You are not logged in.
Just upgraded to OpenSSL 1.0.1 that was released today. After rebooting the machine, I'm unable to SSH into it. It does the key exchange, but when ciphering comes on the connection is reset by the server. I'm not sure if this problem is due to PuTTY doing something wrong, or if OpenSSL broke something...
Can anyone running the latest OpenSSL version and using PuTTY confirm this?
Last edited by nullvoid (2012-03-22 15:00:52)
Offline
Turns out the problem was related to which cipher I use... aes256-cbc does not work with PuTTY, however aes256-ctr does. I guess it's PuTTYs fault since other SSH implementations connects just fine regardless of what cipher is used.
Last edited by nullvoid (2012-03-21 22:10:21)
Offline
You know, I have a similar issue...
I wanted to use aes128-cbc for rsync. But the connection would reset after typing the password. So I went with arcfour128 instead. Seems like the newest openssl has non-working cbc ciphers.
Offline
If I remember correctly I started forcing CBC mode because CTR has a flaw which allows an attacker to (theoretically?) decrypt some of the ciphertext. On the other hand, I can connect from other Linux boxes, it's _just_ PuTTY and programs based on PuTTY that fails to connect.
Offline
The problem is more serious than it seems.
After the upgrade to openssh-5.9p1-8 and openssl-1.0.1-1 packages, I can't connect anymore to all Cisco IOS routers.
That's what I got debugging ip ssh on a router:
...
Mar 22 14:20:47 CEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Mar 22 14:20:47 CEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.9
...
Mar 22 14:20:57 CEST: SSH2 1: authentication successful for admin
Mar 22 14:20:57 CEST: SSH1: Session disconnected - error 0x07
I tried forcing version 2 of the protocol and different cyphers, but it doesn't solve.
Then I downgraded both packages.
Thanks in advance.
Last edited by smart2128 (2012-03-22 14:58:42)
Offline
Null,
Did you generate your keys using PuTTY? When I did that and I attempted to connect using cipher, it wouldn't connect. Of course, I was using RSA keys, so that may affect the mileage.
Basically, I had to remove the ----BEGIN... and ...END--- lines, make the key one line (used a lot of Shift+J, x, and right arrow) and added ssh-rsa at the beginning of the first line. I am at work right now, so I can't find the link that I used that had that information on it.
Of course, this could be 100% irrelevant to your situation, in which case, ignore me.
Czar.
Laptop: Lenovo X1 Carbon, Core i7 2.0Ghz, 8GB RAM, Gnome 3.16
Offline
Czarcasmo:
No keys were generated in PuTTY, they were all generated in OpenSSL 0.9.8g (if I remember correctly). Also, the RSA key exchange is working fine, it's just AES-{128,256}-CBC that is not working.
smart2128:
Have you tried forcing your SSH client to use another cipher or mode of operation?
Offline
smart2128:
Have you tried forcing your SSH client to use another cipher or mode of operation?
Yes, I tried forcing both with a long list of cyphers.
Thank you for your reply.
Offline
OpenSSL 1.0.1 causes Mutt to fail in a connection to an IMAP server. Gives an error "imap_check_capabilities []?".
Previously when connecting to the server it said:
"SSL connection using TLSv1/SSLv3 (RC4-MD5)"
Now it says:
"SSL connection using TLSv1/SSLv3 (DES-CBC3-SHA)"
Any ideas what could be done?
Offline
Had a similar issue with some screen scraping I do.
Found something that's reporoducable ...
$ links -dump https://www.national-lottery.co.uk/
SSL error
Can't be much more helpful. I afraid. I resolved the issue by downgrading openssl and openssh.
Last edited by prawn (2012-03-22 19:33:33)
Offline
Of course "https://www.blahblah.blah" is not a valid URL. This works fine for me.
I am sure the openssl guys would like to hear about such issues. The best thing to do is to make it reproducible and send a mail to theirs users mailing list.
