This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Problem with HTTPS in LWP module in Perl - solution


FYI,

I ran into the same problem, did some wiresharking, and figured out what the differences are
between a successful handshake (Firefox) and the failure (LWP using SSLeay/openssl).
I'm not too familiar with SSL/TLS etc, but it turns out that the cipher list is way larger using
openssl (64 suites) than with Firefox (36 suites). I figure the order and presence of some ciphers
is the cause: the actual cipher used is TLS_RSA_WITH_RC4_128_SHA, which is present in both
cases. Also the TLS version used (1.0 for Firefox, 1.2 for openssl) does not make a difference.


The following code allows for a successful transaction with https://www.geocaching.com.
The solution is in the SSL_cipher_list:


$ perl -e '$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS}="IO::Socket::SSL";
use IO::Socket::SSL; IO::Socket::SSL::set_defaults(SSL_cipher_list => "RC4-SHA");
use LWP::UserAgent; print LWP::UserAgent->new()->request(
HTTP::Request->new(GET=>"https://www.geocaching.com"))->content;'


However this includes only the one cipher (and TLS_EMPTY_RENEGOTIATION_INFO_SCSV).

Expanding to all SHA ciphers, the following filter must be used:
          'SHA:!NULL:!3DES:!DES:!ADH:!SRP'

Finally, this is the filter with a relatively broad scope, and again all exclusions are required:

'ALL:!3DES:!DES:!ADH:!SRP:!AESGCM:!SHA256:!SHA384'

When any of these excluded ciphers/hashes are present in the Client Hello negotiation packet,
there is no response from the server besides a TCP ACK.
Note that, for instance, '!3DES' also filters out ciphers that use 3DES as an encoding (I guess)
and not as the main cipher, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, whose presence in the handshake is not problematic.


I figure that servers that do not respond at the TLS/SSL level when they see a client offering certain capabilities have their reasons for doing so, for a 'rep scasw' can't be that buggy.

Yours sincerely,
  Kenney Westerhof
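An added example (not part of Kenney's post or of the Cygwin/Perl code it discusses): the three cipher-list strings from the post are resolved through Python's ssl module, which hands an OpenSSL cipher string to OpenSSL exactly as IO::Socket::SSL's SSL_cipher_list does, so a practitioner can see which suites each filter actually puts into the ClientHello and confirm the post's observation that '!3DES' also drops TLS_RSA_WITH_3DES_EDE_CBC_SHA (OpenSSL name DES-CBC3-SHA). It assumes CPython 3.7 or later on OpenSSL 1.1 or later, where get_ciphers() attaches the structured 'symmetric', 'digest', 'kea' and 'auth' fields; the mapping from each '!keyword' to those fields is my own approximation of OpenSSL's keyword semantics, and all function names are mine. On such builds RC4 is normally compiled out, so the post's 'RC4-SHA' string resolves to nothing at all.

```python
import ssl

# Cipher-list strings quoted from the post, in the order the post gives them.
# They use OpenSSL cipher-string syntax; Python's ssl module passes the string
# to OpenSSL unchanged, just as IO::Socket::SSL's SSL_cipher_list does.
FILTERS = {
    "rc4_only": "RC4-SHA",
    "all_sha1": "SHA:!NULL:!3DES:!DES:!ADH:!SRP",
    "broad": "ALL:!3DES:!DES:!ADH:!SRP:!AESGCM:!SHA256:!SHA384",
}


def resolve_suites(cipher_string):
    """Return the suite records OpenSSL selects for a cipher string.

    Only TLS 1.2-and-below suites are returned: OpenSSL reports the TLS 1.3
    suites through get_ciphers() regardless of the string, and they are
    configured separately. An empty list means OpenSSL rejected the string
    because nothing matched, which is what happens for 'RC4-SHA' on builds
    that compile RC4 out (the default since OpenSSL 1.1.0).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_cipher_list(cipher_string):
    """Suite names, in the order they would be offered in the ClientHello."""
    return [c["name"] for c in resolve_suites(cipher_string)]


def _suite_matches(cipher, keyword):
    # Assumption: approximation of what each '!keyword' used in the post's
    # filters excludes, expressed over the structured fields CPython 3.7+
    # attaches to every get_ciphers() record (OpenSSL long names).
    sym = cipher.get("symmetric") or ""
    digest = cipher.get("digest") or ""
    kea = cipher.get("kea") or ""
    auth = cipher.get("auth") or ""
    checks = {
        "NULL": "symmetric" in cipher and cipher["symmetric"] is None,  # no encryption
        "3DES": sym == "des-ede3-cbc",
        "DES": sym == "des-cbc",
        "ADH": kea == "kx-dhe" and auth == "auth-null",  # anonymous DH, no server auth
        "SRP": kea == "kx-srp",
        "AESGCM": sym in ("aes-128-gcm", "aes-256-gcm"),
        "SHA256": digest == "sha256",
        "SHA384": digest == "sha384",
    }
    return checks.get(keyword, False)


def excluded_keywords(cipher_string):
    """The '!keyword' tokens of a cipher string, without the leading '!'."""
    return [tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")]


def violations(cipher_string):
    """Suites still offered although they carry a property the string excludes.

    An empty result confirms the filter removes what the post says it removes.
    """
    bad = []
    for cipher in resolve_suites(cipher_string):
        for kw in excluded_keywords(cipher_string):
            if _suite_matches(cipher, kw):
                bad.append((cipher["name"], kw))
    return bad


if __name__ == "__main__":
    for label, cipher_string in FILTERS.items():
        names = resolve_cipher_list(cipher_string)
        print(f"{label}: {len(names)} suite(s) offered, violations={violations(cipher_string)}")
        for name in names:
            print("   ", name)
    # The post's point about '!3DES': the whole 3DES family goes, including
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA, which OpenSSL names DES-CBC3-SHA.
    print("DES-CBC3-SHA offered by 'ALL':  ", "DES-CBC3-SHA" in resolve_cipher_list("ALL"))
    print("DES-CBC3-SHA offered by 'broad':", "DES-CBC3-SHA" in resolve_cipher_list(FILTERS["broad"]))
```

The same listing is available on the command line with `openssl ciphers -v '<string>'`, which is the quickest way to check what a given SSL_cipher_list value will offer before it is handed to IO::Socket::SSL or to LWP::UserAgent's ssl_opts.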



