On Wed, May 18, 2022 at 01:28:31AM -0400, Nathan Stratton Treadway wrote:

> Thus, I believe Xenial's tinc 1.0.26 is attempting to use
> EVP_bf_ofb()/EVP_sha1() when setting up the metadata connection -- and
> that nothing else related to the metadata connection setup changed
> between 1.0.26 and 1.0.33....

That's correct.

> According to
> https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
> , Blowfish is part of the legacy provider in libssl3, so it makes sense
> that it's not available by default on the Jammy node.
>
> However, as far as I can tell this does get successfully enabled when my
> openssl.cnf override-file is in place (on the Jammy node):

[...]

> I am not sure how many bits of security the EVP_bf_ofb() algorithm is
> considered to have, but it seems I need to have "CipherString =
> DEFAULT:@SECLEVEL=1" in my override file in order to get past the
> "digital envelope routines::unsupported" error during metadata
> negotiation.

That's weird; why would you need to set that yourself... But very nice work in finding this out!

> Does anyone have any suggestions of additional changes to either the
> openssl.cnf override file on the Jammy node or the Tinc config files
> that would allow Xenial and Jammy nodes to interoperate on the network
> while we work to upgrade all the old network nodes?

This is very annoying of course, but I don't see any option but to either upgrade tinc on Xenial or to downgrade tinc's OpenSSL library on Jammy. Upgrading tinc on Xenial might be the easiest option: it means just compiling a newer version of tinc on Xenial that has AES and SHA256 as the default algorithms for meta-connections, and using that instead of the binary from the tinc package that comes with Xenial. I think it should still work with the OpenSSL library provided by Xenial.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <g...@tinc-vpn.org>
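An added example, not part of this thread and not tinc's or Nathan's own configuration: the shape of an OpenSSL 3 override file that activates the legacy provider (where Blowfish now lives) and sets `CipherString = DEFAULT:@SECLEVEL=1`, next to a small probe that reproduces the "digital envelope routines::unsupported" failure without the override and confirms that `bf-ofb` becomes usable with it. The config section names follow the layout of Ubuntu's stock openssl.cnf; the dummy key/IV are constructed, and scoping the file to the tinc service through `OPENSSL_CONF` (rather than editing the system-wide /etc/ssl/openssl.cnf) is an assumption about deployment, not something the thread describes.

```shell
# Added example (not from the tinc list thread): OpenSSL 3 legacy override for
# tinc 1.0.x metadata connections, plus a probe that shows the effect.
# Section names, OPENSSL_CONF scoping and the probe key/IV are assumptions.

# Emit a config that loads the legacy provider (Blowfish, etc.) alongside the
# default provider and lowers the security level to 1, so that
# EVP_bf_ofb()/EVP_sha1() are accepted again. This keeps a 64-bit-block cipher
# alive on the host, so it should be a bridge until the Xenial nodes are gone.
tinc_legacy_openssl_cnf() {
cat <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

# Run one Blowfish-OFB encryption through the openssl CLI, either with the
# system default config ("" as argument) or with the given override file.
# Returns openssl's exit status: 0 means bf-ofb was usable, non-zero means the
# legacy provider was not loaded (the "unsupported" error from the thread).
probe_bf_ofb() {
    # Constructed dummy 128-bit key and 64-bit IV (Blowfish block size is 64 bits).
    if [ -n "$1" ]; then
        printf 'probe' | OPENSSL_CONF="$1" openssl enc -bf-ofb \
            -K 00112233445566778899aabbccddeeff -iv 0011223344556677 >/dev/null 2>&1
    else
        printf 'probe' | openssl enc -bf-ofb \
            -K 00112233445566778899aabbccddeeff -iv 0011223344556677 >/dev/null 2>&1
    fi
}

# Show both outcomes side by side. In a real deployment, point only the tinc
# service at the file (for example Environment=OPENSSL_CONF=/etc/tinc/openssl-legacy.cnf
# in a systemd drop-in; an assumption) instead of loosening OpenSSL host-wide.
demo() {
    cnf=$(mktemp) || return 1
    tinc_legacy_openssl_cnf > "$cnf"
    if probe_bf_ofb ""; then
        echo "system default: bf-ofb usable (legacy provider already active)"
    else
        echo "system default: bf-ofb unsupported (expected on stock OpenSSL 3)"
    fi
    if probe_bf_ofb "$cnf"; then
        echo "override file:  bf-ofb usable"
    else
        echo "override file:  bf-ofb still unsupported (is the legacy provider module installed?)"
    fi
    rm -f "$cnf"
}

demo
```

The probe uses the `openssl enc` CLI because it loads the same provider configuration as a library user would, so a failing first line and a passing second line is the expected picture on a stock Jammy node; if both fail, the legacy provider module itself is missing rather than the config being wrong.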
_______________________________________________
tinc mailing list
tinc@tinc-vpn.org
https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc