
[Solved] Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2

Added by HenrikHolst over 1 year ago

Ubuntu recently upgraded libssl1.1 for Ubuntu 18.04LTS and that made lighttpd behave badly. I managed to download the old libssl1.1-1.1.1-1ubuntu2.1~18.04.1 DEB but it didn't fix the problem for some reason (perhaps the package updates more than the .so, I'll have to get back regarding that).

Anyway I rebuilt lighttpd for libssl1.0 and that made it work again (Ubuntu 18.04 carries both 1.1 and 1.0). Anyway, when running cURL on a server where it didn't work it seems that lighttpd/libssl sends some extra bytes:

henrik@kobol:~/utveckling/Millistream/applications/mda$ curl "https://packages.millistream.com/" -o /dev/null -sv
*   Trying 85.159.94.206...
* TCP_NODELAY set
* connect to 85.159.94.206 port 443 failed: Förbindelsen förvägrad
*   Trying 195.242.43.117...
* TCP_NODELAY set
* Connected to packages.millistream.com (195.242.43.117) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* (304) (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [25 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [2822 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* (304) (OUT), TLS Unknown, Certificate Status (22):
} [1 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using unknown / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.millistream.com
*  start date: May 11 00:00:00 2018 GMT
*  expire date: May  5 12:00:00 2020 GMT
*  subjectAltName: host "packages.millistream.com" matched cert's "*.millistream.com" 
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
} [5 bytes data]
* (304) (OUT), TLS Unknown, Unknown (23):
} [1 bytes data]
> GET / HTTP/1.1
> Host: packages.millistream.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* (304) (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* (304) (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* (304) (IN), TLS Unknown, Unknown (21):
{ [1 bytes data]
* (304) (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* Empty reply from server
* Connection #0 to host packages.millistream.com left intact

vs how the same request looks when it does work:

henrik@kobol:~/utveckling/Millistream/applications/mda$ curl "https://packages.millistream.com/" -o /dev/null -sv
*   Trying 85.159.94.206...
* TCP_NODELAY set
* connect to 85.159.94.206 port 443 failed: Förbindelsen förvägrad
*   Trying 195.242.43.117...
* TCP_NODELAY set
* Connected to packages.millistream.com (195.242.43.117) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* (304) (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2817 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.millistream.com
*  start date: May 11 00:00:00 2018 GMT
*  expire date: May  5 12:00:00 2020 GMT
*  subjectAltName: host "packages.millistream.com" matched cert's "*.millistream.com" 
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: packages.millistream.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
< X-Frame-Options: DENY
< Content-Length: 7059
< Date: Mon, 17 Jun 2019 12:40:58 GMT
< Server: lighttpd/1.4.54
< 
{ [7059 bytes data]
* Connection #0 to host packages.millistream.com left intact


Replies (5)

RE: Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2 - Added by gstrauss over 1 year ago

What is reported in the lighttpd error log?
What version of lighttpd? Have you tested with lighttpd 1.4.54?

For https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1800605
See #2912. This was fixed in 7a7f4f98 and released in lighttpd 1.4.51 over 8 months ago.

For https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1832295
please note that the poster there already states that lighttpd 1.4.54 works on Ubuntu.

RE: Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2 - Added by HenrikHolst over 1 year ago

Hi,

sorry for forgetting the version, this is all on v1.4.54 and the errors produced are perhaps (I write perhaps because they did not appear with tail -f after a request, so I don't know if they appeared from my tests, from other people trying to reach our site, or if the errors simply were delayed until the server was stopped):
2019-06-17 14:37:36: (server.c.1521) server started (lighttpd/1.4.54) 
2019-06-17 14:37:38: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:38: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:38: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:42: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:42: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:42: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:44: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:46: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:46: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:48: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:50: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:50: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:53: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:53: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:54: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:55: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:55: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:55: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 
2019-06-17 14:37:55: (mod_openssl.c.1695) SSL: renegotiation initiated by client, killing connection 

RE: Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2 - Added by HenrikHolst over 1 year ago

So now I rebuilt 1.4.54 and it worked again.

So perhaps the change to libssl1.1 changed some include files as well that made builds against prior versions of libssl1.1 incompatible with the new one. So you are correct that this was fixed in an earlier commit, just that a lighttpd built with the libssl1.1-dev package for a prior version does not work with the new one for some reason.

RE: [Solved] Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2 - Added by gstrauss over 1 year ago

Yes, it matters against which development headers lighttpd mod_openssl.c is built.

    #ifdef TLS1_3_VERSION

is a compile-time check, and the code in 7a7f4f98 can not check:

    if (SSL_version(ssl) >= TLS1_3_VERSION)

if TLS1_3_VERSION is not defined.
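The build-time dependency described above, as an added model that is not lighttpd's mod_openssl.c: the OpenSSL constants are stand-ins so it compiles without libssl, and `kill_on_handshake_start` is a hypothetical simplification of the renegotiation detector, not the real info callback. Compile with `-DOLD_HEADERS` to mimic headers that predate TLS 1.3 and watch the TLS 1.3 case flip to "kill".

```c
#include <stdio.h>

/* Stand-ins for values from <openssl/ssl.h> and <openssl/tls1.h>, so this
 * model compiles without OpenSSL. With -DOLD_HEADERS, TLS1_3_VERSION is left
 * undefined, as in a libssl1.1-dev that predates TLS 1.3. */
#define SSL_CB_HANDSHAKE_START 0x10
#define TLS1_2_VERSION 0x0303
#ifndef OLD_HEADERS
#define TLS1_3_VERSION 0x0304
#endif

/* TLS 1.3 awareness is decided by the headers at build time, not by the
 * libssl.so that is loaded at run time. */
int tls13_aware(void)
{
#ifdef TLS1_3_VERSION
    return 1;
#else
    return 0;
#endif
}

/* Hypothetical model of the renegotiation detector, invoked from an info
 * callback. ssl_version is what SSL_version() would return, handshake_done
 * is 1 once the initial handshake completed. Returns 1 if the server would
 * treat the event as client-initiated renegotiation and kill the connection. */
int kill_on_handshake_start(int ssl_version, int handshake_done, int where)
{
    if (!(where & SSL_CB_HANDSHAKE_START) || !handshake_done)
        return 0;               /* initial handshake, not a renegotiation */
#ifdef TLS1_3_VERSION
    /* TLS 1.3 has no renegotiation; post-handshake messages such as the
     * NewSessionTicket seen in the curl trace re-enter the handshake state
     * machine and must be ignored. This branch is absent in an old-header build. */
    if (ssl_version >= TLS1_3_VERSION)
        return 0;
#endif
    return 1;
}

int main(void)
{
    printf("TLS 1.3 aware build: %d\n", tls13_aware());
    printf("kill on TLS 1.3 post-handshake message: %d\n",
           kill_on_handshake_start(0x0304, 1, SSL_CB_HANDSHAKE_START));
    printf("kill on TLS 1.2 renegotiation: %d\n",
           kill_on_handshake_start(TLS1_2_VERSION, 1, SSL_CB_HANDSHAKE_START));
    return 0;
}
```

In a build environment, `grep TLS1_3_VERSION /usr/include/openssl/tls1.h` shows whether the installed libssl-dev headers define the constant before building.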

RE: [Solved] Problems with libssl1.1-1.1.1-1ubuntu2.1~18.04.2 - Added by HenrikHolst over 1 year ago

OK and they changed that in libssl1.1-1.1.1-1ubuntu2.1~18.04.2, I'll see. Because I built lighttpd against whatever version of libssl1.1 was available when 1.4.54 came out and I thought that libssl stopped doing those stupid ABI changes that they did back in the 0.9.x days where you had to rebuild for every single change. Either that or my build environment back in May was somehow faulty, should of course have checked that first but such is life.
