[CalendarServer-users] SSL problems with 2.3 and trunk under Debian

Mark Nipper nipsy at bitgnome.net
Tue Jan 12 13:28:37 PST 2010


	As a follow up, I was thinking this might be related to
the recent switch in Debian which enabled IPV6_V6ONLY on all sockets
by default (through sysctl's net.ipv6.bindv6only).  However,
disabling this feature is still resulting in an inoperable SSL
connection.

	So my next inclination is that this might be related to
the recent SSL/TLS protocol vulnerability (CVE-2009-3555), and
sure enough, it is.

	Here's something that finally worked for me when
connecting to the server on port 8443:
---
openssl s_client -connect localhost:8443 -prexit -state -debug -msg -no_tls1 -no_ssl2

Completely disabling any possibility of renegotiation on the
client side suddenly gave me a working connection to the server.

	Now, I assume this is related to changes in Debian's
currently packaged OpenSSL library to try to work around the
aforementioned vulnerability.  The current version is 0.9.8k-7,
which according to:
---
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562746

is really just 0.9.8l backported to the local version of 0.9.8k
in Debian itself.

	Point being, this is going to start biting people I think
as people upgrade.  Since I think the ultimate fix is still
pending at the moment, I'm not sure if you want to address the
issue at all for the time being.  I don't even know if Apple has
addressed this issue yet or not in Mac OS X.

	If anyone has any suggestions on how to work around the
issue on the client side (specifically Sunbird/Lightning), I'd
love to hear them.

-- 
Mark Nipper
nipsy at bitgnome.net (XMPP)
+1 979 575 3193
-
And if I close my mind in fear, please pry it open.
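
Added example, not part of the original message: a shell helper that reads the output of an `openssl s_client` run like the one above and reports whether the peer advertised secure renegotiation (RFC 5746, the protocol-level fix for CVE-2009-3555, published after this message). The function names and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Classify the renegotiation status shown in an `openssl s_client` transcript.
# Reads the transcript on stdin and prints "<status> <protocol>", where status is:
#   supported      - peer sent the RFC 5746 renegotiation indication
#   not-supported  - peer did not send it (no fix, or renegotiation switched off outright)
#   n/a            - TLS 1.3 session (that protocol has no renegotiation)
#   unknown        - no status line (failed handshake, or an s_client too old to print it)
reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { status = "not-supported" }
        /Secure Renegotiation IS supported/     { status = "supported" }
        /^ *Protocol *:/                        { proto = $NF }
        /^(New|Reused), TLSv1\.3,/              { proto = "TLSv1.3" }
        END {
            if (proto == "TLSv1.3") status = "n/a"
            if (status == "") status = "unknown"
            if (proto == "")  proto = "-"
            print status, proto
        }'
}

# Live check against a server; host:port is supplied by the caller.
probe() {
    openssl s_client -connect "$1" </dev/null 2>&1 | reneg_status
}

# Constructed transcripts (not captured from a real server).
sample_patched() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
EOF
}
sample_unpatched() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
EOF
}

sample_patched   | reneg_status
sample_unpatched | reneg_status
```

Call `probe host:port` for a live check; an s_client build that predates RFC 5746 support prints no status line and yields `unknown`.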

