#26 2013-02-17 08:26:55

k2_8191
Member
Registered: 2012-10-18
Posts: 20

Re: OpenSSL 1.0.0 issue

@Azriel

Thank you for your reply and sorry for my late response.
But I have some news which solves or clarifies the issue of this topic here and my issue.

First, the official package of openssl is updated to 1.0.1.e-2 and the PKGBUILD used in the official package now contains the lines discussed here.
I've confirmed that my environments successfully communicate with WCG servers, so it looks like no more user-side package building is needed for our issue :)

Second, I've noticed I hadn't precisely followed your instructions... I'm sorry for confusing you.
I cloned the files for package building and, instead of copying your PKGBUILD on pastebin, I altered the file and appended the lines for the fix manually.
Your PKGBUILD on pastebin is for 1.0.1c, and the PKGBUILD in the official repository was for 1.0.1d at the time I tried to build the package.
I believe there was a wrong checksum for Fix-IV-check-and-padding-removal.patch in the PKGBUILD for 1.0.0d, because I repeated package building from scratch twice so I don't think my files were corrupted.
However I can't provide proof because I don't know if I can get old files in the repository...

Third, sadly, your troubleshooting is now obsolete...
The directory structure of the official repository has changed and fix-manpages.patch doesn't exist now.
However that helps me to understand the issue. Thank you again!

Offline

#27 2013-02-17 14:34:37

sknd
Member
From: Brzeszcze, Poland
Registered: 2011-01-20
Posts: 62

Re: OpenSSL 1.0.0 issue

true, everything works fine for me, well done!


What end of the world? The Earth is not the whole world, just a small Wąchock in the universe.

Offline

#28 2013-02-17 14:52:47

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

now contains the lines discussed here

But they didn't last long ;)

Offline

#29 2013-02-17 15:33:36

k2_8191
Member
Registered: 2012-10-18
Posts: 20

Re: OpenSSL 1.0.0 issue

brebs wrote:
k2_8191 wrote:

now contains the lines discussed here

But they didn't last long ;)

Thanks for the heads-up and... oh... :(
The commit message says "Remove all workarounds for broken servers as this breaks more than it helps"... so are WCG servers' SSL connections broken?

Offline

#30 2013-02-18 03:15:26

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

The commit message says "Remove all workarounds for broken servers as this breaks more than it helps"... so are WCG servers' SSL connections broken?

No idea, but this bug doesn't seem to make a lot of noise, so it'll be hard for WCG to know that there is something wrong with their server... Not sure how we could do something to get them to fix that.

This being said, the fix not remaining in the community package isn't that big a deal, we know where the bug is and we know how to fix it, I just redid the wiki manoeuvre, and the only thing we need to amend is the PKGBUILD, and since we have the diff from the "fixed" PKGBUILD and the current, it's easy as pie. I've updated the wiki for that.

Offline

#31 2013-02-20 06:06:53

k2_8191
Member
Registered: 2012-10-18
Posts: 20

Re: OpenSSL 1.0.0 issue

@Azriel
Thanks for updating the wiki :)

Azriel wrote:
k2_8191 wrote:

The commit message says "Remove all workarounds for broken servers as this breaks more than it helps"... so are WCG servers' SSL connections broken?

No idea, but this bug doesn't seem to make a lot of noise, so it'll be hard for WCG to know that there is something wrong with their server... Not sure how we could do something to get them to fix that.

Hmm, I hope I won't get any problem regarding the fix for WCG. It's a little bit creepy...
I wish I had deep knowledge of SSL connections so that I could ask for help about where the problem originates.

Offline

#32 2013-02-20 19:16:53

Peaceseeker
Member
Registered: 2012-04-27
Posts: 23

Re: OpenSSL 1.0.0 issue

I'm unsure if this workaround is needed with the openssl 1.0.1.e release. I've been checking my logs after I installed 1.0.1.e-3, and there don't seem to be any problems. I do have a self-compiled boinc 7.0.52 installed though, so I'm unsure what might have fixed it for me.

Offline

#33 2013-02-22 07:19:46

k2_8191
Member
Registered: 2012-10-18
Posts: 20

Re: OpenSSL 1.0.0 issue

I've also confirmed that my PCs on which BOINC 7.0.28-2 from the community repo and OpenSSL 1.0.1.e-3 are installed communicate with WCG servers successfully...
Why does it work without the fix? I'm confused...

Offline

#34 2013-02-22 17:27:59

Peaceseeker
Member
Registered: 2012-04-27
Posts: 23

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

Why does it work without the fix? I'm confused...

Well, I have 3 ideas why:
1) openssl has received quite a few fixes in this area.
2) WCG could have 'fixed' their servers, although I don't think this is likely the real reason.
3) Archlinux package 'openssl 1.0.1.e-3' is the first package I've actually tried without any of the TLS workarounds, this is most likely I think, although I can't confirm it for sure as I haven't tested it.

So it could have been the inclusion of the option '-DOPENSSL_NO_TLS1_2_CLIENT', in the main openssl package that was causing problems all along, and as these options have been removed for causing more problems than fixing, the maintainer really did mean that. But we'll need a few more confirmations and a few more days testing before anything can be certain.

Offline

#35 2013-02-24 13:11:03

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: OpenSSL 1.0.0 issue

openSUSE are using, in openssl-1.0.1e-2.1.src.rpm, some interesting configure options that could be worth trying for people still having problems:

-DTERMIO \
-DPURIFY \
-DSSL_FORBID_ENULL

Offline

#36 2013-02-27 10:34:20

Azriel
Member
Registered: 2008-01-23
Posts: 58

Re: OpenSSL 1.0.0 issue

k2_8191 wrote:

I've also confirmed that my PCs on which BOINC 7.0.28-2 from the community repo and OpenSSL 1.0.1.e-3 are installed communicate with WCG servers successfully...
Why does it work without the fix? I'm confused...

If it ain't broke, don't try fixin' it ;)

Generally speaking, if something wasn't working and now does, you just make a prayer to the computer gods and thank them for their kindness. I haven't checked whether I'm still downloading new work units after upgrading or not (not on linux at the moment), but if it's fixed for everyone we should edit the wiki one last time.

Offline
