close
Comments you submit will be routed for moderation. If you have an account, please log in first.
Modify

Opened 6 months ago

Closed 5 months ago

Last modified 5 months ago

#559 closed bug (fixed)

Couldn't initialize TLSv1/SSLv3 session with host 'mx.freenet.de'

Reported by: Andreas Wolf <pegasos.morphos@…> Owned by: damato
Priority: high Milestone: YAM 2.10
Component: foreign component Version: nightly build
Severity: major Keywords:
Cc: OS Platform: All
Blocked By: Blocking:
Release Notes:

Description

Steps to reproduce

  1. Start YAM
  2. Click 'Get'

Expected results

Download of new mail

Actual results

Error message:
"Couldn't initialize TLSv1/SSLv3 session with host 'mx.freenet.de' of account 'xxx'."

Notes

See attached debug log and TCP/IP settings screenshot

Attachments (2)

yam_netdebug.txt (5.3 KB) - added by Andreas Wolf <pegasos.morphos@…> 6 months ago.
debug log with 'net' option
tcpip_settings.png (94.4 KB) - added by Andreas Wolf <pegasos.morphos@…> 6 months ago.
TCP/IP settings

Download all attachments as: .zip

Change History (13)

Changed 6 months ago by Andreas Wolf <pegasos.morphos@…>

debug log with 'net' option

Changed 6 months ago by Andreas Wolf <pegasos.morphos@…>

TCP/IP settings

comment:1 follow-ups: Changed 6 months ago by tboeckel

Es scheitert an einem nicht unterstützten message digest:

01:E: ssl.c:876:ERR_get_error()=218665121 stack: 'error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm'
01:E: ssl.c:876:ERR_get_error()=336134278 stack: 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

Dummerweise scheint AmiSSL keine genaueren Angaben machen zu können was genau da nicht unterstützt wird. Ich gehe mal davon aus, daß du das aktuellste resource/certificates/ca-bundle.crt installiert hast.

comment:2 in reply to: ↑ 1 ; follow-up: Changed 6 months ago by damato

  • Component changed from TCP/IP interface to foreign component
  • Milestone set to YAM 2.10
  • OS Platform changed from MorphOS to All
  • Owner set to damato
  • Priority changed from undecided to high
  • Status changed from new to assigned

Replying to tboeckel:

Es scheitert an einem nicht unterstützten message digest:

01:E: ssl.c:876:ERR_get_error()=218665121 stack: 'error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm'
01:E: ssl.c:876:ERR_get_error()=336134278 stack: 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

Dummerweise scheint AmiSSL keine genaueren Angaben machen zu können was genau da nicht unterstützt wird. Ich gehe mal davon aus, daß du das aktuellste resource/certificates/ca-bundle.crt installiert hast.

This link here seems to explain the reason for the problem:

http://www.tbs-certificates.co.uk/FAQ/en/old_openssl_sha256.html

It seems that the old OpenSSL version (0.9.7) which the latest official AmiSSL version is based on is the reason for that. the SHA256 digest seems to be supported in 0.9.8+ of OpenSSL. Thus the error message. Luckily I am currently working on porting newer OpenSSL versions to AmiSSL. However, this will still take some time. But I think during the next months I will have a newer AmiSSL version ready which will the support SHA256 as well.

So sorry, there is currently nothing we can do about that. However, I will keep that ticket open for the time being until the newer AmiSSL version is released so that you can test it accordingly.

comment:3 follow-up: Changed 6 months ago by damato

Let me add the following technical details after having investigated the issue further:

The line

ssl.c:106:ssl: verify callback @ 1 => 7:'certificate signature failure'

in your debug log corresponds to the X509_V_ERR_CERT_SIGNATURE_FAILURE error code returned by X509_STORE_CTX_get_error() in source:/trunk/src/tcp/ssl.c@7847#L102. So in principle we could catch that error case and put up a requester (or enhancing the certificate warning requester) that notifies users of that error and potentially allow to continue the connection even that the server certificate couldn't be verified. The question, however, remains if we should do that or if this would impose any security problems because I currently don't know what other cases of the X509_V_ERR_CERT_SIGNATURE_FAILURE error are in OpenSSL. This definitely needs more investigation, thought.

comment:4 in reply to: ↑ 1 Changed 6 months ago by Andreas Wolf <pegasos.morphos@…>

Ich gehe mal davon aus, daß du das aktuellste resource/certificates/ca-bundle.crt installiert hast.

