On 2018-11-28 21:25:45 [+0100], Petter Reinholdtsen wrote:
> The upgrade from openssl version 1.1.0h-4 to 1.1.1-1 breaks pagekite on
> the FreedomBox. After a debug session with the pagekite author I
> discovered the reason is changes in /etc/ssl/openssl.cfg, which now
> block connection to the pagekite.net services.

Nitpick: .cnf, not .cfg.

> The following change got the pagekite service working again.
>
> The backdrop for this issue is that some of the pagekite.net servers are
> running fairly old software that cannot be quickly reconfigured to work
> with newer versions of TLS. This makes fixing it on the server side
> unlikely to happen any time soon.

The server still supports SSLv3. Even if nobody wants to touch the server, I would suggest that disabling SSLv3 be a priority.

> CC to the openssl and freedombox teams to make them aware of the issue.

We tried to cover this in /usr/share/doc/libssl1.1/NEWS.Debian.gz

> The following patch got pagekite working again:
>
> diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
> index d155d1e..309081a 100644
> --- a/ssl/openssl.cnf
> +++ b/ssl/openssl.cnf
> @@ -351,12 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain
> be included?
> # (optional, default: no)
> ess_cert_id_alg = sha1 # algorithm to compute certificate
> # identifier (optional, default: sha1)
> -[default_conf]
> -ssl_conf = ssl_sect
> -
> -[ssl_sect]
> -system_default = system_default_sect
> -
> -[system_default_sect]
> -MinProtocol = TLSv1.2
> -CipherString = DEFAULT@SECLEVEL=2
> +#[default_conf]
> +#ssl_conf = ssl_sect
> +#
> +#[ssl_sect]
> +#system_default = system_default_sect
> +#
> +#[system_default_sect]
> +#MinProtocol = TLSv1.2
> +#CipherString = DEFAULT@SECLEVEL=2

You might not need to get rid of everything. Judging by
https://www.ssllabs.com/ssltest/analyze.html?d=pagekite.net it might be enough
to just allow TLS 1.0. You might want to add this override only for pagekite
and not system-wide.

Sebastian
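Review bot: the hunk in openssl.cnf comments out the entire [default_conf] / [ssl_sect] / [system_default_sect] chain, so it removes `CipherString = DEFAULT@SECLEVEL=2` along with `MinProtocol = TLSv1.2`, and it does so for every program on the system that loads the default libssl config, not just pagekite. If the only requirement is to reach servers that stop at TLS 1.0, keep the three sections and change the single line `-MinProtocol = TLSv1.2` to `MinProtocol = TLSv1`, leaving the CipherString line untouched; SSLv3 then stays off and the security level is preserved. Better still, put that one relaxed section in a separate config file that only the pagekite process picks up (via OPENSSL_CONF) and leave /etc/ssl/openssl.cnf as shipped.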
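The narrower fix suggested in the reply, as an added example that is not part of the bug report, the reply, or Debian's openssl packaging: a small shell script that writes a per-application OpenSSL config which lowers only MinProtocol (TLSv1.2 to TLSv1) while keeping CipherString = DEFAULT@SECLEVEL=2, points pagekite at it through the OPENSSL_CONF environment variable so the rest of the system keeps the default policy, and probes which protocol versions a server accepts so the override can be kept as narrow as the server actually needs. The path /etc/pagekite.d/openssl.cnf, the function names and the plain `pagekite` command are assumptions; the config body mirrors the [system_default_sect] visible in the quoted patch with one line changed.

```shell
#!/bin/sh
# Added example (not from the bug report, the reply or the Debian package):
# scope a relaxed libssl policy to pagekite instead of editing
# /etc/ssl/openssl.cnf system-wide.
#
# Assumptions not stated on the page: the override lives at
# /etc/pagekite.d/openssl.cnf and pagekite is started with the `pagekite`
# command (or a systemd unit that can carry an Environment= line).
PAGEKITE_OPENSSL_CNF="${PAGEKITE_OPENSSL_CNF:-/etc/pagekite.d/openssl.cnf}"

# Write a complete, stand-alone OpenSSL config. Relative to the Debian
# 1.1.1-1 default only MinProtocol changes (TLSv1.2 -> TLSv1); the
# CipherString/SECLEVEL line stays, unlike the patch in the report, which
# comments out the whole section.
write_pagekite_openssl_cnf() {
    out="$1"
    cat > "$out" <<'EOF'
# Per-application OpenSSL config for pagekite (added example).
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# The only line that differs from the Debian 1.1.1-1 default: allow TLS 1.0
# for the old pagekite.net servers. SSLv3 stays disabled.
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# conf_value FILE KEY: print KEY's value from [system_default_sect], so the
# effective policy can be checked without starting pagekite.
conf_value() {
    sed -n '/^\[system_default_sect\]/,/^\[/p' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# probe_tls_versions HOST [PORT]: try one handshake per protocol version and
# report which ones the server accepts. Needs network access; use it to
# confirm that TLS 1.0 (and nothing older) is what the server requires.
probe_tls_versions() {
    host="$1"; port="${2:-443}"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
                </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected (or not supported by the local openssl build)"
        fi
    done
}

# Start pagekite with the override visible only to this process; every other
# libssl user on the host keeps /etc/ssl/openssl.cnf.
run_pagekite_with_override() {
    OPENSSL_CONF="$PAGEKITE_OPENSSL_CNF" pagekite "$@"
}

# Usage (run as root once, then start the service through the wrapper):
#   write_pagekite_openssl_cnf /etc/pagekite.d/openssl.cnf
#   probe_tls_versions pagekite.net 443
#   run_pagekite_with_override --defaults
```

For a systemd-managed pagekite the same scoping is achieved with `Environment=OPENSSL_CONF=/etc/pagekite.d/openssl.cnf` in a drop-in for the unit instead of the wrapper function. The exact effect of SECLEVEL=2 on the minimum accepted TLS version can differ between OpenSSL builds, so after installing the override confirm with probe_tls_versions (or with the SSL Labs report linked above) that TLS 1.0 is accepted and SSLv3 is not.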