OpenSSL SSL_connect: SSL_ERROR_SYSCALL #9566
Comments
Hi, |
Hi, |
It's not a real bug. DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no DTLS: no SSL Error: 5 |
Hi, Openssl-1.1.1c does not have support for CBC: The server is out of our access, then the solution is client support. |
You need to configure OpenSSL with “enable-weak-ssl-ciphers”.
CBC mode is bad for HTTPS traffic, tell the server they need to upgrade. A good article on this is at https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/ |
Hi,
Thank you.
I will try.
Best regards
Ranier Vilela
…________________________________________
From: Rich Salz <notifications@github.com>
Sent: Monday, 19 August 2019 19:06
To: openssl/openssl
Cc: raniervf; Comment
Subject: Re: [openssl/openssl] OpenSSL SSL_connect: SSL_ERROR_SYSCALL (#9566)
You need to configure OpenSSL with “enable-weak-ssl-ciphers”
CBC mode is bad for HTTPS traffic, tell the server they need to upgrade. A good article on this is at https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
|
Hi
Openssl-1.1.1c configured with enable-weak-ssl-ciphers:
openssl ciphers -s
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Does not enable any CBC ciphers.
Best regards,
Ranier Vilela
…________________________________________
From: Ranier VF <ranier_gyn@hotmail.com>
Sent: Monday, 19 August 2019 20:49
To: openssl/openssl
Subject: RE: [openssl/openssl] OpenSSL SSL_connect: SSL_ERROR_SYSCALL (#9566)
Hi,
Thank you.
I will try.
Best regards
Ranier Vilela
|
Try using ALL not DEFAULT. |
Openssl-11.1.c has TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 support.
I believe that is the cause of the error.
|
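Added example, not part of the thread or of OpenSSL's code: OpenSSL's own names for TLS 1.2 CBC suites do not contain the string "CBC" (the mode is implicit unless GCM or CHACHA20 appears), so this sketch maps the `openssl ciphers -s` output quoted above to IANA names and splits it by mode. The helper names `iana_name` and `split_by_mode` are hypothetical, and the mapping covers only the AES and ChaCha20 suites in that list.

```python
import re

# The `openssl ciphers -s` output quoted in the thread above, split for readability.
CIPHER_LIST = ":".join([
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA",
])

_AES = re.compile(r"^(?:(ECDHE|DHE)-(ECDSA|RSA)-)?AES(128|256)(-GCM)?-(SHA(?:256|384)?)$")
_CHACHA = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-CHACHA20-POLY1305$")

def iana_name(openssl_name):
    """Map an OpenSSL AES/ChaCha20 suite name to its IANA name; None if not covered."""
    if openssl_name.startswith("TLS_"):        # TLS 1.3 suites already use IANA names
        return openssl_name
    m = _CHACHA.match(openssl_name)
    if m:
        return "TLS_%s_%s_WITH_CHACHA20_POLY1305_SHA256" % m.groups()
    m = _AES.match(openssl_name)
    if not m:
        return None
    kx, auth, bits, gcm, mac = m.groups()
    prefix = "TLS_%s_%s" % (kx, auth) if kx else "TLS_RSA"  # no prefix = RSA key exchange
    mode = "GCM" if gcm else "CBC"             # OpenSSL leaves "CBC" implicit in the name
    return "%s_WITH_AES_%s_%s_%s" % (prefix, bits, mode, mac)

def split_by_mode(cipher_list):
    """Return (aead, cbc, unknown) lists of (openssl_name, iana_name) pairs."""
    aead, cbc, unknown = [], [], []
    for name in cipher_list.split(":"):
        iana = iana_name(name)
        if iana is None:
            unknown.append((name, None))
        elif "_CBC_" in iana:
            cbc.append((name, iana))
        else:
            aead.append((name, iana))
    return aead, cbc, unknown

if __name__ == "__main__":
    aead, cbc, unknown = split_by_mode(CIPHER_LIST)
    print("AEAD: %d  CBC: %d  unmapped: %d" % (len(aead), len(cbc), len(unknown)))
    for openssl_name, iana in cbc:
        print("%-28s %s" % (openssl_name, iana))
```

On a system with OpenSSL 1.1.1, `openssl ciphers -stdname` prints the same IANA-to-OpenSSL name correspondence directly.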
Is this still an issue? |
Solved with @SECLEVEL=0. |
For some reason, when accessing a site load balanced with GKE on Opensuse Tumbleweed, the site doesn't load. I have tested this on other devices, each running older versions of openssl, and it seems to work fine. Ironically, it works without www. but adding www. it fails to load.
Running the following commands gave me the impression it is something to do with openssl
This works fine but
gives the following;
I have tested it on Android Devices, Ubuntu Devices, OpenSuse Devices, iPhones and several different online services that test a website's availability. All devices that I can get the openssl version for that work are using an earlier version of OpenSSL.
The only device that the test failed on was my OpenSuse Tumbleweed Laptop running version OpenSSL 1.1.1c 28 May 2019
I have tested if it was the browser by using chromium, chrome, chrome-unstable and firefox; they all failed, which made me try the curl command instead.