Ubuntu 14.04+ can’t connect to some servers

Some servers have trouble talking to Ubuntu 14.04+. This is because OpenSSL 1.0.1g, which included a patch to use a different TLS padding value, was not packaged for Ubuntu; OpenSSL security fixes have been backported to Ubuntu’s 1.0.1f since then. The patch in question carries this commit message:

commit 6411b83e52fdfd0d3563d50a4dc00838b142fb2c
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Apr 5 20:43:54 2014 +0100

Set TLS padding extension value.

Enable TLS padding extension using official value from:

(cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)



It seems that some MS IIS servers are configured to reject TLS connections that advertise a particular version and do not use this new padding spec, probably in an attempt to mitigate the POODLE attack. Interestingly, OpenSSL 1.0.1a still seems to work.

This problem will often manifest as a connection that hangs during SSL protocol negotiation, or as an error stating that there was an unknown SSL protocol error. It can be worked around without patches by manually specifying the cipher on the command line.
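One way to check a server for this symptom and confirm the workaround, as an added example that is not part of the original post. It assumes `openssl` and coreutils `timeout` are installed; the function names, the 10-second limit and the AES128-SHA cipher in the usage comment are illustrative choices.

```shell
#!/bin/sh
# Added example: compare a default-cipher handshake with a pinned-cipher one.

# classify_handshake RC OUTPUT -> prints "hang", "ok" or "error"
classify_handshake() {
    # timeout(1) exits 124 when it had to kill the command: the hung negotiation
    if [ "$1" -eq 124 ]; then echo hang; return 0; fi
    # s_client reports "Cipher is (NONE)" when no cipher was negotiated
    case $2 in
        *"Cipher is (NONE)"*) echo error ;;
        *"Cipher is "*)       echo ok ;;
        *)                    echo error ;;
    esac
}

# probe HOST:PORT [CIPHER] -> classification of one handshake attempt
probe() {
    target=$1; cipher=${2:-}; rc=0
    if [ -n "$cipher" ]; then
        # The workaround from the text: name the cipher explicitly
        out=$(timeout 10 openssl s_client -connect "$target" \
              -cipher "$cipher" </dev/null 2>&1) || rc=$?
    else
        # Library default cipher list, i.e. what an unmodified client sends
        out=$(timeout 10 openssl s_client -connect "$target" \
              </dev/null 2>&1) || rc=$?
    fi
    classify_handshake "$rc" "$out"
}

# diagnose DEFAULT_RESULT PINNED_RESULT -> one-line verdict
diagnose() {
    case "$1/$2" in
        ok/*)             echo "not affected" ;;
        hang/ok|error/ok) echo "affected: pinned cipher works around it" ;;
        *)                echo "inconclusive: pinned cipher also fails" ;;
    esac
}

# Usage (needs network; host is a placeholder):
#   diagnose "$(probe server.example:443)" "$(probe server.example:443 AES128-SHA)"
```

Pick a cipher the server is known to accept; an "inconclusive" verdict means the failure is not explained by the default cipher list alone.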
