Ubuntu
openssl package

Bug #965371
Comment #11

Comment 11 for bug 965371

Revision history for this message

Pablo Almeida (pabloalmeidaff9) wrote on 2012-03-30: Re: [Bug 965371] Re: HTTPS requests fail on some sites on Ubuntu 12.04

#11

Hey! After the update that introduced the workaround, my python program
(which uses mediafire) works again, even though the openssl command doesn't
yet.

2012/3/30 Colin Watson <email address hidden>

> I've uploaded upstream's suggested workaround for most of the problems
> here. It isn't complete, and in particular it doesn't deal with the
> server in the bug description (see the Debian bug for a categorisation
> of the problems here), which is why I've left this bug open at a lowered
> importance.
>
> openssl (1.0.1-2ubuntu3) precise; urgency=low
>
> * Temporarily work around TLS 1.2 failures as suggested by upstream
> (LP #965371):
> - Use client version when deciding whether to send supported signature
> algorithms extension.
> - Experimental workaround to large client hello issue: if
> OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
> only.
> - Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
> This fixes most of the reported problems, but does not fix the case of
> servers that reject version numbers they don't support rather than
> trying to negotiate a lower version (e.g. www.mediafire.com).
>
> -- Colin Watson <email address hidden> Fri, 30 Mar 2012 17:11:45 +0100
>
> ** Changed in: openssl (Ubuntu Precise)
> Importance: High => Medium
>
> ** Changed in: openssl (Ubuntu Precise)
> Status: Confirmed => Triaged
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/965371
>
> Title:
> HTTPS requests fail on some sites on Ubuntu 12.04
>
> Status in OpenSSL cryptography and SSL/TLS toolkit:
> Confirmed
> Status in “openssl” package in Ubuntu:
> Triaged
> Status in “openssl” source package in Precise:
> Triaged
> Status in “openssl” package in Debian:
> New
>
> Bug description:
> This week, HTTPS connections from a Python script I wrote started
> giving me this error:
>
> urllib2.URLError: <urlopen error [Errno 8] _ssl.c:497: EOF occurred in
> violation of protocol>
>
> This used to work up until some three days ago and still works on
> other Ubuntu versions, but not in other Python versions on Precise. I
> was suspecting this was a bug in Python, but a guy on AskUbuntu (
> http://askubuntu.com/questions/116020/python-https-requests-urllib2
> -to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059 )
> found out this happens using the openssl command line tool too:
>
> $ openssl s_client -connect www.mediafire.com:443
>
> But succeeds if forcing TLS 1 with the -tls1 argument.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openssl/+bug/965371/+subscriptions
>

--
Pablo Almeida
http://www.google.com/profiles/pabloalmeidaff9

Hey! After the update that introduced the workaround, my python program
(which uses mediafire) works again, even though the openssl command doesn't
yet.

2012/3/30 Colin Watson <cjwatson@canonical.com>

> I've uploaded upstream's suggested workaround for most of the problems
> here.  It isn't complete, and in particular it doesn't deal with the
> server in the bug description (see the Debian bug for a categorisation
> of the problems here), which is why I've left this bug open at a lowered
> importance.
>
> openssl (1.0.1-2ubuntu3) precise; urgency=low
>
>  * Temporarily work around TLS 1.2 failures as suggested by upstream
>    (LP #965371):
>    - Use client version when deciding whether to send supported signature
>      algorithms extension.
>    - Experimental workaround to large client hello issue: if
>      OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
>      only.
>    - Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
>    This fixes most of the reported problems, but does not fix the case of
>    servers that reject version numbers they don't support rather than
>    trying to negotiate a lower version (e.g. www.mediafire.com).
>
>  -- Colin Watson <cjwatson@ubuntu.com>  Fri, 30 Mar 2012 17:11:45 +0100
>
> ** Changed in: openssl (Ubuntu Precise)
>    Importance: High => Medium
>
> ** Changed in: openssl (Ubuntu Precise)
>        Status: Confirmed => Triaged
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/965371
>
> Title:
>  HTTPS requests fail on some sites on Ubuntu 12.04
>
> Status in OpenSSL cryptography and SSL/TLS toolkit:
>  Confirmed
> Status in “openssl” package in Ubuntu:
>   Triaged
> Status in “openssl” source package in Precise:
>   Triaged
> Status in “openssl” package in Debian:
>   New
>
> Bug description:
>  This week, HTTPS connections from a Python script I wrote started
>  giving me this error:
>
>  urllib2.URLError: <urlopen error [Errno 8] _ssl.c:497: EOF occurred in
>  violation of protocol>
>
>  This used to work up until some three days ago and still works on
>  other Ubuntu versions, but not in other Python versions on Precise. I
>  was suspecting this was a bug in Python, but a guy on AskUbuntu (
>  http://askubuntu.com/questions/116020/python-https-requests-urllib2
>  -to-some-sites-fail-on-ubuntu-12-04-without-proxy/116059#116059 )
>  found out this happens using the openssl command line tool too:
>
>  $ openssl s_client -connect www.mediafire.com:443
>
>  But succeeds if forcing TLS 1 with the -tls1 argument.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openssl/+bug/965371/+subscriptions
>

-- 
Pablo Almeida
http://www.google.com/profiles/pabloalmeidaff9

Ubuntuopenssl package

Comment 11 for bug 965371

Ubuntu
openssl package