The following reply was made to PR kern/155160; it has been noted by GNATS.
From: Hans Duedal <h...@onlinecity.dk>
To: bug-follo...@freebsd.org, Hans Duedal <h...@onlinecity.dk>
Cc:
Subject: Re: kern/155160: [aesni] AES-NI breaks OpenSSL client calls
Date: Wed, 2 Mar 2011 11:53:32 +0100

I should note that the issue does not affect the openssl s_client test command.

db3# openssl s_client -quiet -state -CAfile /usr/local/share/certs/ca-root-nss.crt -connect twitter.com:443
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Operations
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
aaaa
Status: 500 Internal Server Error
Content-Type: text/html

<html><body><h1>500 Internal Server Error</h1></body></html>SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Used the ca-root from security/ca_root_nss package to avoid verify issues.

As you can see from my original report, cURL is affected, and so is puppet which is ruby based, but I assume that many more clients are affected.