Bug 132098 - REGRESSION: Bank of America on-line banking site quit working
Summary: REGRESSION: Bank of America on-line banking site quit working
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Unmaintained
Component: kssl (show other bugs)
Version: unspecified
Platform: Compiled Sources Linux
: NOR normal
Target Milestone: ---
Assignee: Dirk Mueller
URL:
Keywords:
: 108388 132358 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-08-09 01:13 UTC by James Richard Tyrer
Modified: 2007-12-11 20:21 UTC (History)
4 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
possible patch (390 bytes, patch)
2006-08-09 15:18 UTC, Dirk Mueller
Details
Output of openssl ciphers (563 bytes, text/plain)
2006-08-10 01:17 UTC, James Richard Tyrer
Details
new patch (1.48 KB, patch)
2006-08-11 13:37 UTC, Dirk Mueller
Details
patch v2 (1.42 KB, patch)
2006-08-11 13:44 UTC, Dirk Mueller
Details
Konsole output after clicking button (2.59 KB, text/plain)
2006-08-12 11:26 UTC, James Richard Tyrer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description James Richard Tyrer 2006-08-09 01:13:14 UTC
Version:            (using KDE KDE 3.5.4)
Installed from:    Compiled From Sources
Compiler:          GCC-4.1.1 
OS:                Linux

These two sites worked in 3.5.3 and still work in Firefox.

http://www.bankofamerica.com/

when I click on the "Sign In" button, I get:

ERROR 500:

http://www.chase.com/

When I click on the "Log In" button, I get:

An error occurred while loading https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc:
Could not connect to host chaseonline.chase.com.

Note that American Express still works:

http://home.americanexpress.com/home/mt_personal_cm.shtml

I suspect that somehow Konqueror is sending the wrong information.
Comment 1 Dirk Mueller 2006-08-09 08:48:07 UTC
can you give me kssl debug output and the output of "openssl ciphers" ?

Comment 2 Dirk Mueller 2006-08-09 08:48:26 UTC
which distro is that, btw?
Comment 3 Hasso Tepper 2006-08-09 13:12:14 UTC
Same here with Debian unstable. bankofamerica.com "sign in" button works for me, btw, but many internal stuff here doesn't. HTTPS in general is OK, but "HTTP -> 302 -> HTTPS" seems to cause the trouble.

It's not probably KDE bug though. For example FTP/SSL stopped work for me as well. And not only for me - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381944
Comment 4 Dirk Mueller 2006-08-09 13:27:32 UTC
Hasso: you're using gnutls, right? gnutls is fucked, don't use it. 

James: do you use gnutls as well? which url can you access/can't you access? 
Comment 5 Hasso Tepper 2006-08-09 14:45:35 UTC
Dirk: nope, I specially set openssl lib path in settings.

Anyway, I just discovered that reverting rev 568289 makes Konqueror working again for me.

lftp issue in Debian unstable seems to be in app itself, just downgrading lftp (not touching any libraries) makes it working again, so this is not related.
Comment 6 Dirk Mueller 2006-08-09 15:18:25 UTC
Created attachment 17307 [details]
possible patch

does this patch help?
Comment 7 Hasso Tepper 2006-08-09 15:36:35 UTC
No.
Comment 8 James Richard Tyrer 2006-08-10 01:17:41 UTC
Created attachment 17322 [details]
Output of openssl ciphers
Comment 9 James Richard Tyrer 2006-08-10 01:21:00 UTC
Re: Comment #4

I have GnuTLS installed, however I explicitly built KDE against OpenSSL.

--with-ssl-dir=/usr/local/ssl
Comment 10 Dirk Mueller 2006-08-10 12:16:37 UTC
that doesn't mean that it actually uses openssl, given that kssl dlopen's the file it finds according to very strange rules. 

can you actually confirm via lsof etc that it loads the openssl libraries and not the gnutls compat wrapper?

also, does it work if you disable tlsv1 support in kssl? does it work if you disable sslv3? what is the difference between openssl ciphers -tls1 and -ssl3 ?
Comment 11 Dirk Mueller 2006-08-11 13:37:26 UTC
Created attachment 17338 [details]
new patch

I believe this patch should resolve the bug, can you test?
Comment 12 Dirk Mueller 2006-08-11 13:44:44 UTC
Created attachment 17339 [details]
patch v2

this should shouldn't make a difference, but is theoretically more correct.
Comment 13 Dirk Mueller 2006-08-11 13:49:11 UTC
*** Bug 108388 has been marked as a duplicate of this bug. ***
Comment 14 James Richard Tyrer 2006-08-11 13:53:24 UTC
I have uninstalled GNUtls.  Didn't help.

