Package: libengine-gost-openssl1.1
Version: 1.1.0.1-1
Followup-For: Bug #898823

I have verified gost.so against the new OpenSSL 1.1.0i (using self-built packages for OpenSSL). Now the connection fails with the following log. Wireshark reports that the client is sending an Illegal Parameter alert after receiving the ServerHello+Certificate+ServerHelloDone package.

===== CUT =====
$ openssl s_client -CAfile ~/Projects/GOST/testca2.cer -connect tlsgost-256.cryptopro.ru:443
CONNECTED(00000003)
depth=1 emailAddress = supp...@cryptopro.ru, C = RU, L = Moscow, O = CRYPTO-PRO LLC, CN = CRYPTO-PRO Test Center 2
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
verify return:1
139955978510528:error:0306B067:bignum routines:BN_div:div by zero:../crypto/bn/bn_div.c:179:
139955978510528:error:8006B010:lib(128):GOST_EC_COMPUTE_PUBLIC:EC lib:/build/libengine-gost-openssl1.1-1.1.0.1/gost_ec_sign.c:463:
139955978510528:error:80077068:lib(128):PKEY_GOST_ECCP_ENCRYPT:error computing shared key:/build/libengine-gost-openssl1.1-1.1.0.1/gost_ec_keyx.c:192:
139955978510528:error:14196112:SSL routines:tls_construct_cke_gost:library bug:../ssl/statem/statem_clnt.c:2436:
---
Certificate chain
 0 s:/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
   i:/emailAddress=supp...@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
Server certificate
subject=/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_256noauth
issuer=/emailAddress=supp...@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
No client certificate CA names sent
---
SSL handshake has read 1058 bytes and written 193 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: A8ECCD5F45DC04A0B35A85EDDC33346FD1AAAA84653B23E488283F5F62051F7D
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534762669
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
===== CUT =====

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libengine-gost-openssl1.1 depends on:
ii  libc6      2.27-5
iu  libssl1.1  1.1.0i-1lumag1

libengine-gost-openssl1.1 recommends no packages.

libengine-gost-openssl1.1 suggests no packages.

-- no debconf information
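
Added example, not part of the original report or of the gost engine code: a small triage parser for the four error-queue lines in the log above. It unpacks each 8-digit code using the OpenSSL 1.1.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason) and marks entries whose library number is 128 or higher, the range OpenSSL assigns to dynamically registered libraries such as engines. The names `parse_error_queue`, `call_chain` and `ErrEntry` are made up for this illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the four error-queue lines copied from the log in this report.
SAMPLE = """\
139955978510528:error:0306B067:bignum routines:BN_div:div by zero:../crypto/bn/bn_div.c:179:
139955978510528:error:8006B010:lib(128):GOST_EC_COMPUTE_PUBLIC:EC lib:/build/libengine-gost-openssl1.1-1.1.0.1/gost_ec_sign.c:463:
139955978510528:error:80077068:lib(128):PKEY_GOST_ECCP_ENCRYPT:error computing shared key:/build/libengine-gost-openssl1.1-1.1.0.1/gost_ec_keyx.c:192:
139955978510528:error:14196112:SSL routines:tls_construct_cke_gost:library bug:../ssl/statem/statem_clnt.c:2436:
"""

ERR_LIB_USER = 128  # first library number OpenSSL hands to dynamically registered libraries

LINE_RE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib_name>[^:]*):(?P<func_name>[^:]*):"
    r"(?P<reason_text>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

class ErrEntry(NamedTuple):
    lib: int          # library number (3 = BN, 20 = SSL, >= 128 = dynamic, e.g. an engine)
    func: int         # function code inside that library
    reason: int       # reason code inside that library
    func_name: str
    reason_text: str
    location: str     # source file and line that raised the error

    @property
    def dynamic_lib(self) -> bool:
        return self.lib >= ERR_LIB_USER

def parse_error_queue(text: str) -> List[ErrEntry]:
    """Parse error-queue lines in printed order (oldest error first)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore the rest of the s_client output
        code = int(m["code"], 16)
        entries.append(ErrEntry((code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF,
                                m["func_name"], m["reason_text"],
                                f'{m["file"]}:{m["line"]}'))
    return entries

def call_chain(entries: List[ErrEntry]) -> List[str]:
    """Function names from the originating failure up to the TLS state machine."""
    return [e.func_name for e in entries]

if __name__ == "__main__":
    for e in parse_error_queue(SAMPLE):
        tag = "engine/dynamic" if e.dynamic_lib else "core"
        print(f"lib={e.lib:3d} func={e.func:3d} reason={e.reason:3d} [{tag}] "
              f"{e.func_name}: {e.reason_text} ({e.location})")
```

Read top to bottom, the decoded queue shows the BN_div failure first, then the two entries from the dynamically registered library (128), then the SSL-layer "library bug" raised in tls_construct_cke_gost.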