SSL/TLS connection issue on FreeBSD 10.2

These are old archives. They are kept for historic purposes only.
Post Reply
Zero
Posts: 3
Joined: Fri Jan 08, 2016 8:37 pm

SSL/TLS connection issue on FreeBSD 10.2

Post by Zero » Fri Jan 08, 2016 8:58 pm

I have a FreeBSD 10.2p8 server running UnrealIRCD 3.2.5 compiled from ports with OpenSSL 1.0.1p-freebsd 9 Jul 2015 that seems to have trouble handling SSL connections from some clients.

From what I can tell, it gets hungup in the initial SSL handshake, specifically the server doesn't seem to respond to a ChangeCipherSpec request.

in doing some testing with openssl s_client this is what happens when it fails:

$ openssl version
OpenSSL 1.0.1j-freebsd 15 Oct 2014
$ openssl s_client -connect <hostname>:994 -msg
CONNECTED(00000004)
>>> TLS 1.2 Handshake [length 012e], ClientHello
<<< TLS 1.2 Handshake [length 003a], ServerHello
<<< TLS 1.2 Handshake [length 09d0], Certificate
<<< TLS 1.2 Handshake [length 002a], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0007], Certificate
>>> TLS 1.2 Handshake [length 0106], ClientKeyExchange
>>> TLS 1.2 ChangeCipherSpec [length 0001]
>>> TLS 1.2 Handshake [length 0010], Finished
(hang until timeout)
34379245432:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:184:

From the same client, I get the result even if I try a different tls/ssl version. Of note is that if I try from an OS X client with a much older version of openssl, it seems to work (and also seems to use the SSL 2.0 handshake init:

$ openssl version
OpenSSL 0.9.8zg 14 July 2015
$ openssl s_client -connect <hostname>:6697 -msg
CONNECTED(00000003)
>>> SSL 2.0 [length 0080], CLIENT-HELLO
<<< TLS 1.0 Handshake [length 0031], ServerHello
<<< TLS 1.0 Handshake [length 09d0], Certificate
<<< TLS 1.0 Handshake [length 000a], CertificateRequest
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 0007], Certificate
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
>>> TLS 1.0 ChangeCipherSpec [length 0001]
>>> TLS 1.0 Handshake [length 0010], Finished
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
...
:<hostname> NOTICE AUTH :*** Looking up your hostname...

Syzop
UnrealIRCd head coder
Posts: 1882
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: SSL/TLS connection issue on FreeBSD 10.2

Post by Syzop » Sun Jan 10, 2016 5:30 pm

I don't fully recall such an issue, but then again UnrealIRCd 3.2.5 is nearly 10 years old. Several SSL/TLS related issues have been fixed since then, that I do recall. More important, several stability and security fixes have been incorporated. It would be very unwise to run version 3.2.5.

You better upgrade to the latest version, which for the 3.2.x series is 3.2.10.6 at time of writing.

Or, if you are setting up a new IRCd then I suggest UnrealIRCd 4, since support for the 3.2.x series will be dropped 1 year from now.

On a side note, the port you are using, 994, is indeed the IANA asigned IRC over SSL port. It should be noted however that in practice this port is rarely used. In practice port 6667 is used for IRC, and 6697 for IRC+SSL (see also RFC7194).

Zero
Posts: 3
Joined: Fri Jan 08, 2016 8:37 pm

Re: SSL/TLS connection issue on FreeBSD 10.2

Post by Zero » Mon Jan 11, 2016 3:36 pm

fwiw, I don't think there is an issue with Unrealircd itself. We have it running successfully at the same version level on an older 8.2 FreeBSD box with an older version of openssl. I downloaded and installed 3.2.10.6 directly from the site and that version still had the same problem on this new host. I would move us to 4 now, except there are other servers still running 3.2.10.5 that I don't have control over that will need to have a major upgrade coordinated with.

I think my next steps will be to try to see if there is a different version of openssl that I can install that will make it work. I will try installing 4 too.

Syzop
UnrealIRCd head coder
Posts: 1882
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: SSL/TLS connection issue on FreeBSD 10.2

Post by Syzop » Wed Jan 13, 2016 12:46 pm

I just looked again at your exact pastes... makes me wonder, is there a real issue?
In the BAD case you say it "hangs until timeout" but.. do you actually send something? It may not hang at all, just waiting for your input. It will close the connection after 30 seconds or so, this is normal. Try sending something, like: VERSION (+ enter).

For your information, the NOTICE AUTH stuff you are seeing in the GOOD case is entirely optional. It is only shown if you enable this via set::options::show-connect-info. It is not mandatory and not important.

Zero
Posts: 3
Joined: Fri Jan 08, 2016 8:37 pm

Re: SSL/TLS connection issue on FreeBSD 10.2

Post by Zero » Fri Jan 15, 2016 10:58 pm

The timeout is in the middle of the ssl handshake -- it never completes so I'm not getting a chance to even provide 'user' input. I strongly suspect it is some kind of issue in the interaction with unrealircd and the newer openssl -- as you point out, we are using a 10 year old version of unreal This week has been busy, but I'm going to try installing 4.0 from source this weekend to see if that fixes it.

Post Reply