Bugzilla – Full Text Bug Listing

| Summary: | openssl cannot load build.opensuse.org and bugzilla.novell.com | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.2 | Reporter: | Ralf Haferkamp <ralf> |
| Component: | KDE4 Applications | Assignee: | Guan Jun He <gjhe> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Critical | ||
| Priority: | P1 - Urgent | CC: | adrian.schroeter, coolo, dmueller, Mathias.Homann, meissner, metast, paka, squan |
| Version: | Milestone 4 | Flags: | coolo: SHIP_STOPPER+ |
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | Development | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | the mentioned redhat patch; updated openssl package for i586 and x86_64 | ||

Description
Ralf Haferkamp
2009-07-29 11:24:44 UTC
Hm, somehow the text of my report got cut off :(. Next try. The error message is:
--------------------------
Die Aktion laesst sich nicht ausfuehren
Verbindungsaufbau vom Server abgelehnt
Details der Anfrage:
Adresse: http://bugzilla.novell.com
Protokoll: http
Datum und Zeit: Mittwoch 29 Juli 2009 13:19
Zusaetzliche Information: bugzilla.novell.com: SSL-Aushandlung fehlgeschlagen
--------------------------
Other sites (also through https) work fine. Firefox (and Konqueror from KDE4:Factory on 11.1) is able to display bugzilla and build.opensuse.org.

how about you read then the definition of major? "Major loss of function as specified in the product requirements for this release"? It's not supposed to be the default browser.

please don't override prjmgr prios - just fix the bug

I cannot log into en.opensuse.org or bugzilla.novell.com any more with konqueror.

Version: Version 4.3.00 (KDE 4.3.0) "release 152"
Using KDE 4.3.00 (KDE 4.3.0) "release 152"

The requested operation could not be completed
Connection to Server Refused
Details of the Request:
URL: https://bugzilla.novell.com/show_bug.cgi?id=438993
Protocol: https
Date and Time: Tuesday 04 August 2009 07:08 pm
Additional Information: bugzilla.novell.com: SSL negotiation failed
Description:
The server bugzilla.novell.com refused to allow this computer to make a connection.
Possible Causes:
The server, while currently connected to the Internet, may not be configured to allow requests.
The server, while currently connected to the Internet, may not be running the requested service (https).
A network firewall (a device which restricts Internet requests), either protecting your network or the network of the server, may have intervened, preventing this request.
Possible Solutions:
Try again, either now or at a later time.
Contact the administrator of the server for further assistance.
Contact your appropriate computer support system, whether the system administrator, or technical support group for further assistance.

I'm NOT getting this with build.opensuse.org, but I can't connect to my own intranet sites since they require ssl client certificates, and konqueror in kde 4.3 doesn't seem to have a means to import them and define which ones are to be used where.

*** Bug 530268 has been marked as a duplicate of this bug. ***

This is caused by the openssl update to version k. It breaks basically every qt application (also arora) and the infrastructure based on qt. plain curl seems still to work.

Guan Jun He, are you aware of any incompatibilities?

(In reply to comment #9)
> This is caused by the openssl update to version k. It breaks basically every qt
> application (also arora) and the infrastructure based on qt. plain curl seems
> still to work.
>
> Guan Jun He, are you aware of any incompatibilities?

I installed openssl-0.9.8k and libopenssl-0.9.8k and libopenssl-devel-0.9.8k for my opensuse11.1, I use kde4.1, konqueror 4.1.3(KDE 4.1.3) "release" 4.10.4", it works fine to access https://bugzilla.novell.com, if it's needed to rebuild konqueror, please info me.

Fun fun. It looks like this is nowhere near trivial, and I'm pretty clueless about these things. Yet I'm apparently at least lucky :). I cannot reproduce this problem with Konqueror from KDE4.1.3, in any way. This can be reproduced either on 11.2 (with either Konqueror or Arora) or on 11.1 after installing openssl-0.9.8k and installing Arora from KDE:KDE4:Factory:Desktop (which will probably pull in other things from the repo, at least Qt4 version 4.5.2, so if you do this on a production machine, revert this afterwards, KDE4.1.3 doesn't work very well with this Qt version).

While searching for more info, I was also told:
=====
] the issue I'm thinking of is a server-side issue where if you send tls extensions on ssl3, the server incorrectly calculates the checksum, so fails the handshake
] the client-side workaround being not to send tls extension advertisements on ssl3
] though, that server-side issue is only in old openssl versions
] IMO not a qt bug, or even an openssl client bug
] and most distros patch their openssl nowadays to not send tls extensions on ssl3
=====
So I checked the RedHat openssl package and the patch called openssl-0.9.8g-no-extssl.patch looked to me reasonably close to what is mentioned above. And our openssl package with this patch applied makes both Konqueror and Arora on 11.2 work when accessing the affected sites. I have no idea what the patch really does. As far as I understand it, the Novell sites have broken HTTPS support and the patch makes openssl avoid triggering the brokenness.

Created attachment 314579 [details]
the mentioned redhat patch
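
Added example, not part of the bug thread or of the Red Hat patch: a check for the condition described in the quoted explanation above, an SSLv3 ClientHello that still carries a TLS extensions block, applied to a raw ClientHello record such as one exported from a packet capture. The sample records are constructed and the function names are illustrative; the parser assumes the ClientHello fits in a single record.

```python
import struct

SSL3 = (3, 0)  # wire version of SSLv3; TLS 1.0 is (3, 1)

def build_client_hello(version, extensions=()):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    body = bytes(version) + bytes(32)            # client_version + zeroed random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one suite: RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # null compression only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (client_version, [extension type, ...]) for one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        version = (body[0], body[1])
        pos = 2 + 32                                           # skip version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        ext_types = []
        if pos < len(body):                                    # optional extensions block
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                ext_types.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return version, ext_types

def ssl3_hello_has_extensions(record):
    """True when an SSLv3 ClientHello still advertises TLS extensions."""
    version, ext_types = parse_client_hello(record)
    return version == SSL3 and bool(ext_types)

if __name__ == "__main__":
    # Constructed records: type 35 is the SessionTicket extension (RFC 5077).
    for name, rec in [("ssl3 + ext", build_client_hello(SSL3, [(35, b"")])),
                      ("ssl3 plain", build_client_hello(SSL3))]:
        print(name, parse_client_hello(rec), ssl3_hello_has_extensions(rec))
```
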

And I actually have a very simple testcase - 'openssl s_client -connect bugzilla.novell.com:443 -ssl3'.

If this could be of any help:

On my machine (Factory Version), your test spit out the following:

alex@linux-jvwb:~> openssl s_client -connect bugzilla.novell.com:443 -ssl3
CONNECTED(00000003)
7372:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
alex@linux-jvwb:~>

And yes, its qt 4.5.2

alex@linux-jvwb:~> rpm -qa | grep qt4
libqt4-4.5.2-2.5
libqt4-sql-4.5.2-2.5
libpoppler-qt4-3-0.11.2-1.2
qt4-qtscript-doc-0.1.0-3.9
libqt4-x11-4.5.2-2.5
python-qt4-4.5.4-2.2
qt4-qtscript-0.1.0-3.9
libqt4-sql-sqlite-4.5.2-2.5
qt4-style-polyester-2.0.0-2.11
libqt4-qt3support-4.5.2-2.5
qt4-x11-tools-4.5.2-2.4

Here is more:
x86_64 Factory/M6

08:35 wahoo:~ > openssl s_client -connect bugzilla.novell.com:443 -ssl3
CONNECTED(00000003)
14922:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
08:36 wahoo:~ > rpm -qa |grep qt4
libqt4-4.5.2-57.3
libqt4-x11-4.5.2-57.3
python-qt4-4.5.4-32.1
libqt4-qt3support-4.5.2-57.3
libqt4-x11-32bit-4.5.2-57.3
libpoppler-qt4-3-0.11.2-21.2
libqt4-qt3support-32bit-4.5.2-57.3
libqt4-sql-mysql-32bit-4.5.2-59.1
libqt4-32bit-4.5.2-57.3
libqt4-sql-sqlite-32bit-4.5.2-57.3
libqt4-sql-sqlite-4.5.2-57.3
libqt4-sql-32bit-4.5.2-57.3
qt4-qtscript-0.1.0-6.7
libqt4-sql-4.5.2-57.3
libqt4-sql-mysql-4.5.2-59.1

(In reply to comment #14)
> If this could be of any help:
>
> On my machine (Factory Version), your test spit out the following:
>
> alex@linux-jvwb:~> openssl s_client -connect bugzilla.novell.com:443 -ssl3
> CONNECTED(00000003)
> 7372:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:530:
> alex@linux-jvwb:~>
>
> And yes, its qt 4.5.2
>
> alex@linux-jvwb:~> rpm -qa | grep qt4
> libqt4-4.5.2-2.5
> libqt4-sql-4.5.2-2.5
> libpoppler-qt4-3-0.11.2-1.2
> qt4-qtscript-doc-0.1.0-3.9
> libqt4-x11-4.5.2-2.5
> python-qt4-4.5.4-2.2
> qt4-qtscript-0.1.0-3.9
> libqt4-sql-sqlite-4.5.2-2.5
> qt4-style-polyester-2.0.0-2.11
> libqt4-qt3support-4.5.2-2.5
> qt4-x11-tools-4.5.2-2.4

where I can get the Factory Version OS, I want to do more testing to debug the issue. thanks

(In reply to comment #17)
> (In reply to comment #14)
> > If this could be of any help:
> >
> > On my machine (Factory Version), your test spit out the following:
> >
> > alex@linux-jvwb:~> openssl s_client -connect bugzilla.novell.com:443 -ssl3
> > CONNECTED(00000003)
> > 7372:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> > failure:s3_pkt.c:530:
> > alex@linux-jvwb:~>
> >
> > And yes, its qt 4.5.2
> >
> > alex@linux-jvwb:~> rpm -qa | grep qt4
> > libqt4-4.5.2-2.5
> > libqt4-sql-4.5.2-2.5
> > libpoppler-qt4-3-0.11.2-1.2
> > qt4-qtscript-doc-0.1.0-3.9
> > libqt4-x11-4.5.2-2.5
> > python-qt4-4.5.4-2.2
> > qt4-qtscript-0.1.0-3.9
> > libqt4-sql-sqlite-4.5.2-2.5
> > qt4-style-polyester-2.0.0-2.11
> > libqt4-qt3support-4.5.2-2.5
> > qt4-x11-tools-4.5.2-2.4
>
> where I can get the Factory Version OS, I want to do more testing to debug the
> issue. thanks

I find the milestone6 on http://download.opensuse.org/distribution/11.2-Milestone6/iso/, and I will use it to debug this issue, if there is anything improper, please info me.

it's not an openssl bug, maybe the qt4.5.2's bug. the following is the detail description:

1. for qt4-4.4.3, openssl-0.9.8k, everything is ok, the simple steps are:
SSL Client Hello
SSLV3 ServerHello
SSLV3 Certificate
reset
SSLV2 Client Hello
SSLV3 Server Hello
SSLV3 Certificate
SSLV3 Client Key Exchange
SSLV3 Change Cipher Spec
application data...

2. for qt4-4.5.2, openssl-0.9.8k, can not access bugzilla.novell.com, the simple steps are:
SSL Client Hello
SSLV3 ServerHello
SSLV3 Certificate
reset
SSL Client Hello(still SSL, should try SSL2, maybe then SSL3)
SSLV3 ServerHello
SSLV3 Certificate
reset
endless loop
timeout...

so, this is not a bug of openssl. Client need to analyze the reply from server, SSL failed, then try SSL2, may be then SSL3, for this issue, SSL2 is ok. if any concern, please info me. thanks

First of all, the bugreport is still assigned to you. And second, comment #13 has a very simple Qt-independent testcase that clearly does or does not fail depending only on whether the affected openssl version is or is not installed. This is reproducible even on openSUSE11.1. At the very least this is a regression.

(In reply to comment #14)
> If this could be of any help:
>
> On my machine (Factory Version), your test spit out the following:
>
> alex@linux-jvwb:~> openssl s_client -connect bugzilla.novell.com:443 -ssl3
> CONNECTED(00000003)
> 7372:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:530:
> alex@linux-jvwb:~>
>
> And yes, its qt 4.5.2
>
> alex@linux-jvwb:~> rpm -qa | grep qt4
> libqt4-4.5.2-2.5
> libqt4-sql-4.5.2-2.5
> libpoppler-qt4-3-0.11.2-1.2
> qt4-qtscript-doc-0.1.0-3.9
> libqt4-x11-4.5.2-2.5
> python-qt4-4.5.4-2.2
> qt4-qtscript-0.1.0-3.9
> libqt4-sql-sqlite-4.5.2-2.5
> qt4-style-polyester-2.0.0-2.11
> libqt4-qt3support-4.5.2-2.5
> qt4-x11-tools-4.5.2-2.4

Have you applied the patch from comment #12? and, could you provide the captured packets? you can use wireshark to capture the packets for port 443. thanks

(In reply to comment #24)
[..]
> Have you applied the patch from comment #12?

No. But if you could provide me an openssl package containing that patch I would be happy to test it.

Created attachment 315731 [details]
updated openssl package for i586 and x86_64
if these packages are not for your arch, please info me. thanks

These packages make arora working for me again.

(In reply to comment #27)
> These packages make arora working for me again.

great, thanks

patch has been submitted to SUSE:Factory:Head

please do not submit to internal build service. our factory distribution is open and this openness relies on submits being visible on build.opensuse.org

patch submitted to Base:System

Fixed package was checked into Factory.

This is an autogenerated message for OBS integration: This bug (526319) was mentioned in https://build.opensuse.org/request/show/101073 Evergreen:11.1 / openssl

This is an autogenerated message for OBS integration: This bug (526319) was mentioned in https://build.opensuse.org/request/show/102566 Evergreen:11.1 / openssl

SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.
Category: feature (moderate)
Sources used:
SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.