My customer (Government) wants to block use of SSLv2 with the INN server due
to security vulnerabilities. I recompiled the INNews source and specified the
SSL option of no SSLv2. I had tried just compiling OpenSSL without SSLv2,
but that caused problems as well. The issue I am having is that it works
with OpenSSL 0.9.8k, but not with 0.9.8r. It gets the following error with
an SSL alert number 20, alert bad record mac.

Using the openssl on the server I was able to get the following info as
well:

#  /usr/local/ssl/bin/openssl s_client -connect vbnews:563

CONNECTED(00000004)
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=21:unable to verify the first certificate
verify return:1
22555:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20
22555:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I have checked all of the obvious issues with certificates (it is issued
from a real CA and the trusts and CA certs are all in place). The server is
in DNS correctly. My development network does not have outside
connectivity, but is a VLAN (you can get in, but not out). Everything
worked fine with INN 2.5.1 and openssl-0.9.8k, but I decided to use the
newer version for updates and bug fixes.

Has anyone seen any problems with INN 2.5.1 or another application and the
newer openssl versions? Is 0.9.8r doing more strict verification? I am
using the INNews open source, so it is possible to make changes to how it
creates its SSL context, like specifying the no SSLv2, but I am not
familiar with the source; we just repackage it.

Thank you for the help.

Darren Evans 
Software Engineer 

-- 
View this message in context: 
http://old.nabble.com/Using-OpenSSL-0.9.8-issue-between-version-k-and-r-with-Application-tp32759494p32759494.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
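The s_client output above mixes two different things: client-side X.509 verify results (the client lacks the issuing CA) and a protocol alert the server sent. This added example, not from the post or from INN/OpenSSL, decodes OpenSSL's packed error codes (the 0.9.8/1.0.x layout of 8-bit library, 12-bit function, 12-bit reason) and, for SSL-library reasons at or above OpenSSL's SSL_AD_REASON_OFFSET of 1000, recovers the TLS alert number the peer sent; alert names follow RFC 5246, and the sample transcript is the post's own lines re-joined one per line.

```python
import re
# TLS AlertDescription codes, RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error"}
ERR_LIB_SSL = 20             # library number of "SSL routines" in the packed code
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason for a received alert = 1000 + alert
# OpenSSL error line: pid:error:CODE:library:function:reason:file:line[:data]
ERR_LINE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+)(?::(.*))?$")
VERIFY_LINE = re.compile(r"^verify error:num=(\d+):(.*)$")

def decode_error_line(line):
    m = ERR_LINE.match(line.strip())  # None when this is not an error line
    if not m:
        return None
    code = int(m.group(2), 16)
    # Packed layout in 0.9.8/1.0.x: 8-bit library, 12-bit function, 12-bit reason.
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "func_name": m.group(4), "reason_text": m.group(5),
            "file": m.group(6), "line": int(m.group(7))}
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        # A reason >= 1000 in the SSL library is an alert the *peer* sent us:
        # the server rejected a record from the client, so look at its side.
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert"], info["alert_name"] = alert, TLS_ALERTS.get(alert, "unknown")
    return info

def summarize_s_client(transcript):
    # Separate X.509 verify results (client-side trust) from protocol errors.
    verify, errors = [], []
    for line in transcript.splitlines():
        v = VERIFY_LINE.match(line.strip())
        if v:
            verify.append((int(v.group(1)), v.group(2)))
        else:
            e = decode_error_line(line)
            if e:
                errors.append(e)
    return {"verify_errors": verify, "errors": errors}

# Constructed sample: the post's wrapped output, re-joined onto one line each.
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
22555:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20
22555:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""
```

The first error decodes to alert 20 (bad_record_mac) received from the server, while the second is the client's own handshake-failure reason (229) with no alert attached.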
