Using INN 2.5.1 with Openssl with SSLv2 disabled

Evans, Darren E (IS) darren.evans at ngc.com
Thu Oct 27 23:32:22 UTC 2011


My customer (Government) wants to block use of SSLv2 with the INN server due to security vulnerabilities.  I have recompiled openssl 0.9.8r with the option for no SSLv2.  I then statically link the openssl libraries (libcrypto and libssl) into my INN build.  When I then try to run the nnrpd service it gets the following error with an SSL alert number 20, alert bad record mac.

Using the openssl on the server I was able to get the following info as well:
#  /usr/local/ssl/bin/openssl s_client -connect vbnews:563
CONNECTED(00000004)
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DISA/CN=vbnews.vb.c2fse.northgrum.com
verify error:num=21:unable to verify the first certificate
verify return:1
22555:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1102:SSL alert number 20
22555:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I have checked all of the obvious issues with certificates (It is issued from a real CA and the trusts and CAcerts are all in place).  The server is in DNS correctly.  The development network does not have outside connectivity, but is a VLAN (You can get in, but not out).  Everything worked fine with INN 2.5.1 and openssl-0.9.8k, but I decided to use the later version for this since the other is much older.

I am using Thunderbird 3.0.4 for my news client and it is set to SSL/TLS and has all of the certs in place as well, but only works with the older openssl-0.9.8k with SSLv2 enabled.

Has anyone seen any problems with INN 2.5.1 and the newer openssl versions?  Or when SSLv2 is compiled out of openssl?

Thank you for the help.

Darren Evans
Software Engineer
NORTHROP GRUMMAN Corporation
Mission Systems
