Summary: | REGRESSION: Bank of America on-line banking site quit working | | |
---|---|---|---|
Product: | [Unmaintained] kio | Reporter: | James Richard Tyrer <tyrerj> |
Component: | kssl | Assignee: | Dirk Mueller <mueller> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | binner, davidxross, hasso, rwenzel |
Priority: | NOR | | |
Version: | unspecified | | |
Target Milestone: | --- | | |
Platform: | Compiled Sources | | |
OS: | Linux | | |
Latest Commit: | | Version Fixed In: | |
Sentry Crash Report: | | | |
Attachments: | possible patch; Output of openssl ciphers; new patch; patch v2; Konsole output after clicking button | | |
Description
James Richard Tyrer
2006-08-09 01:13:14 UTC
can you give me kssl debug output and the output of "openssl ciphers"? which distro is that, btw?

Same here with Debian unstable. bankofamerica.com "sign in" button works for me, btw, but much internal stuff here doesn't. HTTPS in general is OK, but "HTTP -> 302 -> HTTPS" seems to cause the trouble.

It's probably not a KDE bug though. For example FTP/SSL stopped working for me as well. And not only for me - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381944

Hasso: you're using gnutls, right? gnutls is fucked, don't use it. James: do you use gnutls as well? which url can you access/can't you access?

Dirk: nope, I specially set openssl lib path in settings. Anyway, I just discovered that reverting rev 568289 makes Konqueror work again for me.

lftp issue in Debian unstable seems to be in the app itself; just downgrading lftp (not touching any libraries) makes it work again, so this is not related.

Created attachment 17307 [details]
possible patch
does this patch help?
No.

Created attachment 17322 [details]
Output of openssl ciphers
Re: Comment #4
I have GnuTLS installed; however, I explicitly built KDE against OpenSSL: --with-ssl-dir=/usr/local/ssl

that doesn't mean that it actually uses openssl, given that kssl dlopen's the file it finds according to very strange rules. can you actually confirm via lsof etc that it loads the openssl libraries and not the gnutls compat wrapper? also, does it work if you disable tlsv1 support in kssl? does it work if you disable sslv3? what is the difference between openssl ciphers -tls1 and -ssl3?

Created attachment 17338 [details]
new patch
I believe this patch should resolve the bug, can you test?
Created attachment 17339 [details]
patch v2
this shouldn't make a difference, but is theoretically more correct.
*** Bug 108388 has been marked as a duplicate of this bug. *** I have uninstalled GNUtls. Didn't help. I tried -r568289 with KDELibs and KDEBase. Didn't help. I would think that it might not be a KDE issue except that Firefox still opens the two sites OK. I checked: "Warn on entering SSL mode" so that I could get the crypto information. I found that the KCM tab "OpenSSL" didn't have the: Path to OpenSSL Shared Libraries" set, so I set that to: "/usr/local/ssl/lib". I found that it didn't have the path to the "entropy file" set so I checked "Use entropy file" and set the path to: "/var/lib/random-seed". I note that setting this with the file selection dialog doesn't work, the KCM crashes. Copy and Paste works OK. This did result in a change. Now the BofA site displays an error: An error occurred while loading https://sitekey.bankofamerica.com/sas/signon.do: Connection to host sitekey.bankofamerica.com is broken. No change at the Chase site. Where and how do I disable tls1? Yes, my problem (ie. regression caused by patch from bug #108388) is solved with patch from comment 12. Original reporter seems to have different problem though, seems. James; you have to update to r568288 or to current HEAD as I'm going to install the patch, which should fix the issue. feel free to reopen once you're sure that this isn't caused by your gnutls/openssl settings. I believe from reading your last comment that you messed it up now that it doesn't load the openssl files either. SVN commit 571987 by mueller: make SSL work again for sites that don't support TLSv1 BUG: 132098 M +6 -7 kssl.cc --- branches/KDE/3.5/kdelibs/kio/kssl/kssl.cc #571986:571987 @@ -138,6 +138,8 @@ d->m_meth = d->kossl->TLSv1_client_method(); d->lastInitTLS = true; + m_pi.reset(); + d->m_ctx = d->kossl->SSL_CTX_new(d->m_meth); if (d->m_ctx == 0L) { return false; 
@@ -160,9 +162,6 @@ bool KSSL::initialize() { #ifdef KSSL_HAVE_SSL kdDebug(7029) << "KSSL initialize" << endl; - if (m_cfg->tlsv1()) - return TLSInit(); - if (m_bInit) return false; @@ -175,9 +174,9 @@ m_pi.reset(); - if (m_cfg->sslv2() && !m_cfg->sslv3()) + if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1()) d->m_meth = d->kossl->SSLv2_client_method(); - else if (m_cfg->sslv3() && !m_cfg->sslv2()) + else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()) d->m_meth = d->kossl->SSLv3_client_method(); else d->m_meth = d->kossl->SSLv23_client_method(); @@ -307,7 +306,7 @@ } */ - if (!d->lastInitTLS) + if (!d->lastInitTLS && !m_cfg->tlsv1()) d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); 
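Review bot: in the `KSSL::initialize()` hunk (@@ -160 / @@ -175), dropping the early `return TLSInit();` and mapping `(m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()` to `SSLv3_client_method()` means that no configuration with SSLv3 also enabled can ever send a TLSv1 ClientHello: `SSLv3_client_method()` speaks SSLv3 only, and the `SSL_OP_NO_TLSv1` handling in the next hunk can remove a version but never add one, so a server that accepts only TLSv1 (the `openssl s_server -tls1` / Apache `SSLProtocol TLSv1` cases raised later in this report) fails in the default TLSv1+SSLv3 configuration. Selecting `SSLv23_client_method()` whenever more than one version is enabled and masking the unchecked ones with `SSL_OP_NO_SSLv2` / `SSL_OP_NO_SSLv3` / `SSL_OP_NO_TLSv1` keeps both SSLv3-only and TLSv1-only servers reachable. The option-setting block at @@ -307 is also repeated verbatim at @@ -393 and would be a natural candidate for a shared helper.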
@@ -393,7 +392,7 @@ } */ - if (!d->lastInitTLS) + if (!d->lastInitTLS && !m_cfg->tlsv1()) d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); I applied the patch and the Chase site now works and the BofA site doesn't. So, you have fixed *a* problem. The BofA site _might_ be a different problem. The rebuild to get back to the current branch HEAD will take a while so I can't say for sure about BofA yet. Recycling this bug. The Bank of America site doesn't work. I still get: "ERROR 500". I have uninstalled GNUtls so that shouldn't be the problem. The Bank of America site worked OK for some time in Konqueror and then suddenly quit working. So, I doubt that it is a OpenSSL setting. How should I go about debugging this? when do you get error 500 when doing *what* ? do you have an established https connection already? (is there a ssl details you can open?) is this error 500 from the ioslave, the website? .. I have no idea what you're talking about, as I could reproduce the failure before but not anymore. I don't have an account there, but if I enter random account data I get as far as the error message about my password being invalid. The start page: "http://www.bankofamerica.com/" has a button: "Sign In" on it. You enter your ID and click it. It then tries to load: "https://sitekey.bankofamerica.com/sas/signon.do" and fails with the error. I have attached the Konsole output. Created attachment 17346 [details]
Konsole output after clicking button
I think that "ERROR 500:" is an error on their server. I deleted my cookie and tried an invalid user number and got the same result using "Arizona". Same result. A server error would probably mean that it was sending the wrong information to their server.

ok, once again, very slowly. if you click on this link: https://sitekey.bankofamerica.com/sas/signon.do directly, do you get the error message "You have not entered your Online ID" with a bank of america logo in the upper left or not? if not, do you get the error 500 in a website or is it an error you get from the http layer? in any case, this doesn't look like the bug this report was about.

Re: Comment #24
If I click on the link, I get "ERROR 500:". I presume that this is not the case on your system -- that you get the error message which you quoted. If so, I am totally puzzled by this. This reference: http://www.checkupdown.com/status/E500.html says that "ERROR 500" is an "Internal server error". Since Firefox (and SeaMonkey, and Epiphany [all Gecko]) work correctly, and Konqueror used to work correctly, my best guess is that the internal server error is being caused by KDE sending the wrong information. Perhaps it only fails when it sees my name. :-D As I said, I was recycling the bug report (changed the title) for what appears to be a problem which is different from the one you fixed. However, this problem started at about the same time as the problem with the Chase site. I noticed them the same day.

*** Bug 132358 has been marked as a duplicate of this bug. ***

JRT: thanks, I know what error 500 means. :) given that you probably can't give me information on how the login data you're sending looks (and if it happens with simple input like 01234567890, which I tested as well), the only thing I can suggest you do is to track down, by binary search, the particular svn revision which broke it for you. shouldn't be more than 10-15 recompilations.

I traced this to a corrupted *rc file.
Don't know why it only affected the B of A site. SVN commit 571987 by mueller: make SSL work again for sites that don't support TLSv1 BUG: 132098 And again don't work sites that don't support SSLv3. Let's make TLS work only when TLS checkbox = true and SSLv3 checkbox = false. --- kssl.cc 2006-08-11 22:34:04.000000000 +0000 +++ kssl_LISSI.cc 2006-08-21 19:41:45.337866392 +0000 @@ -176,8 +176,11 @@ if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1()) d->m_meth = d->kossl->SSLv2_client_method(); - else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()) + else if ((m_cfg->tlsv1() && m_cfg->sslv3()) && !m_cfg->sslv2()) d->m_meth = d->kossl->SSLv3_client_method(); +//Patch LISSI Ltd, http://www.lissi.ru, mailto: info@lissi.ru + else if ((m_cfg->tlsv1() && !m_cfg->sslv3()) && !m_cfg->sslv2()) + return TLSInit(); else d->m_meth = d->kossl->SSLv23_client_method(); /* this patch is not acceptable. does this work for you? --- kssl.cc (revision 573819) +++ kssl.cc (working copy) 
@@ -176,6 +176,8 @@ bool KSSL::initialize() { if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1()) d->m_meth = d->kossl->SSLv2_client_method(); + else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2()) + d->m_meth = d->kossl->TLSv1_client_method(); else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()) d->m_meth = d->kossl->SSLv3_client_method(); else d->m_meth = d->kossl->SSLv23_client_method(); the problem is that I can not reproduce the issue you're reporting with the host that you gave as an example, and additionally I don't see how that should be happening. openssl s_client -ssl2 -connect kis.hosteurope.de:443 fails, but openssl s_client -ssl3 -connect kis.hosteurope.de:443 and openssl s_client -tls1 -connect kis.hosteurope.de:443 connects just fine for me. Patch seems to works fine. Maybe in documentation must be said that if server works only with TLSv1 user need to make SSLv3 checkbox to fasle. And about reproduce: 1) Openssl command line. Start openssl test-server openssl s_server -cert <cert_file> -key <key_file> -tls1 Then try openssl s_client -connect 127.0.0.1:4444 -ssl3 and you resive an error message("wrong protcol number bla-bla-bla") Then try openssl s_client -connect 127.0.0.1:4444 -tls1 and all works fine. 2)Apache For Apache you can select protocol by directive "SSLProtocol TLSv1|SSLv3|SSLv2" If you start your server with SSLProtocot TLSv1 - you cannot visit it by SSLv3. Only TLSv1. SVN commit 576152 by mueller: fix TLSv1 again, now that I actually understood how openssl works CCBUG: 132098 M +18 -6 kssl.cc --- branches/KDE/3.5/kdelibs/kio/kssl/kssl.cc #576151:576152 
@@ -174,9 +174,11 @@ m_pi.reset(); - if (m_cfg->sslv2() && !m_cfg->sslv3() && !m_cfg->tlsv1()) + if (!m_cfg->tlsv1() && !m_cfg->sslv3() && m_cfg->sslv2()) d->m_meth = d->kossl->SSLv2_client_method(); - else if ((m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()) + else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2()) + d->m_meth = d->kossl->TLSv1_client_method(); + else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2()) d->m_meth = d->kossl->SSLv3_client_method(); else d->m_meth = d->kossl->SSLv23_client_method(); @@ -306,10 +308,15 @@ } */ + int off = SSL_OP_ALL; if (!d->lastInitTLS && !m_cfg->tlsv1()) - d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); + off |= SSL_OP_NO_TLSv1; + if (!m_cfg->sslv3()) + off |= SSL_OP_NO_SSLv3; + if (!m_cfg->sslv2()) + off |= SSL_OP_NO_SSLv2; - d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); + d->kossl->SSL_set_options(d->m_ssl, off); rc = d->kossl->SSL_set_fd(d->m_ssl, sock); if (rc == 0) { @@ -392,10 +399,15 @@ } */ + int off = SSL_OP_ALL; if (!d->lastInitTLS && !m_cfg->tlsv1()) - d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); + off |= SSL_OP_NO_TLSv1; + if (!m_cfg->sslv3()) + off |= SSL_OP_NO_SSLv3; + if (!m_cfg->sslv2()) + off |= SSL_OP_NO_SSLv2; - d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); + d->kossl->SSL_set_options(d->m_ssl, off); rc = d->kossl->SSL_set_fd(d->m_ssl, sock); if (rc == 0) { |
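Review bot: the LISSI hunk (kssl.cc vs kssl_LISSI.cc, @@ -176) leaves `KSSL::initialize()` with `return TLSInit();` from the middle of the method-selection chain, after `m_pi.reset()` has already run, so the TLSv1-only configuration takes a second, separate initialisation path instead of setting `d->m_meth = d->kossl->TLSv1_client_method();` in place like the other branches. Changing the preceding condition from `tlsv1() || sslv3()` to `tlsv1() && sslv3()` still pins `SSLv3_client_method()` whenever both boxes are checked, so a TLSv1-only server remains unreachable with default settings. The `//Patch LISSI Ltd, http://www.lissi.ru, mailto: info@lissi.ru` line is attribution and belongs in the commit message, not in the source.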
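Review bot: the working-copy patch against kssl.cc (revision 573819) adds `else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2()) d->m_meth = d->kossl->TLSv1_client_method();` but keeps the next branch, `(m_cfg->tlsv1() || m_cfg->sslv3()) && !m_cfg->sslv2()`, selecting `SSLv3_client_method()`, so with both TLSv1 and SSLv3 checked the client still offers SSLv3 only and a TLSv1-only server keeps failing unless the user unchecks SSLv3 (the follow-up comment proposing to document exactly that workaround confirms it). Since the TLSv1-only case is now caught above, that condition reduces to `sslv3() && !sslv2()`, and the mixed TLSv1+SSLv3 case should fall through to `SSLv23_client_method()` with `SSL_OP_NO_SSLv2` set rather than pin SSLv3.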
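Review bot: in both `SSL_set_options` hunks of r576152 (@@ -306 and @@ -392), `int off = SSL_OP_ALL;` should be `long off = SSL_OP_ALL;`: `SSL_set_options()` takes a `long` option mask and the `SSL_OP_*` constants are `long`, so accumulating them in an `int` relies on the flags happening to fit in 32 bits. The name `off` is also misleading, since the value is passed to `SSL_set_options()` and is therefore the set of options being turned on (the `SSL_OP_ALL` workarounds plus the `SSL_OP_NO_*` version disables); `opts` would read better. Finally, the same three-`if` mask construction now appears twice; a small helper deriving the mask from `m_cfg` would keep the connect and accept paths from drifting apart. The method selection itself (`TLSv1_client_method()` / `SSLv3_client_method()` / `SSLv2_client_method()` only for single-version configurations, `SSLv23_client_method()` otherwise) now matches the checkbox semantics.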
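The version-selection argument running through this report (SSLv3_client_method() versus TLSv1_client_method() versus SSLv23_client_method() plus SSL_OP_NO_* masks) can be checked without a network by modelling which protocol versions each revision's client code offers and intersecting that with what a server accepts. This is an added example, not kssl.cc or OpenSSL code: the V_* bitmask constants, the three offered_* functions and negotiated() are an assumed simplification that mirrors the checkbox logic visible in the hunks above and OpenSSL's highest-common-version rule.

```c
/* Added model (not kssl.cc or OpenSSL code): which protocol versions kssl
 * *offers* for a given set of KCM checkboxes at each revision discussed above,
 * and whether a server accepting only some versions can complete the
 * handshake. Versions are bitmask bits; no libssl is linked. */
#include <stdbool.h>
#include <stdio.h>

enum { V_SSL2 = 1, V_SSL3 = 2, V_TLS1 = 4, V_ALL = V_SSL2 | V_SSL3 | V_TLS1 };
/* Before r571987: TLSv1 box forced TLSInit() -> TLSv1_client_method() only. */
static int offered_pre_r571987(bool tlsv1, bool sslv3, bool sslv2) {
    if (tlsv1)           return V_TLS1;   /* the regression this bug reports */
    if (sslv2 && !sslv3) return V_SSL2;
    if (sslv3 && !sslv2) return V_SSL3;
    return V_SSL2 | V_SSL3;               /* SSLv23 + SSL_OP_NO_TLSv1 */
}
/* r571987: tlsv1||sslv3 without sslv2 pins SSLv3_client_method(), which never
 * sends a TLSv1 ClientHello, so TLSv1-only servers are unreachable. */
static int offered_r571987(bool tlsv1, bool sslv3, bool sslv2) {
    int m = V_ALL;                                   /* SSLv23 */
    if (sslv2 && !sslv3 && !tlsv1)       m = V_SSL2;
    else if ((tlsv1 || sslv3) && !sslv2) m = V_SSL3;
    return tlsv1 ? m : (m & ~V_TLS1);                /* SSL_OP_NO_TLSv1 */
}
/* r576152: single-version configs get their dedicated method; any mix uses
 * SSLv23 and drops versions with SSL_OP_NO_SSLv2 / _SSLv3 / _TLSv1. */
static int offered_r576152(bool tlsv1, bool sslv3, bool sslv2) {
    int m = V_ALL;
    if (!tlsv1 && !sslv3 && sslv2)      m = V_SSL2;
    else if (tlsv1 && !sslv3 && !sslv2) m = V_TLS1;
    else if (!tlsv1 && sslv3 && !sslv2) m = V_SSL3;
    if (!tlsv1) m &= ~V_TLS1;
    if (!sslv3) m &= ~V_SSL3;
    if (!sslv2) m &= ~V_SSL2;
    return m;
}
/* Highest version both sides accept, or 0 on a version mismatch (what
 * "openssl s_client -ssl3" shows against "openssl s_server -tls1"). */
static int negotiated(int offered, int server) {
    int c = offered & server;
    return (c & V_TLS1) ? V_TLS1 : (c & V_SSL3) ? V_SSL3 : (c & V_SSL2);
}
int main(void) {          /* default KCM: TLSv1 and SSLv3 on, SSLv2 off */
    const int servers[] = { V_SSL3, V_TLS1 };
    printf("server-only  pre-571987  r571987  r576152  (0 = handshake fails)\n");
    for (int i = 0; i < 2; i++)
        printf("%-12s %-11d %-8d %d\n", servers[i] == V_SSL3 ? "SSLv3" : "TLSv1",
               negotiated(offered_pre_r571987(true, true, false), servers[i]),
               negotiated(offered_r571987(true, true, false), servers[i]),
               negotiated(offered_r576152(true, true, false), servers[i]));
    return 0;
}
```

The two rows reproduce the thread: the pre-r571987 client fails against an SSLv3-only server (the Chase symptom), r571987 fixes that but fails against a TLSv1-only server, and r576152 negotiates both.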