Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Problems with openssl
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
micaldas
n00b
n00b


Joined: 12 Mar 2018
Posts: 37

PostPosted: Sun Jul 22, 2018 8:29 pm    Post subject: Problems with openssl Reply with quote

Hi,
I'm using Gentoo amd64 and tried to access python.org, through Firefox 52.8.0 64bit, and after writing the url I just get a blank page with a "New Tab" header.
I then tried to access it through Opera 12.16 and got the following error message:

Quote:
You tried to access the address http://python.org/, which is currently unavailable. Please make sure that the web address (URL) is correctly spelled and punctuated, then try reloading the page.

Secure connection: fatal error (70) from server.

https://www.python.org/

Handshake failed because the server does not want to accept the enabled SSL/TLS protocol versions.
Make sure your internet connection is active and check whether other applications that rely on the same connection are working.
Check that the setup of any internet security software is correct and does not interfere with ordinary web browsing.
If you are behind a firewall on a Local Area Network and think this may be causing problems, talk to your systems administrator.
Try pressing the F12 key on your keyboard and disabling proxy servers, unless you know that you are required to use a proxy to connect to the internet. Reload the page.
Need help?
Open the Opera Help.
Go to Opera's online support desk.


I don't have a firewall or am behind a LAN, but I do use Nordvpn and tried to access python.org after exiting the vpn, same result.

I uninstalled openssl and reinstalled it, making sure all the use flags were included, rebooted, but got the same results.