Ja, "Certificate data from Mozilla as of: Tue Jan 28 09:38:07 2014", Dateigröße: 244954 Bytes.

comment:5 in reply to: ↑ 2 Changed 6 months ago by Andreas Wolf <pegasos.morphos@…>

Luckily I am currently working on porting newer OpenSSL versions to AmiSSL. However, this will still take some time. But I think during the next months I will have a newer AmiSSL version ready which will the support SHA256 as well.

Thanks. I am looking forward to it.

I will keep that ticket open for the time being until the newer AmiSSL version is released so that you can test it accordingly.

Thanks.

comment:6 in reply to: ↑ 3 Changed 6 months ago by Andreas Wolf <pegasos.morphos@…>

So in principle we could catch that error case and put up a requester (or enhancing the certificate warning requester) that notifies users of that error and potentially allow to continue the connection even that the server certificate couldn't be verified. The question, however, remains if we should do that or if this would impose any security problems

Out of pure self interest I'd opt for doing that, of course, so that I (and all others with a Freenet mail account, I suppose) can use YAM again for mail*. I kind of understand the implications such a compromise would entail, though.

*) It stopped working around April 28th. That was obviously when Freenet changed to SHA256 digest after some weeks of reverting to unencrpyted connections again in the aftermath of the Heartbleed disclosure in early April (that's my explanation for this at least, I didn't find any statement from Freenet). Some months before that, Freenet had changed to mandatory encryption in the aftermath of the NSA surveillance disclosures, which worked well with YAM.

comment:7 Changed 5 months ago by damato

In 7976:

  • YAM.c: slightly changed the OpenSSL/AmiSSL initialization and added a call to OpenSSL_add_all_algorithms(). This hopefully improves verbosity of error output and perhaps improves cipher/digest handling. This refs #530 and #559.

comment:8 Changed 5 months ago by damato

  • Resolution set to fixed
  • Status changed from assigned to closed

In 7977:

  • tcp/ssl.c, Requesters.c: the SSL certificate check now also catches cases where the certificate signature was found to be invalid which was otherwise throwing a connection error immediately. This case recently happens for connections to servers which use certifcates with SHA256-based signatures which are not supported by the latest AmiSSL 3.6 version. Now a user is warned instead about these invalid signatures and can continue the connection if he still believes he is trusting the server. This closes #559.

comment:9 follow-up: Changed 5 months ago by damato

As noted by the latest change to this ticket, the issue should be fixed/worked-around now. So please try with the next nightly build and see if you are now able to connect to mx.freenet.de. Please reopen this ticket if you still have problems with connecting to it.

comment:10 Changed 5 months ago by damato

In 8002:

  • tcp/ssl.c: Now all possible X509_V_ERR_#? error defines are catched in our certificate verification routines. This should make sure that we don't have any uncritical case which otherwise would cause YAM to abort the connection initialization. This refs #559.

comment:11 in reply to: ↑ 9 Changed 5 months ago by Andreas Wolf <pegasos.morphos@…>

the issue should be fixed/worked-around now. So please try with the next nightly build and see if you are now able to connect to mx.freenet.de.

Fetching mail from the server works fine now. Thanks :-)

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.

This list contains all users that will be notified about changes made to this ticket.

These roles will be notified: Reporter, Owner, Subscriber

  • Andreas Wolf(Reporter, Participant)
  • Jens Maus(Owner, Participant)