Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 456362

Summary: net-libs/neon with >=dev-libs/openssl-1.0.1 - net-fs/davfs2 and net-misc/cadaver fail to connect to a blackboard LMS
Product: Gentoo Linux Reporter: Bill Kenworthy <billk>
Component: Current packagesAssignee: Arfrever Frehtes Taifersar Arahesis <arfrever.fta>
Status: UNCONFIRMED ---    
Severity: normal CC: jstein, mgorny
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Bill Kenworthy 2013-02-10 00:34:07 UTC
davfs and cadaver (via "neon" which provides the ssl interface) fail to connect to a blackboard LMS (learning management system) using webdav over https for dev-libs/openssl-1.0.1 all versions.  Lower versions (specifically 1.0.0j) work.

I dont have a copy of the exact error message but it was a simple "unknown protocol" from the mount command.

It appears related to tlsv1.0 fallback failing.  There are a few bugs on the web (e.g., redhat) but suggested fix is to move to sslv3 but this is not an option on this system (or doesnt work either).

Ive rebuilt openssl/neon/cadaver/davfs2 numerous times on two systems in different locations to the LMS I am trying to connect to and 1.0.0j is the last working version I can use.


BillK


moriah ~ # emerge --info
Portage 2.1.11.31 (default/linux/x86/10.0, gcc-4.6.3, glibc-2.15-r3, 3.7.4-gentoo i686)
=================================================================
System uname: Linux-3.7.4-gentoo-i686-Pentium-R-_Dual-Core_CPU_E6600_@_3.06GHz-with-gentoo-2.1
Timestamp of tree: Fri, 08 Feb 2013 12:15:01 +0000
ld GNU ld (GNU Binutils) 2.22
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 3.1.8 [enabled]
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.5.4-r4, 2.6.8, 2.7.3-r2, 3.1.5, 3.2.3
dev-util/ccache:          3.1.8
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.4_p6-r1, 1.5-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.6
sys-devel/binutils:       2.20.1-r1, 2.22-r1
sys-devel/gcc:            4.3.6-r1, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo ardunio arduino zugaina sunrise x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1 Oracle-BCLA-JavaSE sun-bcla-java-vm AdobeFlash-10 AdobeFlash-10.1 AdobeFlash-10.3 skype-eula"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-w -march=core2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-w -march=core2 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://ftp.iinet.net.au/pub/Gentoo"
LANG="en_AU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/arduino /var/lib/layman/luksans-arduino /var/lib/layman/zugaina /var/lib/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="16bittmp X a52 aac aalib acpi activefilter adns adplug alaw alsa ao apache2 asterisk async audacious avahi bash-completion berkdb bgpclassless binfilter bluetooth bonobo branding browserplugin bs2b btrfs buffysize bzip2 cairo calendar cdda cddb cdparanoia cdr cgi clamav cleartype cli consolekit corefonts cracklib crypt cscope ctype cue cups curl curlwrappers customlog cvs cxx dba dbus dedicated device-mapper dga dhcp dirac directfb discard-path djvu dlloader dlz dmraid dri dts dv dvb dvd dvi edd eds encode epoll erandom esd examples exif ext-sound extensions extras faac fam fat fbcon fbsplash fdt ffmpeg fftw filter fits flac flash fluidsynth follow-xff font-server fontconfig foomaticdb force-cgi-redirect fortran fpx freetds frontendonly ftp fuse g711 g722 g7221 gcj gcrypt gd gdal gdbm gdu geos gif gimp gimpprint git gl2ps glib glibc-omitfp gml gnome-keyring gnutls gpc gphoto2 gpm gps graphviz gs gsm gstreamer gtk gtk3 gtkhtml h323 hal hdf hdf5 hpn iax iconv idn ilbc imagemagick imap imlib innodb ios iproute2 ipv6 java javascript jbig jpeg jpeg2k kate kdeenablefinal kdrive l16 lame lcms ldap libatomic libclamav libkms libnotify libsamplerate lm_sensors logrotate lua lzma lzo mad mbrola mdadm midi mms mmx mmxext mng modules motif mozilla mozsvg mp3 mpeg mtp mudflap multipath multislot multitarget multiuser mysql mythbrowser mythgallery mythgame mythmusic mythnetvision mythnews mythtv mythweather nautilus ncurses netlink netpbm nls nntp no-htdocs nptl nsplugin ntfs oav objc odbc ogdi ogg old-linux opengl ospfapi pae pam passwordsave pch pcre pda pdf pdfimport pdo perl perl-geoipupdate php png pnm policykit postgres ppds proj pulseaudio python pyzord qemu qemu-ifup qt3support quicktime radosgw rar rbd rdesktop readline reiserfs rpm rtc rtsp samba sasl scanner schroedinger scrobbler sdl seamonkey sensord server session sftp sftplogging sid sip sln16 slp smi smp smux sndfile soap sockets sound speex spell sqlite sse sse2 ssl ssse3 startup-notification stream subversion svg swat sysfs syslog system-crontab szip t1lib tcl tcltk tcmalloc tcpd templates tga theora tidy tiff tk tokenizer toolbar truetype udev udisks ulaw underscores unicode unzip upnp upower urandom usb utils v4l v4l2 vaapi vcd vde vidix vim-pager vim-syntax vim-with-x virtfs virus-scan vnc vorbis vpx wav wavpack wddx webdav win32codecs wma-fixed wmf wxGTK x264 x86 xanim xattr xext xfs xine xml xmlrpc xorg xpm xsl xulrunner xv xvid yaz zaptel zip zlib zrtp zvbi" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authn_alias authn_core authz_core authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack usertrack_module vhost_alias cgid authn_core authz_core unixd socache_shmcb lbmethod_byrequests slotmem_shm" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport" LINGUAS="en en_AU.UTF-8" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="jython2_5 pypy1_8 python2_5 python2_6 python2_7 python3_1 python3_2" QEMU_SOFTMMU_TARGETS="i386 arm" QEMU_USER_TARGETS="i386 arm armeb" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="epson epson2 net" USERLAND="GNU" VIDEO_CARDS="intel fbdev vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