Below is the output of openssl s_client -connect www.python.org:443

Code:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = New Hampshire, L = Wolfeboro, O = Python Software Foundation, CN = www.python.org
verify return:1
write:errno=104
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH9zCCBt+gAwIBAgIQDEqEI45zRFWbuE0eDzGIgzANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDMyODAwMDAwMFoXDTE4MDkyNzEy
MDAwMFowgdgxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMzU5MzAwMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhhbXBzaGlyZTES
MBAGA1UEBxMJV29sZmVib3JvMSMwIQYDVQQKExpQeXRob24gU29mdHdhcmUgRm91
bmRhdGlvbjEXMBUGA1UEAxMOd3d3LnB5dGhvbi5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDB1LZG1YgdWTuFFzVTgBk8HYSupyva2VqB9E3NbGBC
Ys5UPHzAl+aoiV6+by9kTEyFuV6GWOm3Lmtm9MRgCbEyKOC8du4nys2iA7Po24XR
BgZT0dGoLR8b7+DUFwYTaFGFfCsJu+t02buVfeDmfh3DVRtmYvhkSff2/mZLQUDf
bB+AyDauW5jKNpTK3HEAz6VapUxNfFJ5b4dEDS3KwUw28nl7UKny2T92nge9pOtc
HVr1biJEZualZKrdRdf96soss93l2o43Ve3qnS4Bu5obPNq+Sxbr6mlTF2zpZ3Wq
n7NjODIclJIanv6R6JXUP1xYYbzm5NF3K/DcBORuW9fhAgMBAAGjggQdMIIEGTAf
BgNVHSMEGDAWgBQ901Cl1qCt7vNKYApl0yHU+PjWDzAdBgNVHQ4EFgQUaQEj0/XI
KYyyrLVN9NnYEA2n5ZAwggFCBgNVHREEggE5MIIBNYIOd3d3LnB5dGhvbi5vcmeC
D2RvY3MucHl0aG9uLm9yZ4IPYnVncy5weXRob24ub3Jngg93aWtpLnB5dGhvbi5v
cmeCDWhnLnB5dGhvbi5vcmeCD21haWwucHl0aG9uLm9yZ4IPcHlwaS5weXRob24u
b3JnghRwYWNrYWdpbmcucHl0aG9uLm9yZ4IQbG9naW4ucHl0aG9uLm9yZ4ISZGlz
Y3Vzcy5weXRob24ub3Jnggx1cy5weWNvbi5vcmeCB3B5cGkuaW+CDGRvY3MucHlw
aS5pb4IIcHlwaS5vcmeCDWRvY3MucHlwaS5vcmeCD2RvbmF0ZS5weXBpLm9yZ4IT
ZGV2Z3VpZGUucHl0aG9uLm9yZ4ITd3d3LmJ1Z3MucHl0aG9uLm9yZ4IKcHl0aG9u
Lm9yZzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9z
aGEyLWV2LXNlcnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
LmNvbS9zaGEyLWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1s
AgEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAH
BgVngQwBATCBiAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
cC5kaWdpY2VydC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2lj
ZXJ0LmNvbS9EaWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5j
cnQwDAYDVR0TAQH/BAIwADCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2ALvZ37wf
inG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABYm2XOKQAAAQDAEcwRQIhAP8A
JukLZLaIMulwFxQHFGoreXVLx397sDgl+XPt8y6oAiBBnYbAzjXczq6hoBuqSkes
YCJ/h5uuNw/tu8OU8csbbQB1AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXW
idDdAAABYm2XOKEAAAQDAEYwRAIgJXNv6y7sMRPITc3/ntSX5VIY7RPtq9y1tZhM
adthbjgCICLiyFxrsiRqUUeeBGNvte7YB4VJLhbEnahdkzkmKXBRMA0GCSqGSIb3
DQEBCwUAA4IBAQBawAzb80VNpXwfSiUqxN1QxrV5/dNfrrdnyOHGNwyucSI8k2pK
5VPkSvdCvKn+nSQ3dfpLy8w4kdDW8H4uuO5XwoIBhKyPQSypVe+Rfy7VhNhdwYX/
fhSkmQZCyCRmvkEStJ/gFr0C66INZNXmN+89nsDr+Omqd5U7JPbaJ1xOFFv2uF37
KR/9v04l7k0Ob4KkUj58Ya3Up9risok7hkCcyOtEM9mA9XQ14zhmqOXk+yPL98kB
rgypeNHNsPRv1woG60+M5kRN+yUAuYRS+6EJvvmL74+ZRFjZ1Ww9z/nqopcUpG+3
OVtSWCKzwcEQkezlB5p9dzKIQ/1oiZSAZo39
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3655 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: 4AEB49D0336B3E65159CEFE678D85B46A5A4F3AF556D67C712643E5A9B0B38E16C5AF9A377B2DF7BA934AD083B64DA88
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1532294823
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---


Honestly I really don't know how to interpret this output, I found the command while looking for information on how to troubleshoot openssl, but I hope it may be of use.

Any help would be greatly appreciated.
Back to top
View user's profile Send private message
LIsLinuxIsSogood
Veteran
Veteran


Joined: 13 Feb 2016
Posts: 1077

PostPosted: Tue Jul 24, 2018 7:04 am    Post subject: Reply with quote

Opera 12 is limited I think in the ability to process secure transactions with websites. I have experienced this on a desktop of mine where I still have both opera and opera-beta installed. Try installing opera-beta, as long as you are not worried about the overhead of storage space and resources used like CPU and RAM.

EDIT: I just remembered you should probably also check if installing firefox-bin, would fix it...or please include some more package information about the currently installed version of firefox maybe. (emerge --info firefox, for example)
Back to top
View user's profile Send private message
micaldas
n00b
n00b


Joined: 12 Mar 2018
Posts: 37

PostPosted: Tue Jul 24, 2018 6:01 pm    Post subject: Reply with quote

Hi and thank you for taking the time to answer.

