With OpenSSL versions 1.0.1a through 1.0.1f, attempting a TLS1.2 connection to certain web servers can cause OpenSSL to freeze.
As of June 2015, OpenSSL 1.0.1f is the latest version available via apt for Ubuntu 14.04, Ubuntu 15.04, etc., and it cannot be upgraded any further through apt.
Here is how to install the newer OpenSSL 1.0.1g from source.
OpenSSL Version
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
SSL Connection Operation Test
$ openssl s_client -connect hoge.example.com:443   # hoge.example.com stands in for the affected site
→ Freezes
Connecting again with TLS1.2 disabled:
$ openssl s_client -connect hoge.example.com:443 -no_tls1_2
→ Connection successful
Installing OpenSSL 1.0.1g
$ wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
$ tar -xzvf openssl-1.0.1g.tar.gz
$ cd openssl-1.0.1g
$ ./config
$ make
$ sudo make install_sw
$ sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`
If you run a plain make install at this point, it fails with errors like these:
cms.pod around line 457: Expected text after =item, not a number
cms.pod around line 461: Expected text after =item, not a number
cms.pod around line 465: Expected text after =item, not a number
cms.pod around line 470: Expected text after =item, not a number
cms.pod around line 474: Expected text after =item, not a number
POD document had syntax errors at /usr/bin/pod2man line 71.
make: *** [install_docs] Error 255
The failure happens while the man pages are being built (the install_docs target). Use make install_sw instead, which installs the software without building the man pages.
$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ openssl s_client -connect hoge.example.com:443
→ Connection successful!
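The two checks above, wrapped in a script (an added example, not part of the original post): a version test for the 1.0.1a to 1.0.1f range, and a TLS1.2 probe bounded by timeout(1) so that a frozen s_client cannot block the shell the way the bare invocation above does. The host name is a placeholder you pass on the command line.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks for the problem the
# post describes: is the installed OpenSSL in the 1.0.1a..1.0.1f range, and
# does a TLS1.2 handshake to a given host hang.

# affected_version "<output of openssl version>": exit 0 when the version is
# 1.0.1a .. 1.0.1f (the range the post reports as freezing on TLS1.2).
affected_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "1.0.1f"
    case "$ver" in
        1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # affected (also suffixed builds such as -fips)
        *)                       return 1 ;;   # 1.0.1g or later, or another branch
    esac
}

# probe_tls HOST PORT [s_client options]: prints "hang", "ok" or "fail".
# timeout(1) bounds the handshake; its exit code 124 means the deadline hit,
# which is exactly the freeze the post describes.
probe_tls() {
    host=$1; port=$2; shift 2
    if out=$(timeout 10 openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1); then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 124 ]; then
        echo hang
    elif printf '%s\n' "$out" | grep -q 'Verify return code'; then
        echo ok      # handshake completed (certificate verification may still report an error)
    else
        echo fail    # connection refused, DNS failure, protocol error, ...
    fi
}

# Run as: sh check_tls12.sh hoge.example.com   (placeholder host)
if [ $# -ge 1 ]; then
    cur=$(openssl version)
    if affected_version "$cur"; then
        echo "installed: $cur (in the affected range)"
    else
        echo "installed: $cur (outside the affected range)"
    fi
    # "hang" for the first probe and "ok" for the second reproduces the post's symptom.
    echo "default protocols: $(probe_tls "$1" 443)"
    echo "with -no_tls1_2:   $(probe_tls "$1" 443 -no_tls1_2)"
fi
```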
This upgrades the openssl command itself, but curl, PHP, Python, and other programs that depend on OpenSSL would need to be rebuilt against the new version as well, which can be quite cumbersome.
If you encounter this bug through curl, PHP, or Python, it may be easier to configure those applications not to connect with TLS1.2.
→ http://b.ytyng.com/a-62/ How to avoid freezing sites when connecting with HTTPS using Curl, Python, PHP
How To Upgrade OpenSSL to 1.0.1g To Guard Against Heartbleed in Ubuntu ~ Bauer-Power Media http://www.bauer-power.net/2014/05/how-to-upgrade-openssl-to-101g-to-guard.html#.VXaBpOdCLHM
You might also consider installing OpenSSL via Linuxbrew.
Recommendation of Linuxbrew - Qiita http://qiita.com/thermes/items/926b478ff6e3758ecfea