Thursday, June 06, 2019

Re: SSL_ERROR_DECODE_ERROR_ALERT in Fedora 30 Firefox when connecting to some OpenBSD servers

Stuart Henderson писал 2019-06-05 17:10:
> On 2019-06-05, Frank Groeneveld <frank@frankgroeneveld.nl> wrote:
>> On Wed, Jun 5, 2019, at 08:07, Frank Groeneveld wrote:
>>> After updating to Firefox 67.0 on Fedora 30 it seems some OpenBSD
>>> servers cannot be reached over HTTPS anymore. The error produced is
>>> SSL_ERROR_DECODE_ERROR_ALERT. I get this with some of my own servers,
>>> but also with https://cvsweb.openbsd.org/
>>> Anybody know what is going on? Chromium and openssl s_client on the
>>> same system works fine and the same Firefox version in Ubuntu, Mac OS
>>> and Windows don't have this problem.
>>>
>>> Thanks in advance.
>>
>> Sorry for the noise, apparently there is a bug in the Fedora side when
>> connecting with newer versions of LibreSSL. Related bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1713777
>
> The bug is server-side not client, looks like it would have been
> introduced
> around January, and fixed in lib/libssl/ssl_tlsext.c r1.49
>
> ----------------------------
> revision 1.49
> date: 2019/05/29 17:28:37; author: jsing; state: Exp; lines: +2 -5;
> commitid: DLpHk0vyoFEK0Baa;
> Relax parsing of TLS key share extensions on the server.
>
> The RFC does not require X25519 and it also allows clients to send an
> empty
> key share when the want the server to select a group. The current
> behaviour
> results in handshake failures where the client supports TLS 1.3 and
> sends a
> TLS key share extension that does not contain X25519.
>
> Issue reported by Hubert Kario via github.
>
> ok tb@
> ----------------------------

Excuse me, can this issue also break dovecot and latest thunderbird?
With the latest thunderbird 60.7.0 (on fedora) my dovecot (and
opensmtpd) suddenly refuse to log me in.
Dovecot shows something like this in logs:

TLS handshaking: SSL_accept() failed: error:140270E3:SSL
routines:ACCEPT_SR_CLNT_HELLO_C:parse tlsext

I found workarond for this, by switching from "STARTTLS" to SLL/TLS for
imap. But OpenSMTPD still not working.
As I said, this behavior appeared in latest thunderbird 60.7.0. Older
versions of thunderbird work.

No comments:

Post a Comment