Bug TLS negotiation to server fails, browser and latest cURL work without a problem
rumbah
Newbie
Posts: 6
#1
2017-10-21, 01:07
Hi,

connecting to my server fails with a SSL negotiation error. The server runs with apache and TLS 1.2 with name based vhosts, so SNI is needed for the connection (URL in the log). Older standalone versions of cURL fails, but the latest works.

Here is the requested data:

1. Version of Kodi: 17.4 and 18 922a6bb 32bit

2. Windows 10 "Creators Update" 64bit (not fall creators)

3. CPU/Architecture: Intel Xeon E3 1230 v3, Haswell

4. RAM amount: 32GB

5. Detailed Instructions to reproduce the Problem: Just trying to connect to my server by adding it as a source as https webserver. You get an error message that a connection to the server is not possible.
The log suggests a SSL negotiation error. I tried multiple browsers (Firefox v36, v37, Opera, Chrome, Vivaldi) and cURL 7.56 and 7.46 (the only older binary for Windows that I could find) to connect to the server.
The browsers and cURL 7.56 work without a problem, cURL 7.46 shows the same error as Kodi.

6. Details of all devices relevant to the problem: I don't know what to describe here, hardware description in the log.

7. FULL Debug Log (with cURL log enabled): https://pastebin.ca/3892992

If you need any additional info or more testing I'll be glad to help.

EDIT: LibreElec on a pie cannot connect to the server either.
Find
Reply
asavah
Posting Freak
Posts: 1,010
#2
2017-10-21, 04:16
Your server configuration is wrong.
Code:
openssl s_client -showcerts -servername  youserverurl.from.log -connect youserverurl.from.log:443 </dev/null
CONNECTED(00000003)
1996055776:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:772:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Master-Key:
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1508551895
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---

This output is from openssl 1.0.2l.
The same command when used to query my own server (nginx, tls1.2 + sni + letsencrypt cert) does return the proper certificate.
Find
Reply
rumbah
Newbie
Posts: 6
#3
2017-10-21, 07:56
Testing with OpenSSL 1.1.0 does work without a problem.

But I just tested the supported cipher suites with my server and it seems only one is supported:

Code:
prio  ciphersuite                  protocols  pfs_keysize
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2    X25519,253bits
And that is only supported with OpenSSL >= 1.1.0 it seems. So I guess that the Windows version and LibreElec version of Kodi only use OpenSSL 1.0.2 .
The curious thing is that my config contains:

Code:
#    Mozilla Modern

SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-ECDSA-AES128-SHA384:ECDHE-RSA-AES128-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-RSA-AES256-SHA256
Find
Reply

Home
Search
Help
Logout Mark Read Team Forum Stats Members Help
TLS negotiation to server fails, browser and latest cURL work without a problem0