Requests: https GET request fails with "handshake failure"

Created on 26 Apr 2014  ·  83 Comments  ·  Source: psf/requests

Related to #1083, perhaps. Standard requests.get() for this particular site/page https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html results in:

>>> import requests
>>> requests.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/api.py", line 55, in get
    return request('get', url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Using requests-toolbelt's SSLAdapter to try various SSL versions, they all fail, it would seem... see the following tracebacks.

TLSv1:

>>> adapter = SSLAdapter('TLSv1')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

SSLv3:

>>> adapter = SSLAdapter('SSLv3')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

SSLv2:

>>> adapter = SSLAdapter('SSLv2')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/adapters.py", line 378, in send
    raise ConnectionError(e)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='docs.apitools.com', port=443): Max retries exceeded with url: /2014/04/24/a-small-router-for-openresty.html (Caused by <class 'socket.error'>: [Errno 54] Connection reset by peer)

Note the last one gives a Connection reset by peer error, which differs from the others, but I'm pretty sure SSLv2 isn't supported by the server anyhow.

For fun, I tried to pass through some more appropriate headers through on the last request as well:

>>> headers = {
...     'Accept': u"text/html,application/xhtml+xml,application/xml",
...     'User-Agent': u"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36",
...     'Accept-Encoding': u"gzip,deflate",
...     'Accept-Language': u"en-US,en;q=0.8"
... }
>>> adapter = SSLAdapter('SSLv2')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html', headers=headers)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jaddison/.virtualenvs/techtown/lib/python2.7/site-packages/requests/adapters.py", line 378, in send
    raise ConnectionError(e)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='docs.apitools.com', port=443): Max retries exceeded with url: /2014/04/24/a-small-router-for-openresty.html (Caused by <class 'socket.error'>: [Errno 54] Connection reset by peer)

No dice there either. Here's what the HTTPS connection info in Chrome on Mac looks like:

[Image: screen shot 2014-04-26 at 10 35 21 am]

I'm not positive, but some googling indicates it's likely a cipher list issue, which is more urllib3, I think?

I tried to modify DEFAULT_CIPHER_LIST in pyopenssl, but started running into import errors. At this point it seemed like things were just broken, and there wasn't really a proper way to approach fixing this yet.

Version information:
OSX Mavericks
Python 2.7.5
OpenSSL 0.9.8y 5 Feb 2013 - (from python -c "import ssl; print ssl.OPENSSL_VERSION")
requests 2.2.1
requests-toolbelt 0.2.0
urllib3 1.8

All 83 comments

Sadly, this is unrelated to the issue you identified, and entirely down to the crappy OpenSSL that OS X ships with by default. Version 0.9.8y has some real problems with performing SSL handshakes, and some servers don't tolerate it well. Using Python 3 on my OS X box (therefore using a newer OpenSSL) reveals that there's no problem.

You have two options:

  1. Install OpenSSL from Homebrew, then install a new version of Python 2 from Homebrew which will automatically link against the Homebrew-provided OpenSSL.
  2. Install OpenSSL from Homebrew, and then install PyOpenSSL against that new version by running env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/usr/local/opt/openssl/lib" CFLAGS="-I/usr/local/opt/openssl/include" pip install PyOpenSSL.

Ah, looks like I was following a red herring then - I don't plan on deploying anything on OSX anyhow. Looks like I'll move my testing to a linux virtualbox. Apologies for this long-winded issue!

No need to apologise, asking that question was the right thing to do: it's bizarrely specific knowledge to know that OS X has this problem. =)

Ok, this is a bummer. I created an Ubuntu 14.04 server 32bit Virtualbox image via Vagrant and this is all still happening except for the SSLv2 case, where it fails because the protocol isn't included in the OpenSSL version in Ubuntu 14.04 (by design, I believe - SSLv2 is old and outdated).

Versions:
Ubuntu 14.04 32bit (via Vagrant/Virtualbox combo)
Python 2.7.6
requests==2.2.1
requests-toolbelt==0.2.0
urllib3==1.8.2

EDIT: forgot the OpenSSL version...

python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.0.1f 6 Jan 2014

TLSv1:

>>> import requests
>>> from requests_toolbelt import SSLAdapter
>>> adapter = SSLAdapter('TLSv1')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

SSLv2:

>>> import requests
>>> from requests_toolbelt import SSLAdapter
>>> adapter = SSLAdapter('SSLv3')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

SSLv23:

>>> import requests
>>> from requests_toolbelt import SSLAdapter
>>> adapter = SSLAdapter('SSLv23')
>>> s = requests.Session()
>>> s.mount('https://', adapter)
>>> s.get('https://docs.apitools.com/2014/04/24/a-small-router-for-openresty.html')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 395, in get
    return self.request('GET', url, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 383, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/sessions.py", line 486, in send
    r = adapter.send(request, **kwargs)
  File "/home/vagrant/.virtualenvs/techtown/local/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
SSLError: [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Perhaps this is a cipher list issue then? Or is the OpenSSL version used here still problematic?

I am absolutely willing to put in some time to help debug this if necessary... provided you guys give me some direction.

VM is downloading. I can't reproduce this on ArchLinux.
The stacktraces indicate this but I'd like to be sure: You are _not_ using PyOpenSSL but only the stdlib?

@t-8ch Thanks for taking a look at this, I'm a bit confused. OpenSSL makes my life really hard =(

@t-8ch I haven't installed PyOpenSSL if that's what you're asking?

I would have assumed (perhaps incorrectly) that pip install requests should give me everything I need to successfully call requests.get('...') on an HTTPS page. Which, of course, it works for the most part, just not for this site for some reason.

@jaddison It _mostly_ does. Unfortunately, Python 2.7's standard library sucks hard and doesn't support some features, such as SNI.

I wonder if this is SNI...

@jaddison There are two different codepaths behind the scenes. You shouldn't have to care about those, but it helps to know when debugging.

However I can now reproduce this on Ubuntu. But only on Py2. On Py3 everything is fine.
I suspect @Lukasa is right and the server fails when the client is not using SNI.

It bothers me that an absence of SNI fails in multiple different ways depending on the server in question.

I did notice this change between OpenSSL 1.0.1f and 1.0.1g (https://www.openssl.org/news/openssl-1.0.1-notes.html):

Add TLS padding extension workaround for broken servers.

EDIT: Ahh, nevermind - the bug shouldn't vary between Py 2 and 3, I'd think.

@jaddison To test whether this is SNI, you'll need to install the SNI requirements for Python 2.

@Lukasa was right. Compare:

$ openssl s_client -connect docs.apitools.com:443                              
CONNECTED(00000003)
139846853338768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 517 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

$  openssl s_client -connect docs.apitools.com:443 -servername docs.apitools.com
... happy handshake here

To elaborate: The second command enables the SNI functionality of openssl s_client.

You can a) switch to python3 b) install extra dependencies.
The stdlib has at the moment no way to do SNI.
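
Added example (not part of the original thread, and not code from requests or urllib3): the difference between the two s_client runs above can be observed offline from Python 3 by writing a ClientHello into a memory BIO with and without a server name, then checking it for the server_name (SNI) extension. The helper names build_client_hello and extract_sni are hypothetical; the hostname is the one from this issue and no connection is made to it.

```python
import ssl
import struct

SNI_EXTENSION_TYPE = 0        # "server_name" extension, RFC 6066
HANDSHAKE_RECORD = 22         # TLS record content type: handshake
CLIENT_HELLO = 1              # handshake message type


def build_client_hello(server_hostname=None):
    """Return the bytes this Python's ssl module would send first.

    Nothing touches the network: the handshake is driven against
    in-memory BIOs and stops as soon as the client waits for a reply.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # Mirrors `openssl s_client -connect host:443` without -servername.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, no ServerHello available
    return outgoing.read()


def extract_sni(records):
    """Return the host name carried in a ClientHello, or None if no SNI."""
    # Reassemble the handshake message from one or more TLS records.
    payload, pos = b"", 0
    while pos + 5 <= len(records):
        rtype, _version, rlen = struct.unpack_from("!BHH", records, pos)
        if rtype != HANDSHAKE_RECORD:
            raise ValueError("not a TLS handshake record")
        payload += records[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(payload) < 4 or payload[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]

    p = 2 + 32                                     # client_version + random
    p += 1 + body[p]                               # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")  # cipher_suites
    p += 1 + body[p]                               # compression_methods
    if p >= len(body):
        return None                                # no extensions at all

    ext_end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, p)
        p += 4
        if ext_type == SNI_EXTENSION_TYPE:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_type = body[p + 2]
            name_len = int.from_bytes(body[p + 3:p + 5], "big")
            if name_type == 0:                     # host_name
                return body[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None


if __name__ == "__main__":
    host = "docs.apitools.com"  # hostname from this issue; never contacted
    print("linked against:", ssl.OPENSSL_VERSION)
    print("with server_hostname:   ", extract_sni(build_client_hello(host)))
    print("without server_hostname:", extract_sni(build_client_hello()))
```

A client whose second line prints None is in the position of the first s_client run: a server that selects its certificate or virtual host by SNI has nothing to select on and may answer with a handshake failure alert.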

Thanks for the quick feedback. Seeing as there is no bug, I'll close this... again.

Hey, thank you guys !! I installed python3 on my mac and boom, it works.

Just want to chime in and say that I experienced this issue on OS X 10.9.5, Python 2.7.7 and OpenSSL 0.9.8zc.

I was able to fix my handshaking issue by:

  1. Installing a newer-than-stock OpenSSL on my machine via brew install OpenSSL
  2. Compiling and installing the cryptography package linked against the new OpenSSL (env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/usr/local/opt/openssl/lib" CFLAGS="-I/usr/local/opt/openssl/include" pip install cryptography)
  3. Installing requests with SNI support by doing pip install requests[security]

Thanks, @Microserf. I'm pretty much running the same specs (10.9.5, Python 2.7.6 installed via Homebrew but compiled with system provided OpenSSL 0.9.8zg) and this was my entire process for getting requests up and running for Django:

brew install openssl

Install requests with a bunch of SNI stuff, compiled against our new install of OpenSSL. The [security] option simply installs pyopenssl ndg-httpsclient pyasn1

env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/usr/local/opt/openssl/lib" CFLAGS="-I/usr/local/opt/openssl/include" pip install requests[security] urllib3

And we're good to go:

"""
This may or may not be needed. See:
https://urllib3.readthedocs.org/en/latest/security.html#openssl-pyopenssl
"""
# from urllib3.contrib import pyopenssl
# pyopenssl.inject_into_urllib3()

import requests
# r = requests.get(...)

Is there a definitive answer on how to get this working on ubuntu? I'm running into this issue, and it looks like the only answer here concerns how to get this working on a Mac. Upgrading our entire codebase to python 3 is not an option.

OK, I may have just answered my own question. What I did boils down to:

sudo apt-get install libffi-dev
pip install pyOpenSSL ndg-httpsclient pyasn1

@lsemel thank you, that just saved me a bunch of time

@lsemel Are you sure? I tried it on Ubuntu 15.10 and it still doesn't work with Python 2.7.10.

It works with Python 2.7 on Travis CI:
https://travis-ci.org/playing-se/swish-python

Got it to work now! I simply uninstalled pyOpenSSL:
pip uninstall pyOpenSSL

Maybe we should only pyopenssl.inject_into_urllib3() if Python version is less than 2.7.9? pyOpenSSL seems to break stuff on Ubuntu and Windows if Python version is 2.7.10.

PyOpenSSL should not be breaking anything. If it does, that's a bug that should be reported.

I will have to look into this, but is there any good reason to inject pyopenssl into urllib3 if Python version is 2.7.9 or newer?

I am thinking of something like this:

# Check if Modern SSL with SNI support
try:
    from ssl import SSLContext
    from ssl import HAS_SNI
except ImportError:
    # Attempt to enable urllib3's SNI support, if possible
    try:
        from .packages.urllib3.contrib import pyopenssl
        pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

Yeah, frequently there is. For example, on OS X most Pythons link against the system OpenSSL, which is version 0.9.8zg. PyOpenSSL, however, will link against a much newer OpenSSL (1.0.2). That makes using PyOpenSSL a substantial security improvement.

Additionally, PyOpenSSL gives us much better access to OpenSSL, allowing us to secure it more effectively.

OK, I have played around with this a little now.

It WORKS with pyopenssl BUT not if ndg-httpsclient is installed.

However, I can get it to work with ndg-httpsclient if I uninstall pyasn1, giving me these warnings:

/usr/lib/python2.7/dist-packages/ndg/httpsclient/subj_alt_name.py:22: UserWarning: Error importing pyasn1, subjectAltName check for SSL peer verification will be disabled.  Import error is: No module named pyasn1.type
  warnings.warn(import_error_msg)
/usr/lib/python2.7/dist-packages/ndg/httpsclient/ssl_peer_verification.py:25: UserWarning: SubjectAltName support is disabled - check pyasn1 package installation to enable
  warnings.warn(SUBJ_ALT_NAME_SUPPORT_MSG)
/usr/lib/python2.7/dist-packages/ndg/httpsclient/subj_alt_name.py:22: UserWarning: Error importing pyasn1, subjectAltName check for SSL peer verification will be disabled.  Import error is: No module named pyasn1.type
  warnings.warn(import_error_msg)

Same behavior on Ubuntu 15.10 and Windows 10 with Python 2.7.10 installed.

That's because without ndg-httpsclient the PyOpenSSL support isn't used.

Yes, I will have to dig into why it works if SubjectAltName is disabled. Any idea?

Almost certainly the problem is that you're using different OpenSSLs in each case.

I had the same issue on my Ubuntu 14.04 box and Python 2.7.11

It's from SNI

What worked for me was this:

  • uninstall requests
  • uninstall urllib3
  • install the various crypto dependencies
  • install urllib3
  • install urllib3[secure] # just to be safe
  • install requests

I think there was an installation-time check on urllib3 or requests which kept things from working without the uninstall

@jvanasco what are you using to install those packages? I assume pip. Why are you installing urllib3 and requests separately?

Well I needed urllib3 in the virtualenv... but I installed it to try and get the requirements installed by pip and easy_install. (I used both)

I have a web indexer and a few urls broke. I wrote a quick script to try the broken ones, and kept reinstalling/delete+installing the packages in the urllib3 instructions on ssl issues until they worked.

I'm still seeing this issue and I've tried the suggested workarounds.
I updated my Python version to 2.7.11.
I installed the 3 additional packages.

I tried the uninstall/install sequence @jvanasco suggested and still got the SSLError.
Also, using Ubuntu 14.04, unfortunately there's no OpenSSL update, so I have to use the workarounds posted here and I'm having no luck.

Any extra steps you guys possibly took?

Thanks

@Lekinho I found that making a short test-script that tested the domain I was having problems with helped.

It was just:

import requests
r = requests.get(bad_url)
print r.__dict__

@Lekinho You can extract pyopenssl from requests in your code:

try:
    from requests.packages.urllib3.contrib import pyopenssl
    pyopenssl.extract_from_urllib3()
except ImportError:
    pass

@Lekinho If you're still encountering this problem with Python 2.7.11 it's highly likely that the remote server doesn't support the TLS settings being used by requests. Is the server in question available on the public internet? If so, can you provide me with the URL?

I've tried the pyopenssl import as suggested.
Unfortunately this is not accessible publicly.
However, I have the exact details of what OpenSSL version the server has.
Basically, we run on a Red Hat virtual machine. I had this OpenSSL when everything was working: openssl-1.0.1e-42.el6_7.4.x86_64

Then we did a Red Hat upgrade and there was an update for openssl: openssl-1.0.1e-48.el6_8.1.x86_64

This version always has the bad handshake issue when using openssl on Ubuntu 14.04.

Do you guys have any public URLs I can try with, to see if the workarounds helped resolve the issue and it's just this unique combination that I have that's the problem?

The same machine is fine when REST requests are sent through the browser (i.e. without the Ubuntu openssl).

Thanks

Can you provide the output of rpm -q --changelog openssl, please?

[admin@leke-2-2-8-11 ~]$ rpm -q --changelog openssl

  • Mon May 02 2016 Tomáš Mráz [email protected] 1.0.1e-48.1
  • fix CVE-2016-2105 - possible overflow in base64 encoding
  • fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
  • fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
  • fix CVE-2016-2108 - memory corruption in ASN.1 encoder
  • fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
  • fix CVE-2016-0799 - memory issues in BIO_printf
  • Wed Feb 24 2016 Tomáš Mráz [email protected] 1.0.1e-48
  • fix CVE-2016-0702 - side channel attack on modular exponentiation
  • fix CVE-2016-0705 - double-free in DSA private key parsing
  • fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn
  • Tue Feb 16 2016 Tomáš Mráz [email protected] 1.0.1e-47
  • fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
  • disable SSLv2 in the generic TLS method
  • Fri Jan 15 2016 Tomáš Mráz [email protected] 1.0.1e-46
  • fix 1-byte memory leak in pkcs12 parse (#1229871)
  • document some options of the speed command (#1197095)
  • Thu Jan 14 2016 Tomáš Mráz [email protected] 1.0.1e-45
  • fix high-precision timestamps in timestamping authority
  • Mon Dec 21 2015 Tomáš Mráz [email protected] 1.0.1e-44
  • fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
  • Fri Dec 04 2015 Tomáš Mráz [email protected] 1.0.1e-43
  • fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
  • fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
  • fix CVE-2015-3196 - race condition when handling PSK identity hint
  • Tue Jun 23 2015 Tomáš Mráz [email protected] 1.0.1e-42
  • fix regression caused by mistake in fix for CVE-2015-1791
  • Thu Jun 11 2015 Tomáš Mráz [email protected] 1.0.1e-41
  • improved fix for CVE-2015-1791
  • add missing parts of CVE-2015-0209 fix for corectness although unexploitable
  • Tue Jun 09 2015 Tomáš Mráz [email protected] 1.0.1e-40
  • fix CVE-2014-8176 - invalid free in DTLS buffering code
  • fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
  • fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
  • fix CVE-2015-1791 - race condition handling NewSessionTicket
  • fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function
  • Tue Jun 02 2015 Tomáš Mráz [email protected] 1.0.1e-39
  • fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on
    read in multithreaded applications
  • Mon May 25 2015 Tomáš Mráz [email protected] 1.0.1e-38
  • fix CVE-2015-4000 - prevent the logjam attack on client - restrict
    the DH key size to at least 768 bits (limit will be increased in future)
  • Wed Mar 25 2015 Tomáš Mráz [email protected] 1.0.1e-37
  • drop the AES-GCM restriction of 2^32 operations because the IV is
    always 96 bits (32 bit fixed field + 64 bit invocation field)
  • Thu Mar 19 2015 Tomáš Mráz [email protected] 1.0.1e-36
  • update fix for CVE-2015-0287 to what was released upstream
  • Wed Mar 18 2015 Tomáš Mráz [email protected] 1.0.1e-35
  • fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
  • fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
  • fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
  • fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference
  • fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
  • fix CVE-2015-0292 - integer underflow in base64 decoder
  • fix CVE-2015-0293 - triggerable assert in SSLv2 server
  • Tue Mar 03 2015 Tomáš Mráz [email protected] 1.0.1e-34
  • copy digest algorithm when handling SNI context switch
  • improve documentation of ciphersuites - patch by Hubert Kario
  • add support for setting Kerberos service and keytab in
    s_server and s_client
  • Tue Jan 13 2015 Tomáš Mráz [email protected] 1.0.1e-33
  • fix CVE-2014-3570 - incorrect computation in BN_sqr()
  • fix CVE-2014-3571 - possible crash in dtls1_get_record()
  • fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
  • fix CVE-2014-8275 - various certificate fingerprint issues
  • fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
    ciphersuites and on server
  • fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
  • fix CVE-2015-0206 - possible memory leak when buffering DTLS records
  • Thu Oct 16 2014 Tomáš Mráz [email protected] 1.0.1e-32
  • use FIPS approved method for computation of d in RSA
  • Wed Oct 15 2014 Tomáš Mráz [email protected] 1.0.1e-31
  • fix CVE-2014-3567 - memory leak when handling session tickets
  • fix CVE-2014-3513 - memory leak in srtp support
  • add support for fallback SCSV to partially mitigate CVE-2014-3566
    (padding attack on SSL3)
  • Fri Aug 15 2014 Tomáš Mráz [email protected] 1.0.1e-30
  • add ECC TLS extensions to DTLS (#1119800)
  • Fri Aug 08 2014 Tomáš Mráz [email protected] 1.0.1e-29
  • fix CVE-2014-3505 - doublefree in DTLS packet processing
  • fix CVE-2014-3506 - avoid memory exhaustion in DTLS
  • fix CVE-2014-3507 - avoid memory leak in DTLS
  • fix CVE-2014-3508 - fix OID handling to avoid information leak
  • fix CVE-2014-3509 - fix race condition when parsing server hello
  • fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
  • fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
  • Mon Jun 16 2014 Tomáš Mráz [email protected] 1.0.1e-28
  • fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
  • Fri Jun 06 2014 Tomáš Mráz [email protected] 1.0.1e-26
  • drop EXPORT, RC2, and DES from the default cipher list (#1057520)
  • print ephemeral key size negotiated in TLS handshake (#1057715)
  • do not include ECC ciphersuites in SSLv2 client hello (#1090952)
  • properly detect encryption failure in BIO (#1100819)
  • fail on hmac integrity check if the .hmac file is empty (#1105567)
  • FIPS mode: make the limitations on DSA, DH, and RSA keygen
    length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment
    variable is set
  • Mon Jun 02 2014 Tomáš Mráz [email protected] 1.0.1e-25
  • fix CVE-2010-5298 - possible use of memory after free
  • fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
  • fix CVE-2014-0198 - possible NULL pointer dereference
  • fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
  • fix CVE-2014-0224 - SSL/TLS MITM vulnerability
  • fix CVE-2014-3470 - client-side DoS when using anonymous ECDH
  • Thu May 22 2014 Tomáš Mráz [email protected] 1.0.1e-24
  • add back support for secp521r1 EC curve
  • Mon Apr 07 2014 Tomáš Mráz [email protected] 1.0.1e-23
  • fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
  • Mon Mar 17 2014 Tomáš Mráz [email protected] 1.0.1e-22
  • use 2048 bit RSA key in FIPS selftests
  • Wed Feb 19 2014 Tomáš Mráz [email protected] 1.0.1e-21
  • add DH_compute_key_padded needed for FIPS CAVS testing
  • make 3des strength to be 128 bits instead of 168 (#1056616)
  • FIPS mode: do not generate DSA keys and DH parameters < 2048 bits
  • FIPS mode: use approved RSA keygen (allows only 2048 and 3072 bit keys)
  • FIPS mode: add DH selftest
  • FIPS mode: reseed DRBG properly on RAND_add()
  • FIPS mode: add RSA encrypt/decrypt selftest
  • FIPS mode: add hard limit for 2^32 GCM block encryptions with the same key
  • use the key length from configuration file if req -newkey rsa is invoked
  • Tue Jan 07 2014 Tomáš Mráz [email protected] 1.0.1e-20
  • fix CVE-2013-4353 - Invalid TLS handshake crash
  • Mon Jan 06 2014 Tomáš Mráz [email protected] 1.0.1e-19
  • fix CVE-2013-6450 - possible MiTM attack on DTLS1
  • Fri Dec 20 2013 Tomáš Mráz [email protected] 1.0.1e-18
  • fix CVE-2013-6449 - crash when version in SSL structure is incorrect
  • Thu Dec 12 2013 Tomáš Mráz [email protected] 1.0.1e-17
  • add back some no-op symbols that were inadvertently dropped
  • Thu Oct 31 2013 Tomáš Mráz [email protected] 1.0.1e-16
  • do not advertise ECC curves we do not support
  • fix CPU identification on Cyrix CPUs
  • Fri Sep 27 2013 Tomáš Mráz [email protected] 1.0.1e-15
  • make DTLS1 work in FIPS mode
  • avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
  • Thu Sep 26 2013 Tomáš Mráz [email protected] 1.0.1e-14
  • installation of dracut-fips marks that the FIPS module is installed
  • Mon Sep 23 2013 Tomáš Mráz [email protected] 1.0.1e-13
  • avoid dlopening libssl.so from libcrypto
  • Fri Sep 20 2013 Tomáš Mráz [email protected] 1.0.1e-12
  • fix small memory leak in FIPS aes selftest
  • fix segfault in openssl speed hmac in the FIPS mode
  • Thu Sep 12 2013 Tomáš Mráz [email protected] 1.0.1e-11
  • document the nextprotoneg option in manual pages
    original patch by Hubert Kario
  • Thu Aug 29 2013 Tomas Mraz [email protected] 1.0.1e-9
  • always perform the FIPS selftests in library constructor
    if FIPS module is installed
  • Fri Aug 16 2013 Tomas Mraz [email protected] 1.0.1e-8
  • fix use of rdrand if available
  • more commits cherry picked from upstream
  • documentation fixes
  • Fri Jul 26 2013 Tomas Mraz [email protected] 1.0.1e-7
  • additional manual page fix
  • use symbol versioning also for the textual version
  • Thu Jul 25 2013 Tomas Mraz [email protected] 1.0.1e-6
  • additional manual page fixes
  • cleanup speed command output for ECDH ECDSA
  • Fri Jul 19 2013 Tomas Mraz [email protected] 1.0.1e-5
  • use _prefix macro
  • Wed Jul 10 2013 Tomas Mraz [email protected] 1.0.1e-4
  • add relro linking flag
  • Wed Jul 10 2013 Tomas Mraz [email protected] 1.0.1e-2
  • add support for the -trusted_first option for certificate chain verification
  • Fri May 31 2013 Tomas Mraz [email protected] 1.0.1e-1
  • rebase to the 1.0.1e upstream version
  • Mon Feb 25 2013 Tomas Mraz [email protected] 1.0.0-28
  • fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
  • fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)
  • enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB
    environment variable is set (fixes CVE-2012-4929 #857051)
  • use __secure_getenv() everywhere instead of getenv() (#839735)
  • Fri Oct 12 2012 Tomas Mraz [email protected] 1.0.0-27
  • fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)
  • drop superfluous lib64 fixup in pkgconfig .pc files (#770872)
  • force BIO_accept_new(*:) to listen on IPv4
  • Wed Aug 15 2012 Tomas Mraz [email protected] 1.0.0-26
  • use PKCS#8 when writing private keys in FIPS mode as the old
    PEM encryption mode is not FIPS compatible (#812348)
  • Tue May 15 2012 Tomas Mraz [email protected] 1.0.0-25
  • fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)
  • properly initialize tkeylen in the CVE-2012-0884 fix
  • Thu Apr 19 2012 Tomas Mraz [email protected] 1.0.0-24
  • fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)
  • Mon Mar 19 2012 Tomas Mraz [email protected] 1.0.0-23
  • fix problem with the SGC restart patch that might terminate handshake
    incorrectly
  • fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
  • fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
  • Thu Mar 01 2012 Tomas Mraz [email protected] 1.0.0-22
  • fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes
  • Thu Jan 19 2012 Tomas Mraz [email protected] 1.0.0-21
  • fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery
    vulnerability and additional DTLS fixes (#771770)
  • fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)
  • fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)
  • fix for CVE-2011-4619 - SGC restart DoS attack (#771780)
  • Mon Oct 31 2011 Tomas Mraz [email protected] 1.0.0-20
  • fix x86cpuid.pl - patch by Paolo Bonzini
  • Thu Sep 29 2011 Tomas Mraz [email protected] 1.0.0-19
  • add known answer test for SHA2 algorithms
  • Wed Sep 21 2011 Tomas Mraz [email protected] 1.0.0-18
  • fix missing initialization of a variable in the CHIL engine (#740188)
  • Mon Sep 12 2011 Tomas Mraz [email protected] 1.0.0-17
  • initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207
    (#736087)
  • Wed Aug 24 2011 Tomas Mraz [email protected] 1.0.0-16
  • merge the optimizations for AES-NI, SHA1, and RC4 from the intelx
    engine to the internal implementations
  • Mon Aug 15 2011 Tomas Mraz [email protected] 1.0.0-15
  • better documentation of the available digests in apps (#693858)
  • backported CHIL engine fixes (#693863)
  • allow testing build without downstream patches (#708511)
  • enable partial RELRO when linking (#723994)
  • add intelx engine with improved performance on new Intel CPUs
  • add OPENSSL_DISABLE_AES_NI environment variable which disables
    the AES-NI support (does not affect the intelx engine)
  • Wed Jun 08 2011 Tomas Mraz [email protected] 1.0.0-14
  • use the AES-NI engine in the FIPS mode
  • Tue May 24 2011 Tomas Mraz [email protected] 1.0.0-11
  • add API necessary for CAVS testing of the new DSA parameter generation
  • Thu Feb 10 2011 Tomas Mraz [email protected] 1.0.0-10
  • fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)
  • correct the README.FIPS document
  • Fri Feb 04 2011 Tomas Mraz [email protected] 1.0.0-8
  • add -x931 parameter to openssl genrsa command to use the ANSI X9.31
    key generation method
  • use FIPS-186-3 method for DSA parameter generation
  • add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
    to allow using MD5 when the system is in the maintenance state
    even if the /proc fips flag is on
  • make openssl pkcs12 command work by default in the FIPS mode
  • Mon Jan 24 2011 Tomas Mraz [email protected] 1.0.0-7
  • listen on ipv6 wildcard in s_server so we accept connections
    from both ipv4 and ipv6 (#601612)
  • fix openssl speed command so it can be used in the FIPS mode
    with FIPS allowed ciphers (#619762)
  • Tue Dec 07 2010 Tomas Mraz [email protected] 1.0.0-6
  • disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864
    (#649304)
  • Fri Nov 05 2010 Tomas Mraz [email protected] 1.0.0-5
  • fix race in extension parsing code - CVE-2010-3864 (#649304)
  • Wed Jun 30 2010 Tomas Mraz [email protected] 1.0.0-4
  • openssl man page fix (#609484)
  • Fri Jun 04 2010 Tomas Mraz [email protected] 1.0.0-3
  • fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)
  • fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)
  • Wed May 19 2010 Tomas Mraz [email protected] 1.0.0-2
  • make CA dir readable - the private keys are in private subdir (#584810)
  • a few fixes from upstream CVS
  • make X509_NAME_hash_old work in FIPS mode (#568395)
  • Tue Mar 30 2010 Tomas Mraz [email protected] 1.0.0-1
  • update to final 1.0.0 upstream release
  • Tue Feb 16 2010 Tomas Mraz [email protected] 1.0.0-0.22.beta5
  • make TLS work in the FIPS mode
  • Fri Feb 12 2010 Tomas Mraz [email protected] 1.0.0-0.21.beta5
  • gracefully handle zero length in assembler implementations of
    OPENSSL_cleanse (#564029)
  • do not fail in s_server if client hostname not resolvable (#561260)
  • Wed Jan 20 2010 Tomas Mraz [email protected] 1.0.0-0.20.beta5
  • new upstream release
  • Thu Jan 14 2010 Tomas Mraz [email protected] 1.0.0-0.19.beta4
  • fix CVE-2009-4355 - leak in applications incorrectly calling
    CRYPTO_free_all_ex_data() before application exit (#546707)
  • upstream fix for future TLS protocol version handling
  • Wed Jan 13 2010 Tomas Mraz [email protected] 1.0.0-0.18.beta4
  • add support for Intel AES-NI
  • Thu Jan 07 2010 Tomas Mraz [email protected] 1.0.0-0.17.beta4
  • upstream fix compression handling on session resumption
  • various null checks and other small fixes from upstream
  • upstream changes for the renegotiation info according to the latest draft
  • Mon Nov 23 2009 Tomas Mraz [email protected] 1.0.0-0.16.beta4
  • fix non-fips mingw build (patch by Kalev Lember)
  • add IPV6 fix for DTLS
  • Fri Nov 20 2009 Tomas Mraz [email protected] 1.0.0-0.15.beta4
  • add better error reporting for the unsafe renegotiation
  • Fri Nov 20 2009 Tomas Mraz [email protected] 1.0.0-0.14.beta4
  • fix build on s390x
  • Wed Nov 18 2009 Tomas Mraz [email protected] 1.0.0-0.13.beta4
  • disable enforcement of the renegotiation extension on the client (#537962)
  • add fixes from the current upstream snapshot
  • Fri Nov 13 2009 Tomas Mraz [email protected] 1.0.0-0.12.beta4
  • keep the beta status in version number at 3 so we do not have to rebuild
    openssh and possibly other dependencies with too strict version check
  • Thu Nov 12 2009 Tomas Mraz [email protected] 1.0.0-0.11.beta4
  • update to new upstream version, no soname bump needed
  • fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
    so the compatibility with unfixed clients is not broken. The
    protocol extension is also not final.
  • Fri Oct 16 2009 Tomas Mraz [email protected] 1.0.0-0.10.beta3
  • fix use of freed memory if SSL_CTX_free() is called before
    SSL_free() (#521342)
  • Thu Oct 08 2009 Tomas Mraz [email protected] 1.0.0-0.9.beta3
  • fix typo in DTLS1 code (#527015)
  • fix leak in error handling of d2i_SSL_SESSION()
  • Wed Sep 30 2009 Tomas Mraz [email protected] 1.0.0-0.8.beta3
  • fix RSA and DSA FIPS selftests
  • reenable fixed x86_64 camellia assembler code (#521127)
  • Fri Sep 04 2009 Tomas Mraz [email protected] 1.0.0-0.7.beta3
  • temporarily disable x86_64 camellia assembler code (#521127)
  • Mon Aug 31 2009 Tomas Mraz [email protected] 1.0.0-0.6.beta3
  • fix openssl dgst -dss1 (#520152)
  • Wed Aug 26 2009 Tomas Mraz [email protected] 1.0.0-0.5.beta3
  • drop the compat symlink hacks
  • Sat Aug 22 2009 Tomas Mraz [email protected] 1.0.0-0.4.beta3
  • constify SSL_CIPHER_description()
  • Fri Aug 21 2009 Tomas Mraz [email protected] 1.0.0-0.3.beta3
  • fix WWW:Curl:Easy reference in tsget
  • Fri Aug 21 2009 Tomas Mraz [email protected] 1.0.0-0.2.beta3
  • enable MD-2
  • Thu Aug 20 2009 Tomas Mraz [email protected] 1.0.0-0.1.beta3
  • update to new major upstream release
  • Sat Jul 25 2009 Fedora Release Engineering [email protected] - 0.9.8k-7
  • Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
  • Wed Jul 22 2009 Bill Nottingham [email protected]
  • do not build special 'optimized' versions for i686, as that's the base
    arch in Fedora now
  • Tue Jun 30 2009 Tomas Mraz [email protected] 0.9.8k-6
  • abort if selftests failed and random number generator is polled
  • mention EVP_aes and EVP_sha2xx routines in the manpages
  • add README.FIPS
  • make CA dir absolute path (#445344)
  • change default length for RSA key generation to 2048 (#484101)
  • Thu May 21 2009 Tomas Mraz [email protected] 0.9.8k-5
  • fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
    (DTLS DoS problems) (#501253, #501254, #501572)
  • Tue Apr 21 2009 Tomas Mraz [email protected] 0.9.8k-4
  • support compatibility DTLS mode for CISCO AnyConnect (#464629)
  • Fri Apr 17 2009 Tomas Mraz [email protected] 0.9.8k-3
  • correct the SHLIB_VERSION define
  • Wed Apr 15 2009 Tomas Mraz [email protected] 0.9.8k-2
  • add support for multiple CRLs with same subject
  • load only dynamic engine support in FIPS mode
  • Wed Mar 25 2009 Tomas Mraz [email protected] 0.9.8k-1
  • update to new upstream release (minor bug fixes, security
    fixes and machine code optimizations only)
  • Thu Mar 19 2009 Tomas Mraz [email protected] 0.9.8j-10
  • move libraries to /usr/lib (#239375)
  • Fri Mar 13 2009 Tomas Mraz [email protected] 0.9.8j-9
  • add a static subpackage
  • Thu Feb 26 2009 Fedora Release Engineering [email protected] - 0.9.8j-8
  • Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
  • Mon Feb 02 2009 Tomas Mraz [email protected] 0.9.8j-7
  • must also verify checksum of libssl.so in the FIPS mode
  • obtain the seed for FIPS rng directly from the kernel device
  • drop the temporary symlinks
  • Mon Jan 26 2009 Tomas Mraz [email protected] 0.9.8j-6
  • drop the temporary triggerpostun and symlinking in post
  • fix the pkgconfig files and drop the unnecessary buildrequires
    on pkgconfig as it is a rpmbuild dependency (#481419)
  • Sat Jan 17 2009 Tomas Mraz [email protected] 0.9.8j-5
  • add temporary triggerpostun to reinstate the symlinks
  • Sat Jan 17 2009 Tomas Mraz [email protected] 0.9.8j-4
  • no pairwise key tests in non-fips mode (#479817)
  • Fri Jan 16 2009 Tomas Mraz [email protected] 0.9.8j-3
  • even more robust test for the temporary symlinks
  • Fri Jan 16 2009 Tomas Mraz [email protected] 0.9.8j-2
  • try to ensure the temporary symlinks exist
  • Thu Jan 15 2009 Tomas Mraz [email protected] 0.9.8j-1
  • new upstream version with necessary soname bump (#455753)
  • temporarily provide symlink to old soname to make it possible to rebuild
    the dependent packages in rawhide
  • add eap-fast support (#428181)
  • add possibility to disable zlib by setting
  • add fips mode support for testing purposes
  • do not null dereference on some invalid smime files
  • add buildrequires pkgconfig (#479493)
  • Sun Aug 10 2008 Tomas Mraz [email protected] 0.9.8g-11
  • do not add tls extensions to server hello for SSLv3 either
  • Mon Jun 02 2008 Joe Orton [email protected] 0.9.8g-10
  • move root CA bundle to ca-certificates package
  • Wed May 28 2008 Tomas Mraz [email protected] 0.9.8g-9
  • fix CVE-2008-0891 - server name extension crash (#448492)
  • fix CVE-2008-1672 - server key exchange message omit crash (#448495)
  • Tue May 27 2008 Tomas Mraz [email protected] 0.9.8g-8
  • super-H arch support
  • drop workaround for bug 199604 as it should be fixed in gcc-4.3
  • Mon May 19 2008 Tom "spot" Callaway [email protected] 0.9.8g-7
  • sparc handling
  • Mon Mar 10 2008 Joe Orton [email protected] 0.9.8g-6
  • update to new root CA bundle from mozilla.org (r1.45)
  • Wed Feb 20 2008 Fedora Release Engineering [email protected] - 0.9.8g-5
  • Autorebuild for GCC 4.3
  • Thu Jan 24 2008 Tomas Mraz [email protected] 0.9.8g-4
  • merge review fixes (#226220)
  • adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)
  • Thu Dec 13 2007 Tomas Mraz [email protected] 0.9.8g-3
  • set default paths when no explicit paths are set (#418771)
  • do not add tls extensions to client hello for SSLv3 (#422081)
  • Tue Dec 04 2007 Tomas Mraz [email protected] 0.9.8g-2
  • enable some new crypto algorithms and features
  • add some more important bug fixes from openssl CVS
  • Mon Dec 03 2007 Tomas Mraz [email protected] 0.9.8g-1
  • update to latest upstream release, SONAME bumped to 7
  • Mon Oct 15 2007 Joe Orton [email protected] 0.9.8b-17
  • update to new CA bundle from mozilla.org
  • Fri Oct 12 2007 Tomas Mraz [email protected] 0.9.8b-16
  • fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)
  • fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)
  • add alpha sub-archs (#296031)
  • Tue Aug 21 2007 Tomas Mraz [email protected] 0.9.8b-15
  • rebuild
  • Fri Aug 03 2007 Tomas Mraz [email protected] 0.9.8b-14
  • use localhost in testsuite, hopefully fixes slow build in koji
  • CVE-2007-3108 - fix side channel attack on private keys (#250577)
  • make ssl session cache id matching strict (#233599)
  • Wed Jul 25 2007 Tomas Mraz [email protected] 0.9.8b-13
  • allow building on ARM architectures (#245417)
  • use reference timestamps to prevent multilib conflicts (#218064)
  • -devel package must require pkgconfig (#241031)
  • Mon Dec 11 2006 Tomas Mraz [email protected] 0.9.8b-12
  • detect duplicates in add_dir properly (#206346)
  • Thu Nov 30 2006 Tomas Mraz [email protected] 0.9.8b-11
  • the previous change still didn't make X509_NAME_cmp transitive
  • Thu Nov 23 2006 Tomas Mraz [email protected] 0.9.8b-10
  • make X509_NAME_cmp transitive otherwise certificate lookup
    is broken (#216050)
  • Thu Nov 02 2006 Tomas Mraz [email protected] 0.9.8b-9
  • aliasing bug in engine loading, patch by IBM (#213216)
  • Mon Oct 02 2006 Tomas Mraz [email protected] 0.9.8b-8
  • CVE-2006-2940 fix was incorrect (#208744)
  • Mon Sep 25 2006 Tomas Mraz [email protected] 0.9.8b-7
  • fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
  • fix CVE-2006-2940 - parasitic public keys DoS (#207274)
  • fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
  • fix CVE-2006-4343 - sslv2 client DoS (#206940)
  • Tue Sep 05 2006 Tomas Mraz [email protected] 0.9.8b-6
  • fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
  • Wed Aug 02 2006 Tomas Mraz [email protected] - 0.9.8b-5
  • set buffering to none on stdio/stdout FILE when bufsize is set (#200580)
    patch by IBM
  • Fri Jul 28 2006 Alexandre Oliva [email protected] - 0.9.8b-4.1
  • rebuild with new binutils (#200330)
  • Fri Jul 21 2006 Tomas Mraz [email protected] - 0.9.8b-4
  • add a temporary workaround for sha512 test failure on s390 (#199604)
  • Thu Jul 20 2006 Tomas Mraz [email protected]
  • add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)
  • add patches for BN threadsafety, AES cache collision attack hazard fix and
    pkcs7 code memleak fix from upstream CVS
  • Wed Jul 12 2006 Jesse Keating [email protected] - 0.9.8b-3.1
  • rebuild
  • Wed Jun 21 2006 Tomas Mraz [email protected] - 0.9.8b-3
  • dropped libica and ica engine from build
  • Wed Jun 21 2006 Joe Orton [email protected]
  • update to new CA bundle from mozilla.org; adds CA certificates
    from netlock.hu and startcom.org
  • Mon Jun 05 2006 Tomas Mraz [email protected] - 0.9.8b-2
  • fixed a few rpmlint warnings
  • better fix for #173399 from upstream
  • upstream fix for pkcs12
  • Thu May 11 2006 Tomas Mraz [email protected] - 0.9.8b-1
  • upgrade to new version, stays ABI compatible
  • there is no more linux/config.h (it was empty anyway)
  • Tue Apr 04 2006 Tomas Mraz [email protected] - 0.9.8a-6
  • fix stale open handles in libica (#177155)
  • fix build if 'rand' or 'passwd' in buildroot path (#178782)
  • initialize VIA Padlock engine (#186857)
  • Fri Feb 10 2006 Jesse Keating [email protected] - 0.9.8a-5.2
  • bump again for double-long bug on ppc(64)
  • Tue Feb 07 2006 Jesse Keating [email protected] - 0.9.8a-5.1
  • rebuilt for new gcc4.1 snapshot and glibc changes
  • Thu Dec 15 2005 Tomas Mraz [email protected] 0.9.8a-5
  • don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    in SSL_OP_ALL (#175779)
  • Fri Dec 09 2005 Jesse Keating [email protected]
  • rebuilt
  • Tue Nov 29 2005 Tomas Mraz [email protected] 0.9.8a-4
  • fix build (-lcrypto was erroneusly dropped) of the updated libica
  • updated ICA engine to 1.3.6-rc3
  • Tue Nov 22 2005 Tomas Mraz [email protected] 0.9.8a-3
  • disable builtin compression methods for now until they work
    properly (#173399)
  • Wed Nov 16 2005 Tomas Mraz [email protected] 0.9.8a-2
  • don't set -rpath for openssl binary
  • Tue Nov 08 2005 Tomas Mraz [email protected] 0.9.8a-1
  • new upstream version
  • patches partially renumbered
  • Fri Oct 21 2005 Tomas Mraz [email protected] 0.9.7f-11
  • updated IBM ICA engine library and patch to latest upstream version
  • Wed Oct 12 2005 Tomas Mraz [email protected] 0.9.7f-10
  • fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
    disables the countermeasure against man in the middle attack in SSLv2
    (#169863)
  • use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)
  • Tue Aug 23 2005 Tomas Mraz [email protected] 0.9.7f-9
  • add *.so.soversion as symlinks in /lib (#165264)
  • remove unpackaged symlinks (#159595)
  • fixes from upstream (constant time fixes for DSA,
    bn assembler div on ppc arch, initialize memory on realloc)
  • Thu Aug 11 2005 Phil Knirsch [email protected] 0.9.7f-8
  • Updated ICA engine IBM patch to latest upstream version.
  • Thu May 19 2005 Tomas Mraz [email protected] 0.9.7f-7
  • fix CAN-2005-0109 - use constant time/memory access mod_exp
    so bits of private key aren't leaked by cache eviction (#157631)
  • a few more fixes from upstream 0.9.7g
  • Wed Apr 27 2005 Tomas Mraz [email protected] 0.9.7f-6
  • use poll instead of select in rand (#128285)
  • fix Makefile.certificate to point to /etc/pki/tls
  • change the default string mask in ASN1 to PrintableString+UTF8String
  • Mon Apr 25 2005 Joe Orton [email protected] 0.9.7f-5
  • update to revision 1.37 of Mozilla CA bundle
  • Thu Apr 21 2005 Tomas Mraz [email protected] 0.9.7f-4
  • move certificates to _sysconfdir/pki/tls (#143392)
  • move CA directories to _sysconfdir/pki/CA
  • patch the CA script and the default config so it points to the
    CA directories
  • Fri Apr 01 2005 Tomas Mraz [email protected] 0.9.7f-3
  • uninitialized variable mustn't be used as input in inline
    assembly
  • reenable the x86_64 assembly again
  • Thu Mar 31 2005 Tomas Mraz [email protected] 0.9.7f-2
  • add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken
  • disable broken bignum assembly on x86_64
  • Wed Mar 30 2005 Tomas Mraz [email protected] 0.9.7f-1
  • reenable optimizations on ppc64 and assembly code on ia64
  • upgrade to new upstream version (no soname bump needed)
  • disable thread test - it was testing the backport of the
    RSA blinding - no longer needed
  • added support for changing serial number to
    Makefile.certificate (#151188)
  • make ca-bundle.crt a config file (#118903)
  • Tue Mar 01 2005 Tomas Mraz [email protected] 0.9.7e-3
  • libcrypto shouldn't depend on libkrb5 (#135961)
  • Mon Feb 28 2005 Tomas Mraz [email protected] 0.9.7e-2
  • rebuild
  • Mon Feb 28 2005 Tomas Mraz [email protected] 0.9.7e-1
  • new upstream source, updated patches
  • added patch so we are hopefully ABI compatible with upcoming
    0.9.7f
  • Thu Feb 10 2005 Tomas Mraz [email protected]
  • Support UTF-8 charset in the Makefile.certificate (#134944)
  • Added cmp to BuildPrereq
  • Thu Jan 27 2005 Joe Orton [email protected] 0.9.7a-46
  • generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)
  • Thu Dec 23 2004 Phil Knirsch [email protected] 0.9.7a-45
  • Fixed and updated libica-1.3.4-urandom.patch patch (#122967)
  • Fri Nov 19 2004 Nalin Dahyabhai [email protected] 0.9.7a-44
  • rebuild
  • Fri Nov 19 2004 Nalin Dahyabhai [email protected] 0.9.7a-43
  • rebuild
  • Fri Nov 19 2004 Nalin Dahyabhai [email protected] 0.9.7a-42
  • rebuild
  • Fri Nov 19 2004 Nalin Dahyabhai [email protected] 0.9.7a-41
  • remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)
  • Tue Oct 05 2004 Phil Knirsch [email protected] 0.9.7a-40
  • Include latest libica version with important bugfixes
  • Tue Jun 15 2004 Elliot Lee [email protected]
  • rebuilt
  • Mon Jun 14 2004 Phil Knirsch [email protected] 0.9.7a-38
  • Updated ICA engine IBM patch to latest upstream version.
  • Mon Jun 07 2004 Nalin Dahyabhai [email protected] 0.9.7a-37
  • build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)
  • Tue May 25 2004 Nalin Dahyabhai [email protected] 0.9.7a-36
  • handle %{_arch}=i486/i586/i686/athlon cases in the intermediate
    header (#124303)
  • Thu Mar 25 2004 Joe Orton [email protected] 0.9.7a-35
  • add security fixes for CAN-2004-0079, CAN-2004-0112
  • Tue Mar 16 2004 Phil Knirsch [email protected]
  • Fixed libica filespec.
  • Thu Mar 11 2004 Nalin Dahyabhai [email protected] 0.9.7a-34
  • ppc/ppc64 define powerpc/powerpc64, not ppc/ppc64, fix
    the intermediate header
  • Wed Mar 10 2004 Nalin Dahyabhai [email protected] 0.9.7a-33
  • add an intermediate which points to the right
    arch-specific opensslconf.h on multilib arches
  • Tue Mar 02 2004 Elliot Lee [email protected]
  • rebuilt
  • Thu Feb 26 2004 Phil Knirsch [email protected] 0.9.7a-32
  • Updated libica to latest upstream version 1.3.5.
  • Tue Feb 17 2004 Phil Knirsch [email protected] 0.9.7a-31
  • Update ICA crypto engine patch from IBM to latest version.
  • Fri Feb 13 2004 Elliot Lee [email protected]
  • rebuilt
  • Fri Feb 13 2004 Phil Knirsch [email protected] 0.9.7a-29
  • rebuilt
  • Wed Feb 11 2004 Phil Knirsch [email protected] 0.9.7a-28
  • Fixed libica build.
  • Wed Feb 04 2004 Nalin Dahyabhai [email protected]
  • add "-ldl" to link flags added for Linux-on-ARM (#99313)
  • Wed Feb 04 2004 Joe Orton [email protected] 0.9.7a-27
  • updated ca-bundle.crt: removed expired GeoTrust roots, added
    freessl.com root, removed trustcenter.de Class 0 root
  • Sun Nov 30 2003 Tim Waugh [email protected] 0.9.7a-26
  • Fix link line for libssl (bug #111154).
  • Fri Oct 24 2003 Nalin Dahyabhai [email protected] 0.9.7a-25
  • add dependency on zlib-devel for the -devel package, which depends on zlib
    symbols because we enable zlib for libssl (#102962)
  • Fri Oct 24 2003 Phil Knirsch [email protected] 0.9.7a-24
  • Use /dev/urandom instead of PRNG for libica.
  • Apply libica-1.3.5 fix for /dev/urandom in icalinux.c
  • Use latest ICA engine patch from IBM.
  • Sat Oct 04 2003 Nalin Dahyabhai [email protected] 0.9.7a-22.1
  • rebuild
  • Wed Oct 01 2003 Nalin Dahyabhai [email protected] 0.9.7a-22
  • rebuild (22 wasn't actually built, fun eh?)
  • Tue Sep 30 2003 Nalin Dahyabhai [email protected] 0.9.7a-23
  • re-disable optimizations on ppc64
  • Tue Sep 30 2003 Joe Orton [email protected]
  • add a_mbstr.c fix for 64-bit platforms from CVS
  • Tue Sep 30 2003 Nalin Dahyabhai [email protected] 0.9.7a-22
  • add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged
    as not needing executable stacks
  • Mon Sep 29 2003 Nalin Dahyabhai [email protected] 0.9.7a-21
  • rebuild
  • Thu Sep 25 2003 Nalin Dahyabhai [email protected]
  • re-enable optimizations on ppc64
  • Thu Sep 25 2003 Nalin Dahyabhai [email protected]
  • remove exclusivearch
  • Wed Sep 24 2003 Nalin Dahyabhai [email protected] 0.9.7a-20
  • only parse a client cert if one was requested
  • temporarily exclusivearch for %{ix86}
  • Tue Sep 23 2003 Nalin Dahyabhai [email protected]
  • add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
    and heap corruption (CAN-2003-0545)
  • update RHNS-CA-CERT files
  • ease back on the number of threads used in the threading test
  • Wed Sep 17 2003 Matt Wilson [email protected] 0.9.7a-19
  • rebuild to fix gzipped file md5sums (#91211)
  • Mon Aug 25 2003 Phil Knirsch [email protected] 0.9.7a-18
  • Updated libica to version 1.3.4.
  • Thu Jul 17 2003 Nalin Dahyabhai [email protected] 0.9.7a-17
  • rebuild
  • Tue Jul 15 2003 Nalin Dahyabhai [email protected] 0.9.7a-10.9
  • free the kssl_ctx structure when we free an SSL structure (#99066)
  • Fri Jul 11 2003 Nalin Dahyabhai [email protected] 0.9.7a-16
  • rebuild
  • Thu Jul 10 2003 Nalin Dahyabhai [email protected] 0.9.7a-15
  • lower thread test count on s390x
  • Tue Jul 08 2003 Nalin Dahyabhai [email protected] 0.9.7a-14
  • rebuild
  • Thu Jun 26 2003 Nalin Dahyabhai [email protected] 0.9.7a-13
  • disable assembly on arches where it seems to conflict with threading
  • Thu Jun 26 2003 Phil Knirsch [email protected] 0.9.7a-12
  • Updated libica to latest upstream version 1.3.0
  • Wed Jun 11 2003 Nalin Dahyabhai [email protected] 0.9.7a-9.9
  • rebuild
  • Wed Jun 11 2003 Nalin Dahyabhai [email protected] 0.9.7a-11
  • rebuild
  • Tue Jun 10 2003 Nalin Dahyabhai [email protected] 0.9.7a-10
  • ubsec: don't stomp on output data which might also be input data
  • Tue Jun 10 2003 Nalin Dahyabhai [email protected] 0.9.7a-9
  • temporarily disable optimizations on ppc64
  • Mon Jun 09 2003 Nalin Dahyabhai [email protected]
  • backport fix for engine-used-for-everything from 0.9.7b
  • backport fix for prng not being seeded causing problems, also from 0.9.7b
  • add a check at build-time to ensure that RSA is thread-safe
  • keep perlpath from stomping on the libica configure scripts
  • Fri Jun 06 2003 Nalin Dahyabhai [email protected]
  • thread-safety fix for RSA blinding
  • Wed Jun 04 2003 Elliot Lee [email protected] 0.9.7a-8
  • rebuilt
  • Fri May 30 2003 Phil Knirsch [email protected] 0.9.7a-7
  • Added libica-1.2 to openssl (featurerequest).
  • Wed Apr 16 2003 Nalin Dahyabhai [email protected] 0.9.7a-6
  • fix building with incorrect flags on ppc64
  • Wed Mar 19 2003 Nalin Dahyabhai [email protected] 0.9.7a-5
  • add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's
    attack (CAN-2003-0131)
  • Mon Mar 17 2003 Nalin Dahyabhai [email protected] 0.9.7a-4
  • add patch to enable RSA blinding by default, closing a timing attack
    (CAN-2003-0147)
  • Wed Mar 05 2003 Nalin Dahyabhai [email protected] 0.9.7a-3
  • disable use of BN assembly module on x86_64, but continue to allow inline
    assembly (#83403)
  • Thu Feb 27 2003 Nalin Dahyabhai [email protected] 0.9.7a-2
  • disable EC algorithms
  • Wed Feb 19 2003 Nalin Dahyabhai [email protected] 0.9.7a-1
  • update to 0.9.7a
  • Wed Feb 19 2003 Nalin Dahyabhai [email protected] 0.9.7-8
  • add fix to guard against attempts to allocate negative amounts of memory
  • add patch for CAN-2003-0078, fixing a timing attack
  • Thu Feb 13 2003 Elliot Lee [email protected] 0.9.7-7
  • Add openssl-ppc64.patch
  • Mon Feb 10 2003 Nalin Dahyabhai [email protected] 0.9.7-6
  • EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),
    to get the right behavior when passed uninitialized context structures
    (#83766)
  • build with -mcpu=ev5 on alpha family (#83828)
  • Wed Jan 22 2003 Tim Powers [email protected]
  • rebuilt
  • Fri Jan 17 2003 Phil Knirsch [email protected] 0.9.7-4
  • Added IBM hw crypto support patch.
  • Wed Jan 15 2003 Nalin Dahyabhai [email protected]
  • add missing builddep on sed
  • Thu Jan 09 2003 Bill Nottingham [email protected] 0.9.7-3
  • debloat
  • fix broken manpage symlinks
  • Wed Jan 08 2003 Nalin Dahyabhai [email protected] 0.9.7-2
  • fix double-free in 'openssl ca'
  • Fri Jan 03 2003 Nalin Dahyabhai [email protected] 0.9.7-1
  • update to 0.9.7 final
  • Tue Dec 17 2002 Nalin Dahyabhai [email protected] 0.9.7-0
  • update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
  • Wed Dec 11 2002 Nalin Dahyabhai [email protected]
  • update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
  • Tue Oct 22 2002 Nalin Dahyabhai [email protected] 0.9.6b-30
  • add configuration stanza for x86_64 and use it on x86_64
  • build for linux-ppc on ppc
  • start running the self-tests again
  • Wed Oct 02 2002 Elliot Lee [email protected] 0.9.6b-29hammer.3
  • Merge fixes from previous hammer packages, including general x86-64 and
    multilib
  • Tue Aug 06 2002 Nalin Dahyabhai [email protected] 0.9.6b-29
  • rebuild
  • Thu Aug 01 2002 Nalin Dahyabhai [email protected] 0.9.6b-28
  • update asn patch to fix accidental reversal of a logic check
  • Wed Jul 31 2002 Nalin Dahyabhai [email protected] 0.9.6b-27
  • update asn patch to reduce chance that compiler optimization will remove
    one of the added tests
  • Wed Jul 31 2002 Nalin Dahyabhai [email protected] 0.9.6b-26
  • rebuild
  • Mon Jul 29 2002 Nalin Dahyabhai [email protected] 0.9.6b-25
  • add patch to fix ASN.1 vulnerabilities
  • Thu Jul 25 2002 Nalin Dahyabhai [email protected] 0.9.6b-24
  • add backport of Ben Laurie's patches for OpenSSL 0.9.6d
  • Wed Jul 17 2002 Nalin Dahyabhai [email protected] 0.9.6b-23
  • own {_datadir}/ssl/misc
  • Fri Jun 21 2002 Tim Powers [email protected]
  • automated rebuild
  • Sun May 26 2002 Tim Powers [email protected]
  • automated rebuild
  • Fri May 17 2002 Nalin Dahyabhai [email protected] 0.9.6b-20
  • free ride through the build system (whee!)
  • Thu May 16 2002 Nalin Dahyabhai [email protected] 0.9.6b-19
  • rebuild in new environment
  • Thu Apr 04 2002 Nalin Dahyabhai [email protected] 0.9.6b-17, 0.9.6b-18
  • merge RHL-specific bits into stronghold package, rename
  • Tue Apr 02 2002 Gary Benson [email protected] stronghold-0.9.6c-2
  • add support for Chrysalis Luna token
  • Tue Mar 26 2002 Gary Benson [email protected]
  • disable AEP random number generation, other AEP fixes
  • Fri Mar 15 2002 Nalin Dahyabhai [email protected] 0.9.6b-15
  • only build subpackages on primary arches
  • Thu Mar 14 2002 Nalin Dahyabhai [email protected] 0.9.6b-13
  • on ia32, only disable use of assembler on i386
  • enable assembly on ia64
  • Mon Jan 07 2002 Florian La Roche Florian.[email protected] 0.9.6b-11
  • fix sparcv9 entry
  • Mon Jan 07 2002 Gary Benson [email protected] stronghold-0.9.6c-1
  • upgrade to 0.9.6c
  • bump BuildArch to i686 and enable assembler on all platforms
  • synchronise with shrimpy and rawhide
  • bump soversion to 3
  • Wed Oct 10 2001 Florian La Roche Florian.[email protected]
  • delete BN_LLONG for s390x, patch from Oliver Paukstadt
  • Mon Sep 17 2001 Nalin Dahyabhai [email protected] 0.9.6b-9
  • update AEP driver patch
  • Mon Sep 10 2001 Nalin Dahyabhai [email protected]
  • adjust RNG disabling patch to match version of patch from Broadcom
  • Fri Sep 07 2001 Nalin Dahyabhai [email protected] 0.9.6b-8
  • disable the RNG in the ubsec engine driver
  • Tue Aug 28 2001 Nalin Dahyabhai [email protected] 0.9.6b-7
  • tweaks to the ubsec engine driver
  • Fri Aug 24 2001 Nalin Dahyabhai [email protected] 0.9.6b-6
  • tweaks to the ubsec engine driver
  • Thu Aug 23 2001 Nalin Dahyabhai [email protected] 0.9.6b-5
  • update ubsec engine driver from Broadcom
  • Fri Aug 10 2001 Nalin Dahyabhai [email protected] 0.9.6b-4
  • move man pages back to %{_mandir}/man?/foo.?ssl from
    %{_mandir}/man?ssl/foo.?
  • add an [ engine ] section to the default configuration file
  • Thu Aug 09 2001 Nalin Dahyabhai [email protected]
  • add a patch for selecting a default engine in SSL_library_init()
  • Mon Jul 23 2001 Nalin Dahyabhai [email protected] 0.9.6b-3
  • add patches for AEP hardware support
  • add patch to keep trying when we fail to load a cert from a file and
    there are more in the file
  • add missing prototype for ENGINE_ubsec() in engine_int.h
  • Wed Jul 18 2001 Nalin Dahyabhai [email protected] 0.9.6b-2
  • actually add hw_ubsec to the engine list
  • Tue Jul 17 2001 Nalin Dahyabhai [email protected]
  • add in the hw_ubsec driver from CVS
  • Wed Jul 11 2001 Nalin Dahyabhai [email protected] 0.9.6b-1
  • update to 0.9.6b
  • Thu Jul 05 2001 Nalin Dahyabhai [email protected]
  • move .so symlinks back to %{_libdir}
  • Tue Jul 03 2001 Nalin Dahyabhai [email protected]
  • move shared libraries to /lib (#38410)
  • Mon Jun 25 2001 Nalin Dahyabhai [email protected]
  • switch to engine code base
  • Mon Jun 18 2001 Nalin Dahyabhai [email protected]
  • add a script for creating dummy certificates
  • move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?
  • Thu Jun 07 2001 Florian La Roche Florian.[email protected]
  • add s390x support
  • Fri Jun 01 2001 Nalin Dahyabhai [email protected]
  • change two memcpy() calls to memmove()
  • don't define L_ENDIAN on alpha
  • Wed May 23 2001 Joe Orton [email protected] stronghold-0.9.6a-1
  • Add 'stronghold-' prefix to package names.
  • Obsolete standard openssl packages.
  • Wed May 16 2001 Joe Orton [email protected]
  • Add BuildArch: i586 as per Nalin's advice.
  • Tue May 15 2001 Joe Orton [email protected]
  • Enable assembler on ix86 (using new .tar.bz2 which does
    include the asm directories).
  • Tue May 15 2001 Nalin Dahyabhai [email protected]
  • make subpackages depend on the main package
  • Tue May 01 2001 Nalin Dahyabhai [email protected]
  • adjust the hobble script to not disturb symlinks in include/ (fix from
    Joe Orton)
  • Fri Apr 27 2001 Nalin Dahyabhai [email protected]
  • drop the m2crypo patch we weren't using
  • Tue Apr 24 2001 Nalin Dahyabhai [email protected]
  • configure using "shared" as well
  • Sun Apr 08 2001 Nalin Dahyabhai [email protected]
  • update to 0.9.6a
  • use the build-shared target to build shared libraries
  • bump the soversion to 2 because we're no longer compatible with
    our 0.9.5a packages or our 0.9.6 packages
  • drop the patch for making rsatest a no-op when rsa null support is used
  • put all man pages into
    ssl instead of
  • break the m2crypto modules into a separate package
  • Tue Mar 13 2001 Nalin Dahyabhai [email protected]
  • use BN_LLONG on s390
  • Mon Mar 12 2001 Nalin Dahyabhai [email protected]
  • fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)
  • Sat Mar 03 2001 Nalin Dahyabhai [email protected]
  • move c_rehash to the perl subpackage, because it's a perl script now
  • Fri Mar 02 2001 Nalin Dahyabhai [email protected]
  • update to 0.9.6
  • enable MD2
  • use the libcrypto.so and libssl.so targets to build shared libs with
  • bump the soversion to 1 because we're no longer compatible with any of
    the various 0.9.5a packages circulating around, which provide lib*.so.0
  • Wed Feb 28 2001 Florian La Roche Florian.[email protected]
  • change hobble-openssl for disabling MD2 again
  • Tue Feb 27 2001 Nalin Dahyabhai [email protected]
  • re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152
    bytes or so, causing EVP_DigestInit() to zero out stack variables in
    apps built against a version of the library without it
  • Mon Feb 26 2001 Nalin Dahyabhai [email protected]
  • disable some inline assembly, which on x86 is Pentium-specific
  • re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)
  • Thu Feb 08 2001 Florian La Roche Florian.[email protected]
  • fix s390 patch
  • Fri Dec 08 2000 Than Ngo [email protected]
  • added support s390
  • Mon Nov 20 2000 Nalin Dahyabhai [email protected]
  • remove -Wa,* and -m* compiler flags from the default Configure file (#20656)
  • add the CA.pl man page to the perl subpackage
  • Thu Nov 02 2000 Nalin Dahyabhai [email protected]
  • always build with -mcpu=ev5 on alpha
  • Tue Oct 31 2000 Nalin Dahyabhai [email protected]
  • add a symlink from cert.pem to ca-bundle.crt
  • Wed Oct 25 2000 Nalin Dahyabhai [email protected]
  • add a ca-bundle file for packages like Samba to reference for CA certificates
  • Tue Oct 24 2000 Nalin Dahyabhai [email protected]
  • remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)
  • Mon Oct 02 2000 Nalin Dahyabhai [email protected]
  • add unzip as a buildprereq (#17662)
  • update m2crypto to 0.05-snap4
  • Tue Sep 26 2000 Bill Nottingham [email protected]
  • fix some issues in building when it's not installed
  • Wed Sep 06 2000 Nalin Dahyabhai [email protected]
  • make sure the headers we include are the ones we built with (aaaaarrgh!)
  • Fri Sep 01 2000 Nalin Dahyabhai [email protected]
  • add Richard Henderson's patch for BN on ia64
  • clean up the changelog
  • Tue Aug 29 2000 Nalin Dahyabhai [email protected]
  • fix the building of python modules without openssl-devel already installed
  • Wed Aug 23 2000 Nalin Dahyabhai [email protected]
  • byte-compile python extensions without the build-root
  • adjust the makefile to not remove temporary files (like .key files when
    building .csr files) by marking them as .PRECIOUS
  • Sat Aug 19 2000 Nalin Dahyabhai [email protected]
  • break out python extensions into a subpackage
  • Mon Jul 17 2000 Nalin Dahyabhai [email protected]
  • tweak the makefile some more
  • Tue Jul 11 2000 Nalin Dahyabhai [email protected]
  • disable MD2 support
  • Thu Jul 06 2000 Nalin Dahyabhai [email protected]
  • disable MDC2 support
  • Sun Jul 02 2000 Nalin Dahyabhai [email protected]
  • tweak the disabling of RC5, IDEA support
  • tweak the makefile
  • Thu Jun 29 2000 Nalin Dahyabhai [email protected]
  • strip binaries and libraries
  • rework certificate makefile to have the right parts for Apache
  • Wed Jun 28 2000 Nalin Dahyabhai [email protected]
  • use %{_perl} instead of /usr/bin/perl
  • disable alpha until it passes its own test suite
  • Fri Jun 09 2000 Nalin Dahyabhai [email protected]
  • move the passwd.1 man page out of the passwd package's way
  • Fri Jun 02 2000 Nalin Dahyabhai [email protected]
  • update to 0.9.5a, modified for U.S.
  • add perl as a build-time requirement
  • move certificate makefile to another package
  • disable RC5, IDEA, RSA support
  • remove optimizations for now
  • Wed Mar 01 2000 Florian La Roche Florian.[email protected]
  • Bero told me to move the Makefile into this package
  • Wed Mar 01 2000 Florian La Roche Florian.[email protected]
  • add lib*.so symlinks to link dynamically against shared libs
  • Tue Feb 29 2000 Florian La Roche Florian.[email protected]
  • update to 0.9.5
  • run ldconfig directly in post/postun
  • add FAQ
  • Sat Dec 18 1999 Bernhard Rosenkrdnzer [email protected]
  • Fix build on non-x86 platforms
  • Fri Nov 12 1999 Bernhard Rosenkrdnzer [email protected]
  • move /usr/share/ssl/* from -devel to main package
  • Tue Oct 26 1999 Bernhard Rosenkrdnzer [email protected]
  • inital packaging
  • changes from base:

    • Move /usr/local/ssl to /usr/share/ssl for FHS compliance

    • handle RPM_OPT_FLAGS

It looks like @Lekinho deleted their GitHub account? For the next person who has issues - it's possible that their upgrade of OpenSSL or Python broke some compiled C bindings. Whenever I have an upgrade like that, I trash my virtualenv or all packages and then build a new one.

@jvanasco I'm still here.
I was wondering, do you have a public URL I could test this with? I want to see if the workaround actually resolves the issue for confirmed cases (this will mean I didn't screw something up while trying to do it).

@Lukasa

subset of changeset between working version and updated version :+1:
Mon May 02 2016 Tomáš Mráz [email protected] 1.0.1e-48.1
fix CVE-2016-2105 - possible overflow in base64 encoding
fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
fix CVE-2016-2108 - memory corruption in ASN.1 encoder
fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
fix CVE-2016-0799 - memory issues in BIO_printf

Wed Feb 24 2016 Tomáš Mráz [email protected] 1.0.1e-48

fix CVE-2016-0702 - side channel attack on modular exponentiation
fix CVE-2016-0705 - double-free in DSA private key parsing
fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

Tue Feb 16 2016 Tomáš Mráz [email protected] 1.0.1e-47

fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
disable SSLv2 in the generic TLS method

Fri Jan 15 2016 Tomáš Mráz [email protected] 1.0.1e-46

fix 1-byte memory leak in pkcs12 parse (#1229871)
document some options of the speed command (#1197095)

Thu Jan 14 2016 Tomáš Mráz [email protected] 1.0.1e-45

fix high-precision timestamps in timestamping authority

Mon Dec 21 2015 Tomáš Mráz [email protected] 1.0.1e-44

fix CVE-2015-7575 - disallow use of MD5 in TLS1.2

Fri Dec 04 2015 Tomáš Mráz [email protected] 1.0.1e-43

fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
fix CVE-2015-3196 - race condition when handling PSK identity hint

Tue Jun 23 2015 Tomáš Mráz [email protected] 1.0.1e-42

Update:
So I found a work around for this.
Basically a colleague was reading up on the issue and saw some posts about RHEL openssl support for ECC/ECDH cipher not being 100% for whatever reason.

We tried out the request to the URL by explicitly disabling ECDH ciphers (adding the negation from openssl script itself i.e. openssl s_client -connect 10.85.103.218:8443 -cipher 'DEFAULT:!ECDH')

We were able to successfully connect.

Here's the default cipher list for the openssl on ubuntu 14.04
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:!eNULL:!MD5

So with that knowledge, I used pyopenssl to print out my default SSL ciphers and explicitly removed every ECDH cipher from the string. Did this right in the block to import urllib3 from requests package (i.e. before starting to make any actual requests). Here's something similar:
https://github.com/kennethreitz/requests/issues/1308

I realize there may be security risks for this action but at least this gets us going and sheds more light on it.

Why those particular ciphers appear to be an issue for the RHEL, I have no idea.

I will try when I have more time to see what particular RHEL changes may have introduced this and read up on the purpose more.

Anyone know more about ciphers generally?

Have the same issue... ARG...

@lukas-gitl frustration will not help you solve the problem. Providing us with information about your environment (preferably some - if not all - of the information that we asked Lekinho above) will help.

@sigmavirus24 Apologies. I meant to provide more information and then got sidetracked (since I had no time for this). I'm using Ubuntu 14.04, Python 2.7.6 and the latest requests version on pip. This happens when I try to access an API Gateway endpoint (they might be quite restrictive).

I tried removing the virtualenv and regenerating it but unfortunately that didn't solve it.

Let me know what else you need. I switched to nodejs for the time but would be happy to help with a resolution.

@lukas-gitl It's highly likely that the server you're contacting requires ciphers you aren't offering, or TLS versions you aren't offering. This can be related to the OpenSSL you have installed. You should also try running pip install requests[security]: you may be encountering problems with SNI.

Yeah, I already tried that too. Let me put a quick test script together here so we are on the same page.

virtualenv -p /usr/bin/python2.7 env
source env/bin/activate
pip install requests
pip install requests[security]
echo 'import requests' >> test.py
echo 'requests.get("https://API_ID.execute-api.us-west-2.amazonaws.com/ENV/ENPOINT")' >> test.py
python test.py

And what specific error are you seeing?

```
.../env/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
.../env/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Traceback (most recent call last):
  File "test.py", line 2, in <module>
    requests.get("https://sbsz8eqowe.execute-api.us-west-2.amazonaws.com/dev/segment_to_s3_webhook")
  File ".../env/local/lib/python2.7/site-packages/requests/api.py", line 71, in get
    return request('get', url, params=params, **kwargs)
  File ".../env/local/lib/python2.7/site-packages/requests/api.py", line 57, in request
    return session.request(method=method, url=url, **kwargs)
  File ".../env/local/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File ".../env/local/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File ".../env/local/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
```

So I'm basically required to update to a later version of python?

Ok, both of those warnings suggest that your requests is not actually using the extensions from requests[security]. It strongly suggests that whatever Python you are executing is _not_ the one you installed in your virtual environment: the requests[security] extension should remove those warnings.

@lukas-gitl please see my notes above.
Do you have access to the server? compare the default ciphers list for the server and the client.
It is highly likely 1 of them doesnt support the first set of ciphers in the other, hence the error.

You can check default ciphers with a simple script like what i used here :

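```python
#!/usr/bin/python
# Print the local OpenSSL build and the default cipher list that urllib3's
# pyOpenSSL backend (as bundled with requests) offers to servers.
import sys
import os
import ssl

print(ssl.OPENSSL_VERSION)
# Make locally vendored and system-wide packages importable.
sys.path.insert(1, os.path.abspath(os.path.join(os.getcwd(), 'lib')))
sys.path.append('/usr/local/lib/python2.7/dist-packages')
import requests
from requests.packages.urllib3.contrib import pyopenssl

pyopenssl.inject_into_urllib3()
print(pyopenssl.DEFAULT_SSL_CIPHER_LIST)
```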

Ok, now I'm really confused. The error messages are coming from the virtual environment. So how could those come from there while I execute from a different python environment?

So I tried pip install pyopenssl ndg-httpsclient pyasn1 instead of pip install requests[security] and that worked...

Aha, I suspect your pip is too old to handle the extras.

Ah, damn. That explains a lot. Thank you very much for your help!

I encountered the same trouble here. I was trying to send a GET request with the following code:
requests.get('https://mdskip.taobao.com/core/initItemDetail.htm?itemId=530444505608&showShopProm=false&queryMemberRight=true&isRegionLevel=false&tmallBuySupport=true&addressLevel=2&sellerPreview=false&isForbidBuyItem=false&cachedTimestamp=1466835924196&offlineShop=false&household=false&tryBeforeBuy=false&isSecKill=false&service3C=false&isApparel=true&isUseInventoryCenter=false&cartEnable=true&isAreaSell=false&callback=setMdskip&timestamp=1466841669969&isg=Al9faN3XWRpIf6UEoQ88UH/1b7np0rNm&ref=https%3A%2F%2Fs.taobao.com%2Fsearch%3Fq%3D%25E6%258B%2589%25E5%25A4%258F%25E8%25B4%259D%25E5%25B0%2594%26imgfile%3D%26commend%3Dall%26ssid%3Ds5-e%26search_type%3Ditem%26sourceId%3Dtb.index%26spm%3Da21bo.50862.201856-taobao-item.1%26ie%3Dutf8%26initiative_id%3Dtbindexz_20160625')

Unfortunately I was given the error info:

```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Python/2.7/site-packages/requests/api.py", line 71, in get
    return request('get', url, params=params, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/api.py", line 57, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",)
```

I tried to brew install openssl, brew upgrade openssl, pip install --upgrade pip, pip install requests, pip install request[security], but they didn't work.

However when I type openssl version I got OpenSSL 0.9.8zh 14 Jan 2016, I don't know if it's all right.

Is there anyone who could help me with it?

@jschwinger23 Can you run pip install pyopenssl ndg-httpsclient pyasn1 as well please?

@Lukasa Thanks for your reply. I reconfirmed that I did install them:

```
$ pip install pyopenssl ndg-httpsclient pyasn1
Requirement already satisfied (use --upgrade to upgrade): pyopenssl in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python
Requirement already satisfied (use --upgrade to upgrade): ndg-httpsclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): pyasn1 in /Library/Python/2.7/site-packages
```

but code still down.

Anyway, I figured out that everything goes well in Python3, and I am glad to be able to code in python3.
Thank you very much.

Followed above instructions but still running into this issue

```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Python/2.7/site-packages/requests/api.py", line 71, in get
    return request('get', url, params=params, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/api.py", line 57, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",)
```

Any ideas?

@rohanpai It is likely that you have either no cipher overlap, or that the remote server is unhappy with the versions you're offering, or that you're expected to provide a client cert and are not. It's hard to give more specific advice. Try this to investigate the issue.

On Ubuntu 14.04 LTS I needed to do this:

sudo pip install ndg-httpsclient pyasn1 --upgrade

Note that in Ubuntu it's not possible to upgrade/remove pyopenssl as it's owned by the OS.

markstrefford's solution worked for me on macOS Sierra too.

@markstrefford's solution also worked for me.

Just a heads up for anyone using OpenSSL 1.1:
You'll run into this issue as well, even when forcing TLS adapters, when the remote server offers Elliptic Curves as the first option.
The cause is: http://bugs.python.org/issue29697

Hey guys! I'm having the same issue with the following server https://34.200.105.231/SID/Service.svc?wsdl. I've tried everything and I jump from and to the same 2 errors:

  • requests.exceptions.SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
  • requests.exceptions.SSLError: EOF occurred in violation of protocol (_ssl.c:661)

Any ideas? @Lukasa, I see a few issues with the Certificate, but seems like it shouldn't be that bad: https://sslanalyzer.comodoca.com/?url=34.200.105.231

The certificate won't usually cause this problem: this problem is caused by the server hanging up on us, so usually it's the result of a cipher suite mismatch. In this case, that's exactly what's going on as you can see here.

This is a server that, frankly, should never be exposed to the open internet. There are no secure methods of communicating with this server: none, zero. This is why the handshake fails: Requests only accepts modern cipher suites, and there are no modern cipher suites available to this server. The best option is TLS_RSA_WITH_3DES_EDE_CBC_SHA, an option we removed because it is vulnerable to practical attacks on large-scale data transfer.

If this server is yours, please upgrade it to a better TLS implementation or change the settings. Otherwise, my first bit of advice is to reconsider ever speaking to this server. If you must, then you can use the code here, but I strongly recommend that you put pressure on the server operator to fix this mess.

@Lukasa -- thanks for working through this with everyone! I've read through and tried most of this.

Issue

When running script on Windows it all works.
When running script on OSX receive:

raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

I'm not convinced it is not the server itself, but would appreciate any additional help to confirm and/or pop me out of this rabbit hole. Would be a huge win to get it to work.

OSX specifics:

  • Python Python 2.7.10
  • OpenSSL OpenSSL 1.1.1-dev xx XXX xxxx (compiled via GitHub)
  • using PIP to install

Attempts made

  • uninstalled pyopenssl, requests, requests[security], cryptography
  • installed against env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/usr/local/opt/openssl/lib" CFLAGS="-I/usr/local/opt/openssl/include" pip install --force-reinstall --no-cache-dir {PACKAGE}

I am not 100% sure that installing against the openssl actually did anything, as it seemed to act the same as installing without (such as, speed and messaging all appeared the same)

As directed in another thread (above), connecting directly via OpenSSL appears to be happy?

openssl s_client -connect XXX.102.7.147:443
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 198 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1493384325
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Uh...OpenSSL is technically fine, but that OpenSSL negotiated no cipher (that is, it appears to have negotiated SSL_NULL_WITH_NULL_NULL). Can you run ssllabs against your server and check what cipher suites it supports?

@Lukasa It's not exposed on the internet, is there some command line probe that I could fire off that could provide adequate insight for you?

You could try cipherscan.

@Lukasa got it installed ... it's acting wonky (no output, watching it) ... will post back if I come up with anything that could be passed along. Thanks for the guidance!

@Lukasa thanks so much for your help - never actually got cipherscan working - but corrected our issues. It had nothing to do with any of this, and was a silly IP mismatch across our environments ... lessons learned! thank you ...

No problem at all, glad you got it sorted!

streamlink -l debug httpstream://https://www.arconaitv.us/stream.php?id=43 worst
[cli][info] streamlink is running as root! Be careful!
[cli][debug] OS: Linux-4.14.0-041400-generic-x86_64-with-Ubuntu-14.04-trusty
[cli][debug] Python: 2.7.6
[cli][debug] Streamlink: 0.13.0+27.g2ff314c
[cli][debug] Requests(2.19.1), Socks(1.6.7), Websocket(0.48.0)
[cli][info] Found matching plugin http for URL httpstream://https://www.arconaitv.us/stream.php?id=43
[plugin.http][debug] URL=https://www.arconaitv.us/stream.php?id=43; params={}
[cli][info] Available streams: live (worst, best)
[cli][info] Opening stream: live (http)
[cli][debug] Pre-buffering 8192 bytes
[cli][info] Starting player: /usr/bin/vlc
[cli][debug] Writing stream to output
[cli][info] Stream ended
[cli][info] Closing currently open stream..

tried but no luck

At last got it working tvplayer on local PC. I installed tinyproxy in my local PC but in VPS httpproxy xxxx not working.
Is tinyproxy ok or do I need some other proxy server to install in my local PC?

tinyproxy.txt

Hi @maanich, this doesn’t appear to be directly related to this issue, or to be a defect report for Requests which is what this issue tracker is reserved for. If you have questions about system configuration, those will be best addressed on a platform like StackOverflow. Thanks!

streamlink --https-proxy "http://8xxxx:8000/" --tvplayer-email [email protected] --tvplayer-password vcvdf3 --http-no-ssl-verify https://tvplayer.com/watch/itv best --player-no-close --stdout | /var/tmp/youtube/ffmpeg -y -i pipe:0 -vcodec copy -acodec copy -flags -global_header -hls_flags delete_segments -hls_time 10 -hls_list_size 6 /mnt/hls/arc.m3u8
ffmpeg version 4.0-static https://johnvansickle.com/ffmpeg/ Copyright (c) 2000-2018 the FFmpeg developers
built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
configuration: --enable-gpl --enable-version3 --enable-static --disable-debug --disable-ffplay --disable-indev=sndio --disable-outdev=sndio --cc=gcc-6 --enable-libxml2 --enable-fontconfig --enable-frei0r --enable-gnutls --enable-gray --enable-libaom --enable-libfribidi --enable-libass --enable-libfreetype --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librubberband --enable-libsoxr --enable-libspeex --enable-libvorbis --enable-libopus --enable-libtheora --enable-libvidstab --enable-libvo-amrwbenc --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzimg
libavutil 56. 14.100 / 56. 14.100
libavcodec 58. 18.100 / 58. 18.100
libavformat 58. 12.100 / 58. 12.100
libavdevice 58. 3.100 / 58. 3.100
libavfilter 7. 16.100 / 7. 16.100
libswscale 5. 1.100 / 5. 1.100
libswresample 3. 1.100 / 3. 1.100
libpostproc 55. 1.100 / 55. 1.100
[console][info] streamlink is running as root! Be careful!
[console][info] Found matching plugin tvplayer for URL https://tvplayer.com/watch/itv
error: Unable to open URL: https://live.tvplayer.com/stream.m3u8?id=204&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cCo6XC9cL2xpdmUudHZwbGF5ZXIuY29tXC9zdHJlYW0ubTN1OD9pZD0yMDQiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE1MjkwNTc0OTR9LCJJcEFkZHJlc3MiOnsiQVdTOlNvdXJjZUlwIjoiNjIuMjEwLjE0Mi42NlwvMzIifX19XX0_&Signature=mHOteYcUu4QsbGDn0e~7meDUGT8VN7bVOBAHa-0Mk6ROA9XHYx3aIAZMAo3dFjOGuWk-3MszJzRFHdv~-CCsmX3D8XQa2zvzfuIWfMAT~yDshroXBN25iW6ZJ0-7lGla00jMTUpm5sW-uDy18OkiBWgGvDVas2Lz-EW~5-LTw2YWvEpqkvRB9OpcsHJj9RRQLuDVjwYKXwKvHTJmB1J~sGE3aigaL7AZyBaIAUMcpk-xYMpDuPV9BsBN9AT397lFfRPFt155u~yeBHZ4JlUN2GINUBt0-CzGuYVq3dsOkYYEZJo9cQTVhArpo7ek03VbDP5egtCM8obN63AEkA__&Key-Pair-Id=APKAJGWDVCU5SXAPJELQ (403 Client Error: Forbidden)
pipe:0: Invalid data found when processing input

advice please n what proxy server is good for streamlink if any
