Mantis - wget
Viewing Issue Advanced Details
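ID: 5068
Category: regular use
Severity: minor
Reproducibility: always
Date Submitted: 2013-04-19 11:58
Last Update: 2014-01-24 20:30
Reporter: beezly
Assigned To: dam
Priority: normal
Status: assigned
Resolution: open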
none    
none  
0005068: Problems negotiating SSL with updates.oracle.com
With wget 1.14 I am experiencing problems connecting to updates.oracle.com (as PCA does when it pulls down the patchdiag.xref file).

If I do;

/opt/csw/bin/wget -d --progress=dot:binary --ca-certificate=/opt/csw/bin/pca -O /var/tmp/patchdiag.xref "https://getupdates.oracle.com/reports/patchdiag.xref"

I get;

Setting --progress (progress) to dot:binary
Setting --ca-certificate (cacertificate) to /opt/csw/bin/pca
Setting --output-document (outputdocument) to /var/tmp/patchdiag.xref
DEBUG output created by Wget 1.14 on solaris2.10.

URI encoding = 'ISO8859-1'
--2013-04-19 10:54:03-- https://getupdates.oracle.com/reports/patchdiag.xref
Resolving getupdates.oracle.com (getupdates.oracle.com)... 141.146.44.51
Caching getupdates.oracle.com => 141.146.44.51
Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected.
Created socket 5.
Releasing 0x000e8a18 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 5
Unable to establish SSL connection.

The same works if I use /usr/sfw/bin/wget instead (1.12 on this system).
Relationships: has duplicate 0005076 (closed, dam): pca Unable to establish SSL connection
Issue History
2013-04-19 11:58 beezly New Issue
2013-04-19 15:58 dam Status new => assigned
2013-04-19 15:58 dam Assigned To => dam
2013-04-19 16:01 dam Assigned To dam =>
2013-04-19 16:05 dam Note Added: 0010339
2013-04-19 23:15 dam Assigned To => dam
2013-04-19 23:18 dam Note Added: 0010340
2013-04-20 10:36 yann Note Added: 0010343
2013-05-16 13:21 dam Relationship added has duplicate 0005076
2013-06-07 22:39 yann Note Added: 0010422
2014-01-24 20:30 dam Note Added: 0010688

Notes
(0010339)
dam   
2013-04-19 16:05   
This looks like an issue of OpenSSL 1.0.0 as this also fails:
  openssl s_client -connect getupdates.oracle.com:443
I'll forward this to the OpenSSL maintainer and keep you posted.
(0010340)
dam   
2013-04-19 23:18   
Ok, quick answer: you must add --secure-protocol=TLSv1

Long answer: the server at Oracle's side is broken. Here is the analysis from my colleague Yann Rouillard:

On 19.04.2013 at 23:10, Yann Rouillard <yann@xxx> wrote:
Ok, I think I got it.
It is not directly related to the tls protocol version, nor the cipher list.
As soon as the "client hello" packet is bigger than or equal to 256, the Oracle webserver doesn't respond anymore.

It is triggered with tls 1.2 because it supports a lot more ciphers which is why the packet easily reaches the 256 size.

I put some tests I made at the end of this mail.

This is rather a bug on the oracle server side.
If there are a lot of ssl implementations which have this bug, I could open a ticket upstream and maybe patch.

Now the question is how to submit this problem to Oracle, I wonder if they will accept that kind of bug on "My Oracle Support". I will try.

Yann

To reproduce:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)

Packet size 256 -> the connection is stuck.

Let's remove just one cipher:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]

Packet size < 256: it worked, the server answered.


Let's use the same cipher list as before, but we disable the session ticket extension to shorten the size of the packet:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -no_ticket -connect getupdates.oracle.com:443

CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]


Packet size < 256: it works also.
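The size arithmetic behind the three tests in the note above, as an added example that is not part of the original thread: each cipher suite costs 2 bytes in the ClientHello and an empty SessionTicket extension costs 4, so either change can move a hello across a 256-byte boundary. The suite ids, the filler extension, its size and the choice to measure the handshake message rather than the record are constructed assumptions, not OpenSSL's real byte layout.

```python
import os
import struct

THRESHOLD = 256  # size at which the note reports the server stops answering

def extension(ext_type, payload=b""):
    """One TLS extension: 2-byte type, 2-byte length, payload."""
    return struct.pack("!HH", ext_type, len(payload)) + payload

def client_hello(n_suites, extensions=(), version=0x0303):
    """Handshake-layer ClientHello (type, 3-byte length, body) as bytes.
    Suite ids are placeholders: only their count affects the size."""
    suites = b"".join(struct.pack("!H", 0x1000 + i) for i in range(n_suites))
    body = struct.pack("!H", version) + os.urandom(32)  # version + random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", len(suites)) + suites      # 2 bytes per suite
    body += b"\x01\x00"                                  # null compression only
    if extensions:
        ext = b"".join(extensions)
        body += struct.pack("!H", len(ext)) + ext        # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body

def record(handshake, version=0x0301):
    """Wrap a handshake message in a TLS record (content type 22)."""
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

def stalls(hello):
    """True when the hello is at or above the size reported as failing."""
    return len(hello) >= THRESHOLD

SESSION_TICKET = extension(35)  # empty SessionTicket extension (RFC 5077)
# Constructed filler standing in for the client's other extensions; its size
# is chosen so that 51 suites plus the ticket land exactly on 256 bytes.
OTHER = extension(0xFFFF, bytes(101))

def sizes(n_suites=51):
    """Handshake sizes for the three variants tried in the note."""
    return {
        "full": len(client_hello(n_suites, [OTHER, SESSION_TICKET])),
        "one suite removed": len(client_hello(n_suites - 1, [OTHER, SESSION_TICKET])),
        "no ticket": len(client_hello(n_suites, [OTHER])),
    }

if __name__ == "__main__":
    for name, size in sizes().items():
        print(f"{name:18} {size:4d} bytes  stalls={size >= THRESHOLD}")
```
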
(0010343)
yann   
2013-04-20 10:36   
I opened a Service Request on "My Oracle Support" about this problem.
I'll keep you updated.
(0010422)
yann   
2013-06-07 22:39   
Finally a real answer from Oracle after a long time, I put it below.
OpenCSW is mentioned in the documentation about wget.

I will give them the exact workaround if they want to add it.

--------------------------------------------------------------------

Hi Yann,

Website admin team will plan to upgrade the webserver s/w during their next meeting so it can support TLS1.2. At this time, TLS1.2 is not supported.

https://getupdates.oracle.com web server does not fully support TLS 1.2
Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time.
Customers who are trying to access the URL using latest wget/OpenSSL (ie. from www.opencsw.org) version with TLS 1.2 support may get connection failures.

The same is documented; please refer to the Oracle doc below.

Patch download automation for Sun products using wget [ID 1199543.1]

I will close this case on 10th-june unless you need further clarification on this

Thanks
Murugan
(0010688)
dam   
2014-01-24 20:30   
I wonder if this is related to https://www.imperialviolet.org/2013/10/07/f5update.html