On Wed, May 18, 2022 at 08:16:53 +0200, Guus Sliepen wrote:
> On Wed, May 18, 2022 at 01:28:31AM -0400, Nathan Stratton Treadway wrote:
>
> > Thus, I believe Xenial's tinc 1.0.26 is attempting to use
> > EVP_bf_ofb()/EVP_sha1() when setting up the metadata connection -- and
> > that nothing else related to the metadata connection setup changed
> > between 1.0.26 and 1.0.33....
>
> That's correct.

It turns out that upstream OpenSSL had a bug affecting the Blowfish
algorithm in early releases of libssl3:

  "OpenSSL 3 cannot decrypt data encrypted with OpenSSL 1.1 with blowfish
  in OFB or CFB modes #18359"
  https://github.com/openssl/openssl/issues/18359

This bug was fixed in libssl3 3.0.4, and thus tincd (v1.0.36-2build1)
running on an Ubuntu Kinetic system with up-to-date libssl3 packages
installed can now establish a metadata connection with tinc nodes
running Xenial's tinc (v1.0.26/libssl1.1).

I've opened a request for the upstream fix to be backported to libssl3
in Jammy; presumably once that happens tinc (also v1.0.36-2build) will
start working in Jammy as well....

  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1990216

> > I am not sure how many bits of security the EVP_bf_ofb() algorithm is
> > considered to have, but it seems I need to have "CipherString =
> > DEFAULT:@SECLEVEL=1" in my override file in order to get past the
> > "digital envelope routines::unsupported" error during metadata
> > negotiation.
>
> That's weird, why would you need to set that yourself... But very nice
> work in finding this out!

(With the fix for the Blowfish implementation in place, the SECLEVEL=1
adjustment is no longer necessary -- the only special configuration
needed on the Jammy node is the activation of the legacy provider.)

						Nathan
----------------------------------------------------------------------------
Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
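As an added illustration (not part of Nathan's message, the tinc project or the OpenSSL issue), this is the OpenSSL 3 configuration that activates the legacy provider alongside the default provider, which is what a Jammy node needs so that Blowfish (a legacy algorithm in OpenSSL 3) is available to tinc; the file path is an assumption, and the SECLEVEL=1 workaround from the thread is deliberately left out.

```ini
# Added example: OpenSSL 3 configuration that activates the legacy provider
# (where BF-OFB lives in OpenSSL 3) next to the default provider.
# Assumed location: a file pointed to by OPENSSL_CONF, or merged into the
# system openssl.cnf.  The "CipherString = DEFAULT:@SECLEVEL=1" override
# discussed in the thread is intentionally absent: with libssl3 >= 3.0.4
# (the Blowfish OFB/CFB fix) it is no longer required.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
# Keep the default provider active; activating only "legacy" would break
# every modern algorithm the rest of the system relies on.
activate = 1

[legacy_sect]
activate = 1
```

With this file in effect, `openssl list -providers` should report both the default and the legacy provider, and `openssl list -cipher-algorithms` should include BF-OFB; if the metadata connection still fails, check that the libssl3 package on the OpenSSL 3 side is at least 3.0.4 rather than re-adding the SECLEVEL override.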