OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR #87957

Open
tiran opened this issue Apr 9, 2021 · 3 comments
Labels: 3.8 3.9 3.10 expert-SSL type-bug

@tiran tiran commented Apr 9, 2021

BPO 43791
Nosy @tiran, @miss-islington
PRs
  • #25307
  • #25308
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = None
    created_at = <Date 2021-04-09.13:08:57.214>
    labels = ['expert-SSL', 'type-bug', '3.8', '3.9', '3.10']
    title = 'OpenSSL 3.0.0: TLS 1.0 / 1.1 connections fail with TLSV1_ALERT_INTERNAL_ERROR'
    updated_at = <Date 2021-04-09.14:02:12.953>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-04-09.14:02:12.953>
    actor = 'miss-islington'
    assignee = 'christian.heimes'
    closed = False
    closed_date = None
    closer = None
    components = ['SSL']
    creation = <Date 2021-04-09.13:08:57.214>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 43791
    keywords = ['patch']
    message_count = 3.0
    messages = ['390618', '390623', '390629']
    nosy_count = 2.0
    nosy_names = ['christian.heimes', 'miss-islington']
    pr_nums = ['25307', '25308']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue43791'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

    @tiran tiran commented Apr 9, 2021

    With OpenSSL 3.0.0-alpha14 several tests for TLS 1.0 and 1.1 connections are failing the handshake with "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error". OpenSSL is configured with default security level "1". Tests are only passing with @SECLEVEL=0.

    I think the security default callback refuses NID_sha1 and NID_sha1_md5 SSL_SECOP_SIGALG_SUPPORTED because their security bits are lower than the minimum of 80 bits.

    ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=67, nid=114, other=0x7fffe8ab194a, ex=0x0) at ssl/ssl_cert.c:969
    ssl_security_default_callback (s=0x7fffdc001840, ctx=0x0, op=327691, bits=64, nid=64, other=0x7fffe8ab188a, ex=0x0) at ssl/ssl_cert.c:969

    #0 tls_choose_sigalg (s=0x7fffdc001840, fatalerrs=1) at ssl/t1_lib.c:3307
    #1 0x00007fffe9cb00f4 in tls_post_process_client_hello (s=0x7fffdc001840, wst=WORK_MORE_B) at ssl/statem/statem_srvr.c:2223
    #2 0x00007fffe9cad560 in ossl_statem_server_post_process_message (s=0x7fffdc001840, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1236
    #3 0x00007fffe9c97e3d in read_state_machine (s=0x7fffdc001840) at ssl/statem/statem.c:670
    #4 0x00007fffe9c97723 in state_machine (s=0x7fffdc001840, server=1) at ssl/statem/statem.c:442
    #5 0x00007fffe9c971db in ossl_statem_accept (s=0x7fffdc001840) at ssl/statem/statem.c:270
    #6 0x00007fffe9c5f5ac in SSL_do_handshake (s=0x7fffdc001840) at ssl/ssl_lib.c:3852

                if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
                    if (!fatalerrs)
                        return 1;
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                    return 0;
                }

    @tiran tiran self-assigned this Apr 9, 2021
    @tiran tiran added expert-SSL type-bug 3.8 3.9 3.10 labels Apr 9, 2021
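
The explanation proposed in the report above, as an added Python example that is not part of the issue, CPython, or OpenSSL: a simplified model of the bits-versus-security-level comparison using the two (nid, bits) pairs from the debugger output, plus a helper that reads the level of a live `ssl.SSLContext`. The per-level floors for levels 2 to 5 are taken from OpenSSL's documented security levels (the report states only the 80-bit floor), and all function names are hypothetical.

```python
import ssl

# Minimum security bits per OpenSSL security level (documented for
# SSL_CTX_set_security_level); level 0 permits everything. The report
# itself only states the level-1 floor of 80 bits.
MIN_BITS = {1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# (nid, bits) pairs copied from the debugger output in the report:
# nid 114 is the MD5+SHA1 digest, nid 64 is SHA1.
LEGACY_SIGALG_BITS = {114: 67, 64: 64}


def sigalg_allowed(bits, seclevel):
    """Simplified model of the SIGALG_SUPPORTED check: bits versus level floor."""
    if seclevel <= 0:
        return True
    return bits >= MIN_BITS[min(seclevel, 5)]


def refused_legacy_sigalgs(seclevel):
    """NIDs of the legacy signature digests refused at this security level."""
    return sorted(n for n, b in LEGACY_SIGALG_BITS.items()
                  if not sigalg_allowed(b, seclevel))


def legacy_tls_expected_to_fail(seclevel):
    """True when every legacy digest is refused, leaving a TLS 1.0/1.1 server
    with no signature algorithm (the report's hypothesis for the alert)."""
    return len(refused_legacy_sigalgs(seclevel)) == len(LEGACY_SIGALG_BITS)


def context_seclevel(ctx):
    """Security level of a live context, or None before Python 3.10."""
    return getattr(ctx, "security_level", None)


def relaxed_server_context():
    """Context with the @SECLEVEL=0 setting under which the report's tests pass."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


if __name__ == "__main__":
    for ctx in (ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), relaxed_server_context()):
        level = context_seclevel(ctx)
        if level is not None:
            print(ssl.OPENSSL_VERSION, "level", level,
                  "refused:", refused_legacy_sigalgs(level))
```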

    @tiran tiran commented Apr 9, 2021

    #25304 is the merged PR to master.

    @miss-islington miss-islington commented Apr 9, 2021

    New changeset 4e710d1 by Miss Islington (bot) in branch '3.8':
    [3.8] bpo-43791: Skip TLS 1.0/1.1 tests under OpenSSL 3.0.0 (GH-25304) (GH-25308)
