[bug-notifications] [openssl 0004931]: "git clone https: ..." fails: Request to upgrade OpenSSL to 1.0.0h or newer.

Mantis Bug Tracker noreply at opencsw.org
Tue Apr 10 05:19:12 CEST 2012


A NOTE has been added to this issue. 
====================================================================== 
https://www.opencsw.org/mantis/view.php?id=4931 
====================================================================== 
Reported By:                zephyrus00jp
Assigned To:                
====================================================================== 
Project:                    openssl
Issue ID:                   4931
Category:                   upgrade
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
====================================================================== 
Date Submitted:             2012-04-02 15:50 CEST
Last Modified:              2012-04-10 05:19 CEST
====================================================================== 
Summary:                    "git clone https: ..." fails: Request to upgrade
OpenSSL to 1.0.0h or newer.
Description: 
On Solaris 10, I found that

git clone https:....

failed.

To make a long story short, I tracked this down to the failure of the curl
library used by git, and then this curl library seems to be failing
in openssl modules.

The following is a more detailed explanation and my finding:

serverfault.com/questions/374053/solaris-10-opencsw-git-package-issue-with-bitbucket-git-hosting

Based on some similar reports, I think it is best to
offer openssl 1.0.0h or newer, and then re-compile curl libraries (making
sure that openssl versions are used), and recompile git tools as well.

I don't know much about OpenCSW packaging and so I can't try to
recompile openssl and figure out whether upgrading helps or not.

====================================================================== 

---------------------------------------------------------------------- 
 (0009794) zephyrus00jp (reporter) - 2012-04-10 05:19
 https://www.opencsw.org/mantis/view.php?id=4931#c9794 
---------------------------------------------------------------------- 
I am still trying to figure it out.
One thing that looks odd is that
the Solaris log doesn't show any key exchange sequences.
I wonder if there is some kind of protocol mismatch somewhere that can be
changed by configuration changes.

Solaris failure log (excerpted near the beginning) from 

Connected to bitbucket.org (207.223.240.182) port 443 (#0)
* SSL: couldn't set callback!
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /opt/csw/ssl/certs
* WARNING: failed to configure server name indication (SNI) TLS extension
  ??? key exchange is missing here in comparison to linux dump ...???
* SSL connection using AES256-SHA

Linux log :

* Connected to bitbucket.org (207.223.240.182) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:

Since log messages may vary between different versions, I think I really
should home in on the "couldn't set callback!" problem.

I tried installing openssl 1.0.0, and replaced the dynamic library, but
still no go. Then I realized that the OpenSSL API may not be binary compatible
between 1.0.0 and previous versions.

So I may have to re-install from source 
 - openssl 1.0.0
 - libcurl
 - git
and see if the combination fixes the issue.
Stay tuned...


