Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR #87957

Open
tiran opened this issue Apr 9, 2021 · 4 comments
Open
Assignees
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Apr 9, 2021

BPO 43791
Nosy @tiran, @miss-islington
PRs
  • [3.9] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) #25307
  • [3.8] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) #25308
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = None
    created_at = <Date 2021-04-09.13:08:57.214>
    labels = ['expert-SSL', 'type-bug', '3.8', '3.9', '3.10']
    title = 'OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR'
    updated_at = <Date 2021-04-09.14:02:12.953>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-04-09.14:02:12.953>
    actor = 'miss-islington'
    assignee = 'christian.heimes'
    closed = False
    closed_date = None
    closer = None
    components = ['SSL']
    creation = <Date 2021-04-09.13:08:57.214>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 43791
    keywords = ['patch']
    message_count = 3.0
    messages = ['390618', '390623', '390629']
    nosy_count = 2.0
    nosy_names = ['christian.heimes', 'miss-islington']
    pr_nums = ['25307', '25308']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue43791'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

    @tiran
    Copy link
    Member Author

    tiran commented Apr 9, 2021

    With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are failing handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error". OpenSSL is configured with default security level "1". Tests are only passing with @SECLEVEL=0.

    I think the security default callback refuses NID_sha1 and NID_sha1_md5 SSL_SECOP_SIGALG_SUPPORTED because their security bits are lower than minimum of 80 bits.

    ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=67, nid=114, other=0x7fffe8ab194a, ex=0x0) at ssl/ssl_cert.c:969
    ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=64, nid=64, other=0x7fffe8ab188a, ex=0x0) at ssl/ssl_cert.c:969

    #0 tls_choose_sigalg (s=0x7fffdc001840, fatalerrs=1) at ssl/t1_lib.c:3307
    #1 0x00007fffe9cb00f4 in tls_post_process_client_hello (s=0x7fffdc001840, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2223
    #2 0x00007fffe9cad560 in ossl_statem_server_post_process_message (s=0x7fffdc001840, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236
    #3 0x00007fffe9c97e3d in read_state_machine (s=0x7fffdc001840) at ssl/statem/statem.c:670
    #4 0x00007fffe9c97723 in state_machine (s=0x7fffdc001840, server=1) at ssl/statem/statem.c:442
    #5 0x00007fffe9c971db in ossl_statem_accept (s=0x7fffdc001840) at ssl/statem/statem.c:270
    #6 0x00007fffe9c5f5ac in SSL_do_handshake (s=0x7fffdc001840) at ssl/ssl_lib.c:3852

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }

    @tiran tiran added 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes labels Apr 9, 2021
    @tiran tiran self-assigned this Apr 9, 2021
    @tiran tiran added topic-SSL type-bug An unexpected behavior, bug, or error 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes labels Apr 9, 2021
    @tiran tiran self-assigned this Apr 9, 2021
    @tiran tiran added topic-SSL type-bug An unexpected behavior, bug, or error labels Apr 9, 2021
    @tiran
    Copy link
    Member Author

    tiran commented Apr 9, 2021

    #25304 is merged PR to master.

    @miss-islington
    Copy link
    Contributor

    New changeset 4e710d1 by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) (GH-25308)
    4e710d1

    @moha-abdi
    Copy link

    Hello, its sill happening to me although i am using OpenSSL 3.1.1 version. It seems to be an issue onlyy for linux distros as it works for me on windows with the same version. any help?

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes topic-SSL type-bug An unexpected behavior, bug, or error
    Projects
    Status: Todo
    Development

    No branches or pull requests

    3 participants