From nobody@FreeBSD.org  Thu Mar  7 07:37:54 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id 4446EFF8
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Mar 2013 07:37:54 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 1DC3660F
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Mar 2013 07:37:54 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r277br4K076713
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 7 Mar 2013 07:37:53 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r277brU2076712;
	Thu, 7 Mar 2013 07:37:53 GMT
	(envelope-from nobody)
Message-Id: <201303070737.r277brU2076712@red.freebsd.org>
Date: Thu, 7 Mar 2013 07:37:53 GMT
From: Johannes Meixner <xmj@chaot.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         176722
>Category:       kern
>Synopsis:       [openssl] OpenSSL 1.0.1e fails to fallback to TLS1 if the server doesn't allow for anything else
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    benl
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 07 07:40:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Wed Mar 27 01:55:05 UTC 2013
>Originator:     Johannes Meixner
>Release:        10.0-CURRENT
>Organization:
>Environment:
FreeBSD xmj.local 10.0-CURRENT FreeBSD 10.0-CURRENT #2 r247490M: Fri Mar  1 19:16:27 EET 2013     root@xmj.local:/usr/obj/usr/src/sys/xmj  amd64
>Description:
Error first described by Pablo Almeida on 
https://bugs.launchpad.net/openssl/+bug/965371/

--
when trying to
`openssl s_client -showcerts -connect coremis-cas.myocean.eu:443'
OpenSSL 1.0.1e (11 Feb 13 from ports) doesn't fall back (as it does for
0.9.8x 10 May 2012) to TLS1

and, instead of showing certs, gives


CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


However, when forcing s_client to use -tls1, the result is as expected,
returning the site's certificates. 

Why doesn't openssl notice it can't use any other method but TLS1 -- and
fall back to that one, as in previous versions?
>How-To-Repeat:
Run `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443'
on OpenSSL 1.0.1e

versus

openssl s_client -showcerts -tls1 -connect coremis-cas.myocean.eu:443
>Fix:


>Release-Note:
>Audit-Trail:

From: "Johannes Meixner" <johannes@meixner.or.at>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/176722: OpenSSL 1.0.1e fails to fallback to TLS1 if the server
 doesn't allow for anything else
Date: Thu,  7 Mar 2013 10:34:38 +0100 (CET)

 The bug I'm experiencing seems related to the one mentioned upstream at 
 
 http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
 
 
 Johannes Meixner
 http://www.meixner.or.at
 
 
 
 
Responsible-Changed-From-To: freebsd-bugs->jkim 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Mar 10 02:52:57 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176722 
Responsible-Changed-From-To: jkim->benl 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Mar 27 01:53:45 UTC 2013 
Responsible-Changed-Why:  
Over to new openssl maintainer. 

Requested by:	jkim 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176722 
>Unformatted:
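The How-To-Repeat comparison as a script, extended from the report's two runs to each protocol flag. This is an added example, not part of the original report or of OpenSSL. The function names are hypothetical, and the embedded sample is abridged from the s_client output quoted in the Description.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output the way the report reads it.
# Function names are hypothetical; HOST and PORT come from the command line.

# classify_s_client: read s_client output on stdin, print one verdict:
#   ok:<cipher>   a cipher was negotiated, so the handshake completed
#   no-handshake  TCP connected, but nothing came back after the ClientHello
#   failed        anything else (refused connection, alert, ...)
classify_s_client() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo "ok:$cipher"
    elif printf '%s\n' "$out" | grep -q '^SSL handshake has read 0 bytes'; then
        echo "no-handshake"
    else
        echo "failed"
    fi
}

# probe_versions HOST [PORT]: run s_client once per protocol flag.
# The empty flag is the default negotiation that fails in the report.
probe_versions() {
    host=$1; port=${2:-443}
    for flag in "" -tls1 -tls1_1 -tls1_2; do
        # $flag is left unquoted on purpose so the empty case adds no argument.
        verdict=$(openssl s_client $flag -connect "$host:$port" </dev/null 2>&1 | classify_s_client)
        printf '%-10s %s\n' "${flag:-default}" "$verdict"
    done
}

# Abridged copy of the failing output quoted in the Description.
report_output() {
    cat <<'EOF'
CONNECTED(00000004)
no peer certificate available
SSL handshake has read 0 bytes and written 319 bytes
New, (NONE), Cipher is (NONE)
EOF
}

if [ "$#" -ge 1 ]; then
    probe_versions "$@"
else
    report_output | classify_s_client
fi
```

A server that yields `no-handshake` for the default run but `ok:` for `-tls1` shows the same pattern as the report: it does not answer the newer ClientHello at all, rather than rejecting it with an alert.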
