Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 412859 - >=dev-libs/openssl-1.0.1 breaks paypal, facebook and some other https servers
Summary: >=dev-libs/openssl-1.0.1 breaks paypal, facebook and some other https servers
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
: 462348 (view as bug list)
Depends on:
Blocks: 412661
  Show dependency tree
Reported: 2012-04-21 05:52 UTC by Alexander E. Patrakov
Modified: 2014-02-04 09:44 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander E. Patrakov 2012-04-21 05:52:06 UTC
The https connections to the mentioned sites just hang, because OpenSSL sends too-big ClientHello packets that are filtered out.

Reproducible: Always

Steps to Reproduce:
In a python interpreter, type these lines:

>>> from urllib2 import urlopen
>>> urlopen('').read()

Actual Results:  
After a long timeout, the following message is printed:

urllib2.URLError: <urlopen error [Errno 104] Connection reset by peer>

Expected Results:  
In less than two seconds, the following exception should be raised:

urllib2.HTTPError: HTTP Error 404: Not Found

This was the case with openssl-1.0.0

This regression against openssl-1.0.0 breaks web scripts that use django-social-auth, because they no longer can get a token from facebook. IMHO it is critical enough to warrant package.masking >=dev-libs/openssl-1.0.1

Upstream bugtracker: (use guset:guest as login/password)
Comment 1 Jan Dumon 2012-05-04 09:46:40 UTC
It also seems to breaks 802.1X in wpa_supplicant. (Only tried with PEAP + MSCHAPv2). For me it always results in EAP authentication failure.
Downgrading to openssl-1.0.0i fixed the issue.
Comment 2 J 2012-05-10 16:20:14 UTC
paypal and facebook look like they're fixed.

@Jan is that a microsoft radius server your client is talking to?

With your 1.0.0i openssl, try
openssl s_client -tls1 -servername "verylonghostnameaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -msg -connect server:port

Check that the hello message length is >255 bytes (at least 0x100)

If that replicates the problem (or try a longer servername if it works), then it's your radius server's ssl implementation that's the problem.
Comment 3 Hanno Böck gentoo-dev 2012-10-26 11:02:54 UTC
Can we close this? It is not a bug in Gentoo, it's a bug in other people's ssl implementations and most of them seem to be fixed by now.
Comment 4 Hanno Böck gentoo-dev 2012-12-05 16:00:47 UTC
closing, as this is not a gentoo bug
Comment 5 SpanKY gentoo-dev 2014-02-04 09:44:31 UTC
*** Bug 462348 has been marked as a duplicate of this bug. ***