Offline
Of course "https://www.blahblah.blah" is not a valid URL. This works fine for me.
I am sure the openssl guys would like to hear about such issues. The best thing to do is to make it reproducible and send a mail to theirs users mailing list.
Will do. Am trying to find another site that I can reproduce the error with.
Offline
FWIW the openssl 1.0.0.h-1 to 1.0.1-1 breaks my SSL-IMAP connection, too (aka mutt or offlineimap or whatever). Will go poke upstream peoples
Offline
FWIW the openssl 1.0.0.h-1 to 1.0.1-1 breaks my SSL-IMAP connection, too (aka mutt or offlineimap or whatever). Will go poke upstream peoples
Hmm, openssl 1.0.0.h works fine here (fetchmail with 2 IMAPs accounts)...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
Had a similar issue with some screen scraping I do.
Found something that's reporoducable ...
$ links -dump https://www.national-lottery.co.uk/ SSL error
Can't be much more helpful. I afraid. I resolved the issue by downgrading openssl and openssh.
Same here.
More reproducible examples:
$ curl https://graph.facebook.com/
$ curl https://api-aa-3t.paypal.com/2.0/
Works great in 1.0.0.h, doesn't work in 1.0.1
Offline
Here is an upstream bug report that seems to be related: http://rt.openssl.org/Ticket/Display.html?id=2771
Offline
I've checked the https issues and it looks like they are OpenSSL PR#2771 and the long client hello problem.
I'm not sure about the AES-CBC problems. If AES-CBC was broken I'd expect 'make test' to fail and connecting to servers which use AES-CBC ciphers.
Can anyone experiencing the AES-CBC problem give more details, preferably posting to the OpenSSL request tracker?
For example, include hardware used, if it supports AES-NI etc.
You can disable some optimisation by twiddling bits of the OPENSSL_ia32cap environment variable. Check to see if the problem goes away if you set it to zero.
Offline
found this thread from here:
http://marc.info/?l=openssl-users&m=133295751014931
... bug was preventing me from developing against to Salesforce SOAP API at w3rk (Python) ... lost a whole day trying to debug completely unrelated components ... weak :-(
timesout with arbitrary tools/servers on the cli. sorry no addtl info from me, just a "damn this sucks and maybe we should rollback? :-)" comment.
what am i but an extension of you?
Offline
i am also failing to connect to my companies jabber server, and downgrading openssl alone breaks ssh and prevents gnome3 from starting properly :-(
ugh, in the 2-3 years i've used Arch this is probably the only breakage that's ever *really* disrupted my workflow ... i'll have to rollback with ARM just to move forward. i don't have time to actually debug, but i'm able to test solutions as they surface.
what am i but an extension of you?
Offline
Timeout from the CLI is a symptom of PR#2771 see that text for possible options. I'd be very interested in the software the servers which hang uses and anything else in the chain which might be causing this.
Last edited by shenson (2012-03-29 17:31:16)
Offline
@shenson: Thanks for joining us here. Is there any temporal workaround we could do at the package level (instead of just moving back to 1.0.0)? E.g. disable TLS 1.2 by default?
Offline
Funny you should ask that. I was just testing a horrible hack workaround. If you disable Elliptic curve (ECC) algorithms using no-ec at Configure time it reduces the size of the client hello and it works on several servers I've tested.
Side effect of that is that you lose ECC.
I'm working on something less horrible.
Offline
Offline
Ahh ok, this could be the cause why I can't use some https-sites in my webkit-browsers like rekonq or qupzilla. Hope this get fixed very soon.
Best regards!
Offline
I have built openssl with the proposed workaround. I did some basic tests and it seems to work. Here are some packages for you guys to check out:
EDIT: packages are now in [testing]
Let me know if these fix your issues (and wont break other things); I'll put them into [testing] then.
Last edited by Pierre (2012-03-30 08:29:26)
Offline