I recently updated from FreeBSD 7.2-RELEASE-p5 to 8.0-RELEASE-p1 and did a full reinstall of all ports. After reinstalling irc/xchat, attempting to connect to an SSL-enabled server as I had previously done resulted in the following error:

Connection failed. Error: (336151568) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I can connect to the same server without any problems using pidgin IRC as well as Chatzilla on this same desktop. Looking through Google, a similar error with xchat occurred in Linux when SSLv3 with newer extensions was implemented in OpenSSL 0.9.8g. The solution was to dumb down OpenSSL so it didn't use the extension.

How-To-Repeat:
Install xchat on FreeBSD 8.0-RELEASE-p1. Attempt to connect to an SSL secured irc server.
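Added example, not part of the original report: the number in parentheses is the same packed code as the hex field of the error string, and with the layout OpenSSL used before 3.0 it splits into library, function and reason. Reason 1040 is 1000 plus TLS alert 40 (handshake_failure), so the alert was received from the server rather than raised locally; the struct and function names are illustrative.

```c
/* Added example: unpack an OpenSSL error code (pre-3.0 ERR_PACK layout). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALERT_REASON_OFFSET 1000  /* SSL reasons >= 1000 are 1000 + alert */

struct ossl_err {
    unsigned lib;     /* bits 31..24: library, 20 is "SSL routines" */
    unsigned func;    /* bits 23..12: function inside the library */
    unsigned reason;  /* bits 11..0: reason code */
    int alert;        /* TLS alert received from the peer, or -1 */
};

/* Split a packed code into its three fields. */
static struct ossl_err decode_code(unsigned long code)
{
    struct ossl_err e;
    e.lib = (unsigned)((code >> 24) & 0xffUL);
    e.func = (unsigned)((code >> 12) & 0xfffUL);
    e.reason = (unsigned)(code & 0xfffUL);
    e.alert = (e.lib == 20 && e.reason >= ALERT_REASON_OFFSET)
                  ? (int)(e.reason - ALERT_REASON_OFFSET) : -1;
    return e;
}

/* Find "error:XXXXXXXX:" in a message and decode it; 0 on success. */
static int decode_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char *end;

    if (p == NULL)
        return -1;
    p += strlen("error:");
    unsigned long code = strtoul(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    *out = decode_code(code);
    return 0;
}

int main(void)
{
    const char *msg = "Connection failed. Error: (336151568) error:14094410:"
                      "SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure";
    struct ossl_err e;
    if (decode_line(msg, &e) != 0)
        return 1;
    printf("lib=%u func=%u reason=%u alert=%d\n", e.lib, e.func, e.reason, e.alert);
    return 0;
}
```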
Responsible Changed
From-To: freebsd-ports-bugs->gnome

Fix synopsis and assign.
Searched in Google and found a fix in OpenSSL.

http://marc.info/?l=openssl-cvs&m=124095946021321&w=2 (0.9.8 branch w/out comment)
http://marc.info/?l=openssl-cvs&m=124095943621291&w=2 (1.0.0 branch w/ comment)

I have checked out the latest OpenSSL_0_9_8-stable branch from its CVS and created a patch. Can you try patching your source tree with the patch below and see if it fixes this problem for you?

http://people.freebsd.org/~mezz/diff/patch-crypto_openssl_ssl_t1_lib.c

Cheers,
Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
Steps I took:

cd /usr/src
patch < /path/to/patch-crypto_openssl_ssl_t1_lib.c
make buildworld

The following error occurred:

cc -O2 -pipe -march=prescott -DTERMIOS -DANSI_SOURCE -I/usr/src/secure/lib/libssl/../../../crypto/openssl -I/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto -I/usr/obj/usr/src/secure/lib/libssl -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DL_ENDIAN -DNO_IDEA -std=gnu99 -fstack-protector -c /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_enc.c
cc -O2 -pipe -march=prescott -DTERMIOS -DANSI_SOURCE -I/usr/src/secure/lib/libssl/../../../crypto/openssl -I/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto -I/usr/obj/usr/src/secure/lib/libssl -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DL_ENDIAN -DNO_IDEA -std=gnu99 -fstack-protector -c /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c
/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c: In function 'ssl_add_clienthello_tlsext':
/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:138: error: 'struct ssl3_state_st' has no member named 'send_connection_binding'
/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c: In function 'ssl_add_serverhello_tlsext':
/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/t1_lib.c:260: error: 'struct ssl3_state_st' has no member named 'send_connection_binding'
*** Error code 1
Stop in /usr/src/secure/lib/libssl.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.

Please advise.

Jonathan
On Mon, 04 Jan 2010 10:48:33 -0600, Jonathan Call <lordsith49@hotmail.com> wrote:

> Steps I took:
>
> cd /usr/src
> patch < /path/to/patch-crypto_openssl_ssl_t1_lib.c
> make buildworld
>
> The following error occurred:
<snip>
>
> Please advise.

Ah, it means that I can't checkout latest version of 0.9.8 branch. So.. Let's follow this very same fix:

http://marc.info/?l=openssl-cvs&m=124095946021321&w=2

My other machine is on Windows 7 and I can't shut it down at the moment (work related), so I'm not able to update the patch. If you don't mind editing the file and letting me know the result, that will be cool.

Thanks,
Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
I applied that patch and after a 'make buildworld' and a 'make installworld' xchat now connects to an SSL enabled server without any errors.

Jonathan
Responsible Changed
From-To: gnome->simon

Change from ports to kern and gnome to simon, as it's an OpenSSL bug.
On Fri, 08 Jan 2010 13:21:52 -0600, Jonathan Call <lordsith49@hotmail.com> wrote:

> I applied that patch and after a 'make buildworld' and a 'make
> installworld' xchat now connects to an SSL enabled server without any
> errors.

Thanks for testing it!

Cheers,
Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
Sometimes, a PR isn't easy to follow up. Want to write a clean email at once without trying to follow up in the PR.

I have searched in Google. I get plenty of results from Linux distros that have the same error in different applications (not xchat alone). Most of them have patched their OpenSSL. I have found the fix in its CVS.

http://marc.info/?l=openssl-cvs&m=124095946021321&w=2 (0.9.8 branch w/out comment)
http://marc.info/?l=openssl-cvs&m=124095943621291&w=2 (1.0.0 branch w/ comment)

I have tried to check out the latest OpenSSL_0_9_8-stable branch from its CVS, but it changes a lot. I have gone ahead and created the very same patch as committed at the above URL. Jonathan Call has tested this patch and it works for him to get xchat to connect to the IRC server with SSL.

Patch: http://people.freebsd.org/~mezz/diff/patch-crypto_openssl_ssl_t1_lib.c

It will be great if you can MFC to FreeBSD 8.x and 7.x if possible. Another way, without using the patch above, is to update the OpenSSL in the base system.

Cheers,
Mezz

--
mezz7@cox.net - mezz@FreeBSD.org
FreeBSD GNOME Team
http://www.FreeBSD.org/gnome/ - gnome@FreeBSD.org
Responsible Changed
From-To: simon->freebsd-bugs

Send PRs which I'm unlikely to look at back to the pool.
*** Bug 203699 has been marked as a duplicate of this bug. ***
Created attachment 165250
Patch for inclusion in files

Patch taken from 203699 by cpbsdmail@gmail.com
Can't be in Progress without an Assignee. Let's try to get this 6 year old bug done right. @Lordsith, if this is still an issue for you please let us know. I apologise that your bug report fell through the cracks.
This is also required to connect to servers with SSLv3 disabled to address POODLE (e.g. Slack). An equivalent Debian bug is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766065
A commit references this bug:

Author: brd
Date: Mon Jul 25 17:41:16 UTC 2016
New revision: 419050
URL: https://svnweb.freebsd.org/changeset/ports/419050

Log:
  Fix connecting to servers with SSLv3 disabled to address POODLE.

  PR: 142198
  Submitted by: lordsith49@hotmail.com, brnrd

Changes:
  head/irc/xchat/Makefile
  head/irc/xchat/files/patch-src_common_ssl.c