crypto/tls: Intermittent errors with OpenSSL client #3796
Labels
Comments
Reproduced with s_client:
#!/bin/bash
for i in {1..1000}
do
echo $i | openssl s_client -connect localhost:8080 -quiet
done
"139758768248480:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature
length:rsa_sign.c:175:
139758768248480:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
signature:s3_clnt.c:1796:"
Normal:
140707248211616:error:140943E8:SSL
routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1247:SSL alert number 0
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=21:unable to verify the first certificate
verify return:1
^Cdepth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=21:unable to verify the first certificate
verify return:1
HTTP/1.1 400 Bad Request
Intermittent:
140093522732704:error:140943E8:SSL
routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1247:SSL alert number 0
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=21:unable to verify the first certificate
verify return:1
139758768248480:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature
length:rsa_sign.c:175:
139758768248480:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
signature:s3_clnt.c:1796:
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Sniffy, CN = web.sniffy.local
verify error:num=21:unable to verify the first certificate
verify return:1
HTTP/1.1 400 Bad Request
|
|
Owner changed to @agl. Status changed to Accepted. |
http://golang.org/cl/6352093/ out for review. |
|
This issue was closed by revision 93ea79e. Status changed to Fixed. |
agl
added a commit
that referenced
this issue
May 11, 2015
««« backport 46ca86e70e96 crypto/rsa: left-pad PKCS#1 v1.5 outputs. OpenSSL requires that RSA signatures be exactly the same byte-length as the modulus. Currently it'll reject ~1/256 of our signatures: those that end up a byte shorter. Fixes #3796. R=golang-dev, edsrzf, r CC=golang-dev https://golang.org/cl/6352093 »»»
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm running an HTTPS server and occasionally get client-side errors when trying to send it a request from a client using OpenSSL. The error I get from Ruby is: /usr/lib/ruby/1.9.1/net/http.rb:678:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server key exchange B: bad signature (OpenSSL::SSL::SSLError) from /usr/lib/ruby/1.9.1/net/http.rb:678:in `block in connect' from /usr/lib/ruby/1.9.1/timeout.rb:44:in `timeout' from /usr/lib/ruby/1.9.1/timeout.rb:89:in `timeout' from /usr/lib/ruby/1.9.1/net/http.rb:678:in `connect' from /usr/lib/ruby/1.9.1/net/http.rb:637:in `do_start' from /usr/lib/ruby/1.9.1/net/http.rb:626:in `start' from /usr/lib/ruby/1.9.1/net/http.rb:1168:in `request' from /usr/lib/ruby/1.9.1/net/http.rb:1081:in `request_get' from testssl.rb:8:in `block in <main>' from testssl.rb:6:in `times' from testssl.rb:6:in `<main>' I've attached a basic HTTPS server and a short Ruby script that can reproduce this issue. The client makes 1000 requests against the server and this has always been enough to trigger the problem for me.Attachments:
The text was updated successfully, but these errors were encountered: