View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005863 | unreal | ircd | public | 2021-04-29 23:45 | 2021-05-01 18:37 |
| Reporter | Le_Coyote | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | no change required | ||
| Product Version | 5.0.9 | ||||
| Summary | 0005863: "Illegal Parameter" error in TLS handshake when servername contains a ":" and unreal built against libressl | ||||
| Description | When a client connects to a Unreal built against libreSSL, with TLS, and the servername contains a ":" (e.g. when connecting to an IPv6-enabled server using the raw IP instead of the FQDN), the connection fails during the TLS handshake. The error is an "Illegal parameter" (47). Unreal/LibreSSL is not returning any server certificate. The problem was reproduced initially with weechat 2.8, weechat 3.1, and hexchat 2.14.3, but can be reproduced with a simple openssl s_client as described below. | ||||
| Steps To Reproduce | 1. Build Unreal (5.0.9.1) against libreSSL (tested both 3.2.5 stable and 3.3.2 dev with identical results) 2. openssl s_client -connect localhost:6697 -> works normally 3. openssl s_client -connect localhost:6697 -servername 2001: -> CONNECTED(00000003) 140019933402432:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1543:SSL alert number 47 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 297 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- | ||||
| Additional Information | The problem is triggered by the colon in the servername, regardless of whether the connection is made with IPv4 or IPv6. It just so happens that connecting to a server using the raw IPv6 address is how the problem is most likely to happen in the wild. | ||||
| Tags | libressl | ||||
| 3rd party modules | |||||
|
|
As suggested by Case_Of on freenode/#libressl, issue opened there as well: https://github.com/libressl-portable/portable/issues/660 |
|
|
See discussion over at libreSSL's github. It's the client's fault. Bugs reported over there :) This can be closed now. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-04-29 23:45 | Le_Coyote | New Issue | |
| 2021-04-29 23:45 | Le_Coyote | Tag Attached: libressl | |
| 2021-04-29 23:57 | Le_Coyote | Note Added: 0021951 | |
| 2021-04-30 09:29 | Le_Coyote | Note Added: 0021952 | |
| 2021-05-01 18:37 | syzop | Assigned To | => syzop |
| 2021-05-01 18:37 | syzop | Status | new => closed |
| 2021-05-01 18:37 | syzop | Resolution | open => no change required |
