Weird SSL problems

Posted: Wed Jun 01, 2005 2:39 pm
by paul.smith
Hi,

To begin with, yes I searched the forum and I have RTFM'd ;-)
Have been running UnrealIRCd for quite some time now and it runs smoothly, no problems so far. As of OpenSSL version 0.9.7e the problems started. I found this out only recently. I have a good running 3.2.3 which is stable, but if I run it with OpenSSL then I constantly get:
SSL_accept(): internal openssl or protocol error. In non-SSL connections all works fine, but with OpenSSL 0.9.7e and up it's nothing but trouble. 0.9.7d works fine (the same problem is with older versions of Unreal as well). I even went through the sources to try to solve this issue myself, but no results so far. Can anyone throw me a few pointers to what might have changed? Seems all other apps work fine with the new OpenSSL libs (0.9.7g atm).

Thx for your attention...

Posted: Wed Jun 01, 2005 3:22 pm
by Dukat
If you update OpenSSL on your system, you have to recompile UnrealIRCd...

Posted: Wed Jun 01, 2005 6:07 pm
by paul.smith
I know, it tells you loud and clear if you don't ;-) Sorry, I forgot to mention that; Unreal has been recompiled for all the versions of OpenSSL I tested with. Thx for the tip tho.

Posted: Wed Jun 01, 2005 6:27 pm
by Dukat
What's the exact error you get? It isn't this one I guess?
http://www.vulnscan.org/UnrealIrcd/faq/#65

Posted: Wed Jun 01, 2005 6:30 pm
by r3mbr4ndt
I have compiled Unreal with all of the versions of OpenSSL you listed and they all work fine for me :?

Exact error messages

Posted: Wed Jun 01, 2005 8:12 pm
by paul.smith
-***- Exiting ssl client [@192.168.1.3.2104]: SSL_accept(): Internal OpenSSL error or protocol error

It happens at connection; an unencrypted connection works flawlessly. I made sure both versions of the mIRC DLLs and OpenSSL on my Linux (Gentoo hardened) system match, and that Unreal is compiled against this version (0.9.7g). Atm I'm digging through the sources of OpenSSL looking for answers, but that would be out of the scope of this forum. The reason I pose the question here though is that all other apps (OpenSSH, lftp, irssi, and a bunch of others) work perfectly. Currently I'm looking at different return codes from OpenSSL functions or whatever. What I'm trying to do for now is locate where the problem lies. If the outcome is that it's OpenSSL related, I'll go over there immediately and put the topic there.

For now I tried to compile OpenSSL with no-asm (./Configure) to see if the culprit is some faulty assembly code. Kinda shows I think how desperately I'm looking for the answer ;-)

A packet dump of the initial phase shows that not even a key exchange is initiated. It stalls at the first "HELO a" exchange.

I really hope to find a solution guys, sorry for all the headaches I'm causing you...

Posted: Wed Jun 01, 2005 8:36 pm
by Stealth
http://www.vulnscan.org/UnrealIrcd/faq/#65

Like the FAQ says, it is nothing to worry about, just

/mode yournick +s -j

Posted: Wed Jun 01, 2005 9:10 pm
by paul.smith
Errm, did you read what the issue really is? The issue is trying to connect to a server with OpenSSL in it. The server has 2 listeners, 1 unencrypted, 1 with SSL. I can't connect to the SSL one since OpenSSL 0.9.7e (d works). I'm not some noob who doesn't know about snomasks. It's a connectivity issue I'm trying to get resolved here. I'm not wanking about some snomasks here... so PLS read this thread carefully b4 referencing the FAQ; I have read it more than once, same for the forums (where I saw the same answer "read the FAQ"), and manuals. If it were that easy I wouldn't come forward with this problem here.

Don't feel offended, I'm having a possible REAL problem or bug here, not some wrongly set snomask. Pls read the thread carefully. I can't get any more detailed than this unless of course you want me to post a lengthy SSL packet dump (which is out of the scope here).

Posted: Thu Jun 02, 2005 7:22 am
by Dukat
Sorry Paul, but you NEVER said ANYTHING about linking servers. No one could know that - even by reading the thread carefully... :P
You were even talking about clients (mirc dlls?)... :evil:

Stupid question... but... are you using the correct port when linking?

Posted: Thu Jun 02, 2005 10:00 pm
by paul.smith
Nope, I'm not linking 2 servers. Again... I have:

1 Standalone Server with 2 ports for clients

Port A: SSL (7000)
Port B: NO SSL (6667)

Both ports lead to the same server. There is no linking with other servers; it's a standalone IRCd.

Then the client I have:

mIRC client on doze box

Problem:

1) mIRC CANNOT connect to port 7000, but mIRC CAN connect to 6667, when I use OpenSSL 0.9.7e or later.

2) mIRC CAN connect to port 7000, AND mIRC CAN connect to 6667, when I use OpenSSL 0.9.7d or earlier.

I hope this clears things up a bit ;-) Thx for your replies tho.

Posted: Thu Jun 02, 2005 10:13 pm
by r3mbr4ndt
Where did you get the libeay32.dll and ssleay32.dll from because I've seen different builds of those dlls work for some programs and not others. If you haven't, you may want to try getting those files from a different source and replace the ones in the mIRC directory.

Posted: Thu Jun 02, 2005 10:18 pm
by Stealth
I have noticed that with OpenSSL 0.9.7e and later, mIRC will not work if the DLLs are installed to BOTH the OS and the mIRC directory.

With 0.9.7e or newer, restart mIRC and type this before connecting anywhere:

//echo -s $sslready

If the result is $true, then there was no problem with mIRC loading the SSL DLLs. If you get an error or $false, mIRC did not correctly load the SSL DLLs.

Posted: Thu Jun 02, 2005 10:37 pm
by paul.smith
I tried what you said and indeed it shows $true. The mIRC client seems to load correctly; I checked to make sure all versions on the doze box are the same.

Still the connection problem remains. But the fact you mention 0.9.7e also, where did you get this info? It might as well give me the pointers to look for to solve this problem.

Another extra explanation:

- mIRC (0.9.7g or earlier) -> IRCd (0.9.7d and earlier) works
- mIRC (0.9.7g or earlier) -> IRCd (0.9.7e and later) fails

Thx much for the info, problem is not resolved (yet) but now we are getting somewhere :)

Additional info

Posted: Thu Jun 02, 2005 11:05 pm
by paul.smith
I ran this against the SSL port on 0.9.7d and 0.9.7g:

openssl s_client -connect 192.168.1.1:7000 -state > /097d.log 2>&1
(worked as expected)

openssl s_client -connect 192.168.1.1:7000 -state > /097g.log 2>&1
(did not work, since it uses 0.9.7g)

Here is the dump of the working connection (097d.log):

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /OU=IRCd
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IRCd
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=IRCd
   i:/OU=IRCd
---
Server certificate
-----BEGIN CERTIFICATE-----
<<< SNIP >>>
-----END CERTIFICATE-----
subject=/OU=IRCd
issuer=/OU=IRCd
---
No client certificate CA names sent
---
SSL handshake has read 651 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 6DCEE673E06E9DC5AFCAB702EED591A0340252361EEA78614A2CB4170970EAA
    Key-Arg   : None
    Start Time: 1117752959
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
And here is the non-working log (097g.log):

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
18654:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
CONNECTED(00000003)

In the ircd this shows up as:

[00:56] -dvlp.private.ircd- Exiting ssl client [@192.168.1.3.34338]: SSL_accept(): Internal OpenSSL error or protocol error

Hope this helps ....
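
An added helper (not from this thread, UnrealIRCd or OpenSSL) that reduces an `openssl s_client -state` transcript like the two above to the handshake states reached, the state that failed, the OpenSSL error tuple, the negotiated cipher and the certificate verify code, so that runs against different library versions can be compared line by line instead of by eye. The embedded transcripts are constructed, abridged copies of the 097d.log and 097g.log output posted above.

```python
import re

# Constructed samples: abridged copies of the thread's 097d.log (working)
# and 097g.log (failing) `openssl s_client -state` transcripts.
WORKING_LOG = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
verify error:num=18:self signed certificate
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Verify return code: 18 (self signed certificate)
"""
FAILING_LOG = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
18654:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
CONNECTED(00000003)
"""

STATE_RE = re.compile(r"^SSL_connect:(failed in )?(.+)$")
# OpenSSL error strings look like <pid>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")
CIPHER_RE = re.compile(r"^New, (\S+), Cipher is (\S+)")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")

def triage(log):
    """Reduce one `openssl s_client -state` transcript to the facts that matter."""
    r = {"states": [], "failed_state": None, "errors": [],
         "cipher": None, "verify_code": None}
    for line in log.splitlines():
        if (m := STATE_RE.match(line)):
            r["states"].append(m.group(2))          # state names in order reached
            if m.group(1):                          # "failed in <state>"
                r["failed_state"] = m.group(2)
        elif (m := ERR_RE.search(line)):
            r["errors"].append({"code": m.group(1), "func": m.group(3), "reason": m.group(4)})
        elif (m := CIPHER_RE.match(line)) and m.group(2) != "(NONE)":
            r["cipher"] = m.group(2)                # "(NONE)" means no session was set up
        elif (m := VERIFY_RE.search(line)):
            r["verify_code"] = int(m.group(1))      # 18 = self signed certificate
    r["handshake_complete"] = r["cipher"] is not None and r["failed_state"] is None
    return r

if __name__ == "__main__":
    for name, log in (("097d", WORKING_LOG), ("097g", FAILING_LOG)):
        print(name, triage(log))
```

Run over the two transcripts, the output shows that they already differ at the second state line (an SSLv2/v3-compatible client hello versus a plain SSLv3 one) and that the 0.9.7g run fails at "SSLv3 read server hello A", the point where the server side logs its SSL_accept() error. The verify return code 18 is kept in the result because a self-signed server certificate accepted without error is worth seeing in any handshake triage.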

Posted: Thu Jun 02, 2005 11:20 pm
by Stealth
The info was found by myself about 0.9.7e... I am unsure if it is the same with any other version before 0.9.7e and mIRC. I found this out one night at school, where I have my own hard drive there, and mIRC installed on a flash drive. I had the OpenSSL DLLs in the directory on the flash drive, and also the same version of OpenSSL installed (with the installer in the link in the mIRC help file) on the hard drive with Windows 2000. When I ran mIRC, it failed to load OpenSSL when it had been installed in both places, but worked fine when I removed the DLLs from the directory on the flash drive. I don't know how useful that info is to you... but it may be useful to someone.