I already have firefox-bin installed. Version 60.1.0

The out put of emerge --info firefox is the following:

Code:
www-client/firefox-52.8.0::gentoo was built with the following:
USE="gmp-autoupdate jemalloc pulseaudio -bindist -custom-cflags -custom-optimization -dbus -debug -eme-free -gtk2 -hardened -hwaccel -jack (-neon) -pgo (-rust) (-selinux) -startup-notification (-system-cairo) -system-harfbuzz -system-icu -system-jpeg -system-libevent -system-libvpx -system-sqlite -test -wifi" L10N="-ach -af -an -ar -as -ast -az -bg -bn-BD -bn-IN -br -bs -ca -cak -cs -cy -da -de -dsb -el -en-GB -en-ZA -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -ff -fi -fr -fy -ga -gd -gl -gn -gu -he -hi -hr -hsb -hu -hy -id -is -it -ja -ka -kab -kk -km -kn -ko -lij -lt -lv -mai -mk -ml -mr -ms -nb -nl -nn -or -pa -pl -pt-BR -pt-PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv -ta -te -th -tr -uk -uz -vi -xh -zh-CN -zh-TW"
CFLAGS="-march=native -pipe"
CXXFLAGS="-march=native -pipe -fno-delete-null-pointer-checks -fno-lifetime-dse -fno-schedule-insns2"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-rpath=/usr/lib64/firefox,--enable-new-dtags"


The problem is not Opera, as I had the same problem with firefox 52.8.0.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14159

PostPosted: Wed Jul 25, 2018 1:24 am    Post subject: Reply with quote

What is the output of emerge -pv dev-libs/openssl dev-libs/nss?
Back to top
View user's profile Send private message
micaldas
n00b
n00b


Joined: 12 Mar 2018
Posts: 37

PostPosted: Thu Jul 26, 2018 2:37 am    Post subject: Reply with quote

Hi Hu,

The output is this,

Code:
The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by app-crypt/rhash-1.3.5::gentoo[ssl,-libressl]
# required by dev-util/cmake-3.9.6::gentoo
# required by media-gfx/graphite2-1.3.10::gentoo
# required by media-libs/harfbuzz-1.7.6::gentoo[graphite]
# required by x11-libs/pango-1.40.14-r1::gentoo
# required by x11-libs/vte-0.48.4::gentoo
# required by x11-terms/terminator-1.91::gentoo
# required by @selected
# required by @world (argument)
# /usr/portage/profiles/package.mask:
# Lars Wendler <polynomial-c@gentoo.org> (26 Aug 2016)
# Masked while being tested and reverse deps aren't fully compatible
=dev-libs/openssl-1.1.1_pre8

NOTE: The --autounmask-keep-masks option will prevent emerge
      from creating package.unmask or ** keyword changes.

 * In order to avoid wasting time, backtracking has terminated early
 * due to the above autounmask change(s). The --autounmask-backtrack=y
 * option can be used to force further backtracking, but there is no
 * guarantee that it will produce a solution.


I'm now convinced that the problem is not in Gentoo.
Today I had to reinstall Sackware on a another computer and, after I did it, I saw that it had the exact same problem. Also I noticed that the problem is not specific to Pythons' site. I had the same situation when I tried to go to Perl's and Ruby's site. I have no problem at all going to any other sites but these.
Back to top
View user's profile Send private message
LIsLinuxIsSogood
Veteran
Veteran


Joined: 13 Feb 2016
Posts: 1077

PostPosted: Fri Aug 17, 2018 12:22 am    Post subject: Reply with quote

So what you are saying is that there is a conspiracy among those three programming languages and their web admins to specifically prevent you or some group of people from having a good experience with browsing the web??? Probably not. :? Although I would suspect that a more thorough set of tests (from a web usability standpoint should be) to check the situation from some other browsers as well, like have you tried: Opera, IE, Chromium, Safari and some of the smaller ones too that do not have the same capabilities, e.g. for JS and other revisions to newer web standards? Checking from at least one of each would be good before jumping to any conclusions about how those sites operate on just any linux computer. If you want to I would suggest looking at the list of packages in the portion of the tree that is located in gentoo main repo within www-client/*
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 4258
Location: Dallas area

PostPosted: Fri Aug 17, 2018 12:41 am    Post subject: Reply with quote

quit trying to use openssl 1.1.*
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum