OpenCSW Bug Tracker


Viewing Issue Simple Details
ID: 0005068
Category: [wget] regular use
Severity: minor
Reproducibility: always
Date Submitted: 2013-04-19 11:58
Last Update: 2014-01-24 20:30
Reporter: beezly
View Status: public
Assigned To: dam
Priority: normal
Resolution: open
Status: assigned
Summary: 0005068: Problems negotiating SSL with updates.oracle.com
Description: With wget 1.14 I am experiencing problems connecting to updates.oracle.com (as PCA does when it pulls down the patchdiag.xref file).

If I do:

/opt/csw/bin/wget -d --progress=dot:binary --ca-certificate=/opt/csw/bin/pca -O /var/tmp/patchdiag.xref "https://getupdates.oracle.com/reports/patchdiag.xref"

I get:

Setting --progress (progress) to dot:binary
Setting --ca-certificate (cacertificate) to /opt/csw/bin/pca
Setting --output-document (outputdocument) to /var/tmp/patchdiag.xref
DEBUG output created by Wget 1.14 on solaris2.10.

URI encoding = 'ISO8859-1'
--2013-04-19 10:54:03-- https://getupdates.oracle.com/reports/patchdiag.xref
Resolving getupdates.oracle.com (getupdates.oracle.com)... 141.146.44.51
Caching getupdates.oracle.com => 141.146.44.51
Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected.
Created socket 5.
Releasing 0x000e8a18 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 5
Unable to establish SSL connection.

The same works if I use /usr/sfw/bin/wget instead (1.12 on this system).
Additional Information:
Tags: No tags attached.
Attached Files:

Relationships
has duplicate 0005076 (closed, dam): pca Unable to establish SSL connection

Notes
(0010339)
dam (administrator)
2013-04-19 16:05

This looks like an issue of OpenSSL 1.0.0 as this also fails:
  openssl s_client -connect getupdates.oracle.com:443
I'll forward this to the OpenSSL maintainer and keep you posted.
(0010340)
dam (administrator)
2013-04-19 23:18

Ok, quick answer: you must add --secure-protocol=TLSv1

Long answer: the server at Oracle's side is broken. Here is the analysis from my colleague Yann Rouillard:

On 19.04.2013 at 23:10, Yann Rouillard <yann@xxx> wrote:
Ok, I think I got it.
It is not directly related to the TLS protocol version, nor the cipher list.
As soon as the "client hello" packet is bigger than or equal to 256 bytes, the Oracle webserver doesn't respond anymore.

It is triggered with TLS 1.2 because it supports a lot more ciphers, which is why the packet easily reaches the 256-byte size.

I put some tests I made at the end of this mail.

This is rather a bug on the Oracle server side.
If there are a lot of SSL implementations which have this bug, I could open a ticket upstream and maybe patch.

Now the question is how to submit this problem to Oracle, I wonder if they will accept that kind of bug on "My Oracle Support". I will try.

Yann

To reproduce:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)

Packet size 256 -> the connection is stuck.

Let's remove just one cipher:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA -connect getupdates.oracle.com:443
CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]

Packet size < 256: it worked, the server answered.


Let's use the same cipher list as before, but we disable the session ticket extension to shorten the size of the packet:

# openssl s_client -bugs -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:CAMELLIA128-SHA -no_ticket -connect getupdates.oracle.com:443

CONNECTED(00000005)
18446741324917160760:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
[...]


Packet size < 256: it also works.
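The size arithmetic behind Yann's three runs, as an added example that is not part of the ticket and not code from OpenCSW, OpenSSL or Oracle: it builds a TLS 1.2 ClientHello record from the 51 cipher suites in the s_client commands above (as their IANA code points, in the same order, plus the TLS_EMPTY_RENEGOTIATION_INFO_SCSV that OpenSSL appends) and a set of extensions modelled on what OpenSSL 1.0.1 s_client sends (ec_point_formats, elliptic_curves, signature_algorithms, heartbeat and an empty SessionTicket, which is what -no_ticket removes). The extension contents are an assumption and are not claimed to be byte-exact for any OpenSSL build, and the 256-byte threshold is applied to the whole record as it goes on the wire, which is the reading of "packet size" assumed here. It then repeats the three experiments: all suites, one suite fewer, and no session ticket.

```python
import os
import struct

THRESHOLD = 256  # record size at or above which the server in this ticket goes silent

# The 51 OpenSSL cipher names from the first s_client command, as TLS code
# points in the same order (IANA TLS Cipher Suite registry).
SUITES_51 = [
    0xC030, 0xC02C, 0xC028, 0xC024, 0xC014, 0xC00A, 0xC022, 0xC021,
    0x00A3, 0x009F, 0x006B, 0x006A, 0x0039, 0x0038, 0x0088, 0x0087,
    0xC032, 0xC02E, 0xC02A, 0xC026, 0xC00F, 0xC005, 0x009D, 0x003D,
    0x0035, 0x0084, 0x008D, 0xC012, 0xC008, 0xC01C, 0xC01B, 0x0016,
    0x0013, 0xC00D, 0xC003, 0x000A, 0x008B, 0xC02F, 0xC02B, 0xC027,
    0xC023, 0xC013, 0xC009, 0xC01F, 0xC01E, 0x00A2, 0x009E, 0x0067,
    0x0040, 0x0033, 0x0041,
]
SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, appended automatically by OpenSSL


def u16_list(values):
    """Pack a sequence of 16-bit values big-endian."""
    return b"".join(struct.pack("!H", v) for v in values)


def ext(ext_type, body):
    """One TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def default_extensions(session_ticket=True):
    """Extensions modelled on OpenSSL 1.0.1 s_client for TLS 1.2.
    Constructed for this example; byte parity with OpenSSL is not claimed."""
    curves = u16_list(range(1, 26))  # NamedCurve 1..25 from RFC 4492
    # hash(sha512,sha384,sha256,sha224) x signature(rsa,dsa,ecdsa) = 12 pairs
    sigalgs = b"".join(bytes((h, s)) for h in (6, 5, 4, 3) for s in (1, 2, 3))
    exts = [
        ext(0x000B, b"\x03\x00\x01\x02"),                        # ec_point_formats
        ext(0x000A, struct.pack("!H", len(curves)) + curves),    # elliptic_curves
        ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs),  # signature_algorithms
        ext(0x000F, b"\x01"),                                    # heartbeat: peer_allowed_to_send
    ]
    if session_ticket:
        exts.append(ext(0x0023, b""))  # empty SessionTicket; -no_ticket drops these 4 bytes
    return b"".join(exts)


def build_client_hello(suites, extensions):
    """Return the full TLS record (header included) carrying a ClientHello."""
    suite_bytes = u16_list(suites)
    body = (
        b"\x03\x03"                                              # client_version TLS 1.2
        + os.urandom(32)                                         # random
        + b"\x00"                                                # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes      # cipher_suites
        + b"\x01\x00"                                            # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def hangs(record):
    """True when this server would stop responding to the hello."""
    return len(record) >= THRESHOLD


def reproduce():
    """Yann's three experiments: returns {name: (record size, hangs)}."""
    runs = {
        "all 52": build_client_hello(SUITES_51 + [SCSV], default_extensions()),
        "51 suites": build_client_hello(SUITES_51[:-1] + [SCSV], default_extensions()),
        "no ticket": build_client_hello(SUITES_51 + [SCSV],
                                        default_extensions(session_ticket=False)),
    }
    return {name: (len(rec), hangs(rec)) for name, rec in runs.items()}


if __name__ == "__main__":
    for name, (size, stuck) in reproduce().items():
        print(f"{name:10} {size:4d} bytes -> {'no response' if stuck else 'server answers'}")
```

With these constructed extensions the full hello is 257 bytes, dropping one suite takes 2 bytes off (255) and dropping the empty ticket extension takes 4 off (253), so both trims cross the 256 boundary just as in the s_client runs; with real OpenSSL the extension set differs slightly, so the exact totals do, but the two-byte-per-suite and four-byte-per-empty-extension arithmetic is what matters when deciding which knob to turn.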
(0010343)
yann (developer)
2013-04-20 10:36

I opened a Service Request on "My Oracle Support" about this problem.
I'll keep you updated.
(0010422)
yann (developer)
2013-06-07 22:39

Finally a real answer from Oracle after a long time; I put it below.
OpenCSW is mentioned in the documentation about wget.

I will give them the exact workaround if they want to add it.

--------------------------------------------------------------------

Hi Yann,

Website admin team will plan to upgrade the webserver s/w during their next meeting so it can support TLS1.2. At this time, TLS1.2 is not supported.

https://getupdates.oracle.com web server does not fully support TLS 1.2
Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time.
Customers who are trying to access the URL using the latest wget/OpenSSL (i.e. from www.opencsw.org) version with TLS 1.2 support may get connection failures.

The same is documented, please refer to the Oracle doc below.

Patch download automation for Sun products using wget [ID 1199543.1]

I will close this case on 10th June unless you need further clarification on this.

Thanks
Murugan
(0010688)
dam (administrator)
2014-01-24 20:30

I wonder if this is related to https://www.imperialviolet.org/2013/10/07/f5update.html