I tried -r568289 with KDELibs and KDEBase.  Didn't help.

I would think that it might not be a KDE issue except that Firefox still opens the two sites OK.

I checked: "Warn on entering SSL mode" so that I could get the crypto information.  I found that the KCM tab "OpenSSL" didn't have the: Path to OpenSSL Shared Libraries" set, so I set that to: "/usr/local/ssl/lib".  I found that it didn't have the path to the "entropy file" set so I checked "Use entropy file" and set the path to: "/var/lib/random-seed".  I note that setting this with the file selection dialog doesn't work, the KCM crashes.  Copy and Paste works OK.

This did result in a change.  Now the BofA site displays an error:

An error occurred while loading https://sitekey.bankofamerica.com/sas/signon.do:
Connection to host sitekey.bankofamerica.com is broken.

No change at the Chase site.

Where and how do I disable tls1?
Comment 15 Hasso Tepper 2006-08-11 14:33:20 UTC
Yes, my problem (ie. regression caused by patch from bug #108388) is solved with patch from comment 12. Original reporter seems to have different problem though, seems.

Comment 16 Dirk Mueller 2006-08-11 15:11:42 UTC
James; you have to update to r568288 or to current HEAD as I'm going to install the patch, which should fix the issue. feel free to reopen once you're sure that this isn't caused by your gnutls/openssl settings. I believe from reading your last comment that you messed it up now that it doesn't load the openssl files either. 
Comment 17 Dirk Mueller 2006-08-11 15:14:40 UTC
SVN commit 571987 by mueller:

make SSL work again for sites that don't support TLSv1
BUG: 132098


 M  +6 -7      kssl.cc  


--- branches/KDE/3.5/kdelibs/kio/kssl/kssl.cc #571986:571987
@@ -138,6 +138,8 @@
 	d->m_meth = d->kossl->TLSv1_client_method();
 	d->lastInitTLS = true;
 
+	m_pi.reset();
+
 	d->m_ctx = d->kossl->SSL_CTX_new(d->m_meth);
 	if (d->m_ctx == 0L) {
 		return false;
@@ -160,9 +162,6 @@
 bool KSSL::initialize() {
 #ifdef KSSL_HAVE_SSL
 	kdDebug(7029) << "KSSL initialize" << endl;
-	if (m_cfg->tlsv1())
-		return TLSInit();
-
 	if (m_bInit)
 		return false;
 
@@ -175,9 +174,9 @@
 
 	m_pi.reset();
 
-	if (m_cfg->sslv2() && !m_cfg->sslv3())
+	if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1())
 		d->m_meth = d->kossl->SSLv2_client_method();
-	else if (m_cfg->sslv3() && !m_cfg->sslv2())
+	else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2())
 		d->m_meth = d->kossl->SSLv3_client_method();
 	else d->m_meth = d->kossl->SSLv23_client_method();
 
@@ -307,7 +306,7 @@
 	}
 */
 
-	if (!d->lastInitTLS)
+	if (!d->lastInitTLS && !m_cfg->tlsv1())
 		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
 
 	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
@@ -393,7 +392,7 @@
 	}
 */
 
-	if (!d->lastInitTLS)
+	if (!d->lastInitTLS && !m_cfg->tlsv1())
 		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
 
 	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
Comment 18 James Richard Tyrer 2006-08-12 01:56:51 UTC
I applied the patch and the Chase site now works and the BofA site doesn't.

So, you have fixed *a* problem.  The BofA site _might_ be a different problem.

The rebuild to get back to the current branch HEAD will take a while so I can't say for sure about BofA yet.
Comment 19 James Richard Tyrer 2006-08-12 07:37:08 UTC
Recycling this bug.

The Bank of America site doesn't work.

I still get: "ERROR 500".  I have uninstalled GNUtls so that shouldn't be the problem.

The Bank of America site worked OK for some time in Konqueror and then suddenly quit working.  So, I doubt that it is a OpenSSL setting.

How should I go about debugging this?
Comment 20 Dirk Mueller 2006-08-12 10:19:10 UTC
when do you get error 500 when doing *what* ?
do you have an established https connection already? (is there a ssl details you can open?)

is this error 500 from the ioslave, the website? ..

I have no idea what you're talking about, as I could reproduce the failure
before but not anymore. I don't have an account there, but if I enter
random account data I get as far as the error message about my password being
invalid. 

Comment 21 James Richard Tyrer 2006-08-12 11:25:17 UTC
The start page: "http://www.bankofamerica.com/" has a button: "Sign In" on it.  You enter your ID and click it.  It then tries to load: "https://sitekey.bankofamerica.com/sas/signon.do" and fails with the error.

I have attached the Konsole output.
Comment 22 James Richard Tyrer 2006-08-12 11:26:53 UTC
Created attachment 17346 [details]
Konsole output after clicking button
Comment 23 James Richard Tyrer 2006-08-12 11:42:37 UTC
I think that: "ERROR 500:" is an error on their server.

I deleted my cookie and tried an invalid user number and get the same result using "Arizona".  Same result.

A server error error would probably mean that it was sending the wrong information to their server.
Comment 24 Dirk Mueller 2006-08-12 15:20:14 UTC
ok, once again, very slowly. 

if you click on this link: https://sitekey.bankofamerica.com/sas/signon.do
directly, do you get the error message "You have not entered your Online ID" with a bank of america logo in the upper left or not?

if not, do you get the error 500 in a website or is an error you get from the http layer?

in any case, this doesn't look like the bug this report was about. 

Comment 25 James Richard Tyrer 2006-08-12 23:31:56 UTC
Re: Comment #24

If I click on the link, I get "ERROR 500:".  I presume that this is not the case on your system -- that you get the error message which you quoted.  If so, I am totally puzzled by this.

This reference:

http://www.checkupdown.com/status/E500.html

says that: "ERROR 500" is an: "Internal server error".

Since Firefox (and SeaMonkey, and Epiphany [all Gecko]) works correctly, and Konqueror used to work correctly, my best guess is that the internal server error is being caused by KDE sending the wrong information.  Perhaps it only fails when it sees my name. :-D

As I said, I was recycling the bug report (changed the title) for what appears to be a problem which is different from the one you fixed.  However, this problem started at about the same time as the problem with the Chase site.  I noticed them the same day.
Comment 26 Tommi Tervo 2006-08-13 22:02:35 UTC
*** Bug 132358 has been marked as a duplicate of this bug. ***
Comment 27 Dirk Mueller 2006-08-13 22:49:16 UTC
JRT: thanks, I know what error 500 means. :)

given that you probably can't give me information how the login data you're
sending looks like (and if it happens with simple input like 01234567890 what I tested as well), the only thing I can suggest you to do is to track down
the particular svn revision by binary search which broke it for you. 

shouldn't be more than 10-15 recompilations. 

Comment 28 James Richard Tyrer 2006-08-15 16:01:31 UTC
I traced this to a corrupted *rc file.

Don't know why it only affected the B of A site.
Comment 29 Vladimir I. Kobylyanskiy 2006-08-21 17:49:10 UTC
SVN commit 571987 by mueller:

make SSL work again for sites that don't support TLSv1
BUG: 132098 


And again don't work sites that don't support SSLv3.

Let's make TLS work only when TLS checkbox = true and SSLv3 checkbox = false.


--- kssl.cc	2006-08-11 22:34:04.000000000 +0000
+++ kssl_LISSI.cc	2006-08-21 19:41:45.337866392 +0000
@@ -176,8 +176,11 @@
 
 	if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1())
 		d->m_meth = d->kossl->SSLv2_client_method();
-	else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2())
+	else if ((m_cfg->tlsv1() && m_cfg->sslv3()) && !m_cfg->sslv2())
 		d->m_meth = d->kossl->SSLv3_client_method();
+//Patch LISSI Ltd, http://www.lissi.ru, mailto: info@lissi.ru
+	else if ((m_cfg->tlsv1() && !m_cfg->sslv3()) && !m_cfg->sslv2())
+		return TLSInit();
 	else d->m_meth = d->kossl->SSLv23_client_method();
 
 /*
Comment 30 Dirk Mueller 2006-08-22 14:20:09 UTC
this patch is not acceptable. does this work for you?