moriah ~ #
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-12 14:44:56 UTC
Do they work when you compile net-libs/neon with USE="gnutls -ssl"?
Comment 2 Bill Kenworthy 2013-02-12 22:56:45 UTC
Yes, that was the original configuration ... I cant find the original redhat post that tipped me off to the cause but it actually suggested moving from gnutls to openssl and forcing sslv3 (which cant be done with neon as far as I can see).  It was at this point I discovered an machine that had not been upgraded worked with the older openssl so moved my desktop to openssl which didnt work either whereupon I found the version differences.

The blackboard LMS systems are notorious as being particularly "difficult" for users/admins to deal with but I am not sure if its a standards problem, or just "one of those things" - google shows "unknown protocol" can be caused by client or server.

using:
openssl s_client -host lms.murdoch.edu.au -port 443

connects to the server and lists the config details.  There is a "Verify return code: 20 (unable to get local issuer certificate)" but as firefox connects ok I dont think thats a real problem.  Wireshark shows Firefox using tlsv1, and neon starting and failing the protocol negotiation.

BillK
Comment 3 Bill Kenworthy 2013-02-12 22:59:56 UTC
whoops, typo.  The first sentence should read "No, it did not work"  gnutls was the original configuration.  It did work some several months ago, but there have been many upgrades both ends since then.
Comment 4 Chris Shelton 2013-04-15 14:30:58 UTC
This issue likely has the same cause as https://bugs.gentoo.org/show_bug.cgi?id=462348.  Openssl 1.0.1 tries to use tls v1.1 or 1.2 for client connections and can't fallback to tls v1.0.  

There is a long discussion of this same issue here:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371

Ubuntu applied a patch to disable tls v1.1 and 1.2 for client connections.  

Is there some way to tell neon to use a tls v1.0 connection, rather than leaving the negotiation up to openssl?  If so, that may be another way to workaround this issue.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-02-07 18:07:19 UTC
Is this still a problem?