

Any ideas what could be done?

Offline

#10 2012-03-22 19:04:08

prawn
Member
Registered: 2011-11-24
Posts: 10

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Had a similar issue with some screen scraping I do.

Found something that's reporoducable ...

$ links -dump https://www.national-lottery.co.uk/
SSL error

Can't be much more helpful. I afraid. I resolved the issue by downgrading openssl and openssh.

Last edited by prawn (2012-03-22 19:33:33)

Offline

#11 2012-03-22 19:13:58

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Of course "https://www.blahblah.blah" is not a valid URL. This works fine for me.

I am sure the openssl guys would like to hear about such issues. The best thing to do is to make it reproducible and send a mail to theirs users mailing list.

Offline

#12 2012-03-22 19:19:03

prawn
Member
Registered: 2011-11-24
Posts: 10

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Pierre wrote:

Of course "https://www.blahblah.blah" is not a valid URL. This works fine for me.

I am sure the openssl guys would like to hear about such issues. The best thing to do is to make it reproducible and send a mail to theirs users mailing list.

Will do. Am trying to find another site that I can reproduce the error with.

Offline

#13 2012-03-23 15:41:21

yitzle
Member
Registered: 2008-10-19
Posts: 18

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

FWIW the openssl 1.0.0.h-1 to 1.0.1-1 breaks my SSL-IMAP connection, too (aka mutt or offlineimap or whatever). Will go poke upstream peoples

Offline

#14 2012-03-23 16:09:30

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

yitzle wrote:

FWIW the openssl 1.0.0.h-1 to 1.0.1-1 breaks my SSL-IMAP connection, too (aka mutt or offlineimap or whatever). Will go poke upstream peoples

Hmm, openssl 1.0.0.h works fine here (fetchmail with 2 IMAPs accounts)...


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#15 2012-03-26 14:05:09

SoapSeller
Member
Registered: 2009-09-13
Posts: 3

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

prawn wrote:

Had a similar issue with some screen scraping I do.

Found something that's reporoducable ...

$ links -dump https://www.national-lottery.co.uk/
SSL error

Can't be much more helpful. I afraid. I resolved the issue by downgrading openssl and openssh.

Same here.

More reproducible examples:

$ curl https://graph.facebook.com/
$ curl https://api-aa-3t.paypal.com/2.0/

Works great in 1.0.0.h, doesn't work in 1.0.1

Offline

#16 2012-03-26 14:12:31

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Here is an upstream bug report that seems to be related: http://rt.openssl.org/Ticket/Display.html?id=2771

Offline

#17 2012-03-28 18:37:44

shenson
Member
Registered: 2012-03-28
Posts: 4

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

I've checked the https issues and it looks like they are OpenSSL PR#2771 and the long client hello problem.

I'm not sure about the AES-CBC problems. If AES-CBC was broken I'd expect 'make test' to fail and connecting to servers which use AES-CBC ciphers.

Can anyone experiencing the AES-CBC problem give more details, preferably posting to the OpenSSL request tracker?
For example, include hardware used, if it supports AES-NI etc.

You can disable some optimisation by twiddling bits of the OPENSSL_ia32cap environment variable. Check to see if the problem goes away if you set it to zero.

Offline

#18 2012-03-29 15:12:31

extofme
Member
From: here + now
Registered: 2009-10-10
Posts: 174
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

found this thread from here:

http://marc.info/?l=openssl-users&m=133295751014931

... bug was preventing me from developing against to Salesforce SOAP API at w3rk (Python) ... lost a whole day trying to debug completely unrelated components ... weak :-(

timesout with arbitrary tools/servers on the cli.  sorry no addtl info from me, just a "damn this sucks and maybe we should rollback? :-)" comment.


what am i but an extension of you?

Offline

#19 2012-03-29 15:29:44

extofme
Member
From: here + now
Registered: 2009-10-10
Posts: 174
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

i am also failing to connect to my companies jabber server, and downgrading openssl alone breaks ssh and prevents gnome3 from starting properly :-(

ugh, in the 2-3 years i've used Arch this is probably the only breakage that's ever *really* disrupted my workflow ... i'll have to rollback with ARM just to move forward.  i don't have time to actually debug, but i'm able to test solutions as they surface.


what am i but an extension of you?

Offline

#20 2012-03-29 17:23:20

shenson
Member
Registered: 2012-03-28
Posts: 4

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Timeout from the CLI is a symptom of PR#2771 see that text for possible options. I'd be very interested in the software the servers which hang uses and anything else in the chain which might be causing this.

Last edited by shenson (2012-03-29 17:31:16)

Offline

#21 2012-03-29 17:45:57

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

@shenson: Thanks for joining us here. Is there any temporal workaround we could do at the package level (instead of just moving back to 1.0.0)? E.g. disable TLS 1.2 by default?

Offline

#22 2012-03-29 18:14:37

shenson
Member
Registered: 2012-03-28
Posts: 4

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Funny you should ask that. I was just testing a horrible hack workaround. If you disable Elliptic curve (ECC) algorithms using no-ec at Configure time it reduces the size of the client hello and it works on several servers I've tested.

Side effect of that is that you lose ECC.

I'm working on something less horrible.

Offline

#23 2012-03-29 19:13:12

shenson
Member
Registered: 2012-03-28
Posts: 4

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Here is a slightly less horrible hack.

1 Apply the following two patches to OpenSSL 1.0.1:

Patch 1
Patch 2


2. configure it with -DOPENSSL_NO_TLS1_2_CLIENT it will disable TLS v1.2 for TLS clients, which should stop this bug being triggered.

Investigations are continuing.

Offline

#24 2012-03-29 19:18:25

Lothium
Member
Registered: 2009-10-10
Posts: 192

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

Ahh ok, this could be the cause why I can't use some https-sites in my webkit-browsers like rekonq or qupzilla. Hope this get fixed very soon.

Best regards!

Offline

#25 2012-03-29 20:10:26

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: OpenSSL 1.0.1 is broken (AES-CBC issue)

I have built openssl with the proposed workaround. I did some basic tests and it seems to work. Here are some packages for you guys to check out:

EDIT: packages are now in [testing]

Let me know if these fix your issues (and wont break other things); I'll put them into [testing] then.

Last edited by Pierre (2012-03-30 08:29:26)

Offline

Board footer

Powered by FluxBB