--- kssl.cc     (revision 573819)
+++ kssl.cc     (working copy)
@@ -176,6 +176,8 @@ bool KSSL::initialize() {

        if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1())
                d->m_meth = d->kossl->SSLv2_client_method();
+        else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2())
+               d->m_meth = d->kossl->TLSv1_client_method();
        else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2())
                d->m_meth = d->kossl->SSLv3_client_method();
        else d->m_meth = d->kossl->SSLv23_client_method();
Comment 31 Dirk Mueller 2006-08-22 14:22:27 UTC
the problem is that I can not reproduce the issue you're reporting with the host that you gave as an example, and additionally I don't see how that should be happening. 

openssl s_client -ssl2 -connect kis.hosteurope.de:443
fails, but
openssl s_client -ssl3 -connect kis.hosteurope.de:443
and
openssl s_client -tls1 -connect kis.hosteurope.de:443

connects just fine for me. 
Comment 32 Vladimir I. Kobylyanskiy 2006-08-22 15:12:09 UTC
Patch seems to works fine.
Maybe in documentation must be said that if server works only with TLSv1 user need to make SSLv3 checkbox to fasle.
         

And about reproduce:


1) Openssl command line.

Start openssl test-server
       openssl s_server -cert <cert_file> -key <key_file> -tls1

Then try
       
       openssl s_client -connect 127.0.0.1:4444 -ssl3 
       and you resive an error message("wrong protcol number bla-bla-bla")

Then try
       openssl s_client -connect 127.0.0.1:4444 -tls1 
       and all works fine.


2)Apache

For Apache you can select protocol by directive "SSLProtocol TLSv1|SSLv3|SSLv2"
If you start your server with SSLProtocot TLSv1 - you cannot visit it by SSLv3. Only TLSv1.

Comment 33 Dirk Mueller 2006-08-23 11:23:35 UTC
SVN commit 576152 by mueller:

fix TLSv1 again, now that I actually understood how
openssl works
CCBUG: 132098


 M  +18 -6     kssl.cc  


--- branches/KDE/3.5/kdelibs/kio/kssl/kssl.cc #576151:576152
@@ -174,9 +174,11 @@
 
 	m_pi.reset();
 
-	if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1())
+	if (!m_cfg->tlsv1() && !m_cfg->sslv3() && m_cfg->sslv2())
 		d->m_meth = d->kossl->SSLv2_client_method();
-	else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2())
+        else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2())
+		d->m_meth = d->kossl->TLSv1_client_method();
+	else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2())
 		d->m_meth = d->kossl->SSLv3_client_method();
 	else d->m_meth = d->kossl->SSLv23_client_method();
 
@@ -306,10 +308,15 @@
 	}
 */
 
+	int off = SSL_OP_ALL;
 	if (!d->lastInitTLS && !m_cfg->tlsv1())
-		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
+		off |= SSL_OP_NO_TLSv1;
+	if (!m_cfg->sslv3())
+		off |= SSL_OP_NO_SSLv3;
+	if (!m_cfg->sslv2())
+		off |= SSL_OP_NO_SSLv2;
 
-	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
+	d->kossl->SSL_set_options(d->m_ssl, off);
 
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
 	if (rc == 0) {
@@ -392,10 +399,15 @@
 	}
 */
 
+	int off = SSL_OP_ALL;
 	if (!d->lastInitTLS && !m_cfg->tlsv1())
-		d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1);
+		off |= SSL_OP_NO_TLSv1;
+	if (!m_cfg->sslv3())
+		off |= SSL_OP_NO_SSLv3;
+	if (!m_cfg->sslv2())
+		off |= SSL_OP_NO_SSLv2;
 
-	d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL);
+	d->kossl->SSL_set_options(d->m_ssl, off);
 
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
 	if (rc == 0) {