TLS handshake troubles: ssl.irc.perl.org

From: James Cook Sun, 2 Jul 2023 23:25:23 +0000

Hi list,

I'm trying to connect to ssl.irc.perl.org [0]. Pounce 3.1 dies with the
following error when I try to connect:

	pounce: tls_handshake: handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

After a bit of uninformed debugging, I found that adding a call
	tls_config_set_ciphers(config, "compat")
(or, being more specific,
	tls_config_set_ciphers(config, "AES256-GCM-SHA384")
) to serverConfig (just before the call to tls_configure) fixes the
problem.

Should that change be added to the pounce source? I don't understand the
implications of allowing "compat" ciphers (I guess they're considered a
bit less secure than the default "secure" category?) and am hoping
someone here is more knowledgable about that sort of thing.

I guess I should nag the irc.perl.org admins that some TLS library is
probably out of date, but I don't really understand the severity of the
issue.

-- 
James

[0] port 7062; see https://www.irc.perl.org/

[patch] allow "compat" cyphers (was Re: TLS handshake troubles: ssl.irc.perl.org)

From: James Cook Tue, 4 Jul 2023 21:16:12 +0000

To: list+pounce

On Sun, Jul 02, 2023 at 11:25:23PM +0000, James Cook wrote:
> Hi list,
> 
> I'm trying to connect to ssl.irc.perl.org [0]. Pounce 3.1 dies with the
> following error when I try to connect:
> 
> 	pounce: tls_handshake: handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
> 
> After a bit of uninformed debugging, I found that adding a call
> 	tls_config_set_ciphers(config, "compat")
> (or, being more specific,
> 	tls_config_set_ciphers(config, "AES256-GCM-SHA384")
> ) to serverConfig (just before the call to tls_configure) fixes the
> problem.
> 
> Should that change be added to the pounce source? I don't understand the
> implications of allowing "compat" ciphers (I guess they're considered a
> bit less secure than the default "secure" category?) and am hoping
> someone here is more knowledgable about that sort of thing.
> 
> I guess I should nag the irc.perl.org admins that some TLS library is
> probably out of date, but I don't really understand the severity of the
> issue.
> 
> -- 
> James
> 
> [0] port 7062; see https://www.irc.perl.org/

Here's a patch that's working for me so far.

-- 
James

diff --git a/server.c b/server.c
index 9d7be14..f932b9b 100644
--- a/server.c
+++ b/server.c
@@ -88,6 +88,9 @@ void serverConfig(
 	client = tls_client();
 	if (!client) errx(EX_SOFTWARE, "tls_client");
 
+	error = tls_config_set_ciphers(config, "compat");
+	if (error) errx(EX_SOFTWARE, "tls_config_set_ciphers");
+
 	error = tls_configure(client, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(client));
 }