[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
** Changed in: openssl Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Fix Released Status in openssl package in Ubuntu: Invalid Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
I mean, the bug is three years old and presumably by now the vast majority of web sites have renewed their certificates and the new ones are compatible with SECLEVEL=2 since all of the signing authorities stopped issuing incompatible ones years ago, so it's kind of moot at this point. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Invalid Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Looking at the bug report opened upstream ( https://github.com/openssl/openssl/issues/11236 ), this is considered a bug on the server side and I'm inclined to follow openssl upstream on this. Moreover, I've tried all the tests provided in this bug and all have succeeded. I'll mark the bug as Invalid. ** Changed in: openssl (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Invalid Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
the openssl.cnf fix doesn't really work... allows me to connect to sites, but when loading their pages, it takes forever. unusable. Also tried SECLEVEL=0... same. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Also affects me with many HTTPS sites, such as teams.microsoft.com, but haven't been able to post a bug here because SSL or whatever isn't working. I imagine many can't post that it's broken, but tons of websites aren't working in Firefox or chrome or wget for me. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
This bug affects me too, with a client certificate that now "magically" does not match the requirements. Ironically, the error message says only: OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?) although there was no MD5 signature involved at all. So, even when you know that with OpenSSL 1.1, an "SSL security level" has been introduced, and that Ubuntu has set that level to 2, it is hard to find that it deprecates SHA1 now (see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html). Thus, even for more knowledgable people than me this is a major hassle to find and/or fix. I wonder why Ubuntu has chosen to raise the level that high considering that the documentation page contains a clear warning indication: "WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended. This is because the SHA1 algorithm is very widely used in certificates and will be rejected at levels higher than 1 because it only offers 80 bits of security." I think that this is an extremely unwise choice for an OS to make. That being said, here is the fix (also hard to find): In /etc/ssl/openssl.cnf, add this line before the start of the file: openssl_conf = default_conf At the end of the file, add these lines: [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] CipherString = DEFAULT:@SECLEVEL=1 This will bring down the SSL security level to the former level of 1. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
>> You can override this via command-line, a system config file, or a local config file + environment variable pointing to it. Some hints as to how to achieve that "local config file + environment variable" would be extremely useful. I've tried it and got nowhere, although I know that setting SECLEVEL=1 would fix my immediate problem, as I can set it on a command line for openssl s_client. See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1878519 Forcing a minimum SECLEVEL of 2 by default is fine, but there has to be some-way of letting users reduce this when they are talking to external services, or providing services for external clients that cannot, for some reason,change at the moment. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
I've now opened upstream issues about this on the OpenSSL bug tracker. However, todoodle.com could refresh their certificate chain with an up to date G2 godaddy SSL certificate chain, instead of the one that ends on a CA Root certificate which is no longer trustworthy. ** Changed in: openssl (Ubuntu) Importance: Undecided => Low ** Changed in: openssl (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: Confirmed Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
** Bug watch added: github.com/openssl/openssl/issues #11236 https://github.com/openssl/openssl/issues/11236 ** Also affects: openssl via https://github.com/openssl/openssl/issues/11236 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in OpenSSL: Unknown Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
So, in their chain of certs that they present there is still an RSA-SHA1 certificate. It shouldn't affect validation, as the other certs in the chain are sufficient (for example gnutls-cli toodledo.com connects fine) but it does trip up openssl: - Certificate[3] info: - subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20 UTC', pin-sha256="VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=" Now, they could remove that cert from the chain that their server uses. But also they should not need to do this and openssl should just work. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Lifetimes of more than a year is only implemented by Apple on their products. Longevity of the certifications do not matter on Ubuntu. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
There is still something wrong here. The site in question has fixed the issue in response to my query, and SSL Labs now gives it an A grade: https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com According to SSL Labs, it supports these two ciphers for TLS 1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) According to openssl ciphers -s -V, both of these are supported by openssl: $ openssl ciphers -s -V | egrep '0xC0,0x(30|2F)' 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD And yet I'm still unable to connect to this server through openssl unless I downgrade the security level to 1. You mentioned there being an SHA1 certificate in the chain, but I don't see one. The certs all seem to be SHA256. I cannot find any evidence that security level 2 blocks the use of certificates with lifetimes of more than a year. Is that an undocumented "feature" of security level 2? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Fair enough, I will contact the web site maintainer. However, regarding this: >You can override this via command-line, a system config file, or a local >config file + environment variable pointing to it. > >On Ubuntu 20.04 LTS: > >man SSL_CTX_get_security_level.3ssl 1) I searched high, low, and sideways, and couldn't find any documentation of how to override this via a config file or environment variable. Regarding command line, I imagine that is going to be different for each program, and I did manage to figure out how to do it for curl, but it took a huge amount of educated effort that the vast majority of users are not going to be able to figure out. 2) I don't know what deb the man pages for the OpenSSL API are in, but whichever one it is, it's not in the package install set that most people get. That man page is not available on my system, for example. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
About the server: - It's certificate is valid for 2 years, and Apple has started to rejecting any servers for which certificate is valid for more than 13 months. - It has a SHA1withRSA certificate in its chain, which will be rejected by all clients soon. - It supports many weak TLSv1.2 ciphersuites - It is susceptible to OpenSSL 0-Length attack Please contact the administrators of said website to secure it immediately & acquire certificate with shorter timespan and no SHA1 signatures. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
The browsers will require SECLEVEL=2 from April 2020, the change in libraries has already landed. You can override this via command-line, a system config file, or a local config file + environment variable pointing to it. On Ubuntu 20.04 LTS: man SSL_CTX_get_security_level.3ssl does have: -- Level 2 On Ubuntu, TLS versions below 1.2 are not permitted. NOTES The default security level can be configured when OpenSSL is compiled by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. On Ubuntu, 2 is used. -- In addition to having TLSv1.2 min, DTLSv1.2 min, bigger keys ie 2048 bit RSA, we are still to land requirement to reject SHA1 signatures on certs. This is an intentional change. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Aha! `curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://www.toodledo.com/` works but `curl -v --ciphers 'DEFAULT:@SECLEVEL=2' https://www.toodledo.com/` fails. According to https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html, the default security level for the library is 1 if it isn't specified at compile time. Has Canonical made a decision to set a higher security level by default? Oh, wait, it appears that yes it has. `openssl version -a` says `-DOPENSSL_TLS_SECURITY_LEVEL=2`. It appears that this was an intentional change? I question the advisability of this, especially since it doesn't appear that there's any way to override it in a configuration file (is there?). I am not sure it is advisable for command-line tools in the OS to have stricter security level requirements than users' browsers? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
I may be misunderstanding something, but as far as I can tell this is not a cipher mismatch problem. According to https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com, the site supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. According to "openssl ciphers", openssl supports ECDHE-RSA-AES128-GCM-SHA256, which apperas to be the same thing. But `curl -v --ciphers ECDHE-RSA-AES128 -GCM-SHA256 --tlsv1.2 --tls-max 1.2 https://www.toodledo.com/` still fails. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Example output: jik@jik-x1:~$ curl -v https://www.toodledo.com/ * Trying 146.20.52.175:443... * TCP_NODELAY set * Connected to www.toodledo.com (146.20.52.175) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS alert, handshake failure (552): * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure * Closing connection 0 curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1864689 Title: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox Status in openssl package in Ubuntu: New Bug description: openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to connect to. Reproduce with: `curl -v https://www.toodledo.com/' or: `openssl s_client -connect www.toodledo.com:443` or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/";)'` or: `wget https://www.toodledo.com/` These worked in Ubuntu 19.10 and don't work in 20.04. I've tried all sorts of things to debug this further and I've just run into walls. I hope someone who understands more about this stuff will be able to figure it out. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssl 1.1.1d-2ubuntu3 ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18 Uname: Linux 5.4.0-14-generic x86_64 ApportVersion: 2.20.11-0ubuntu18 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Feb 25 13:01:22 2020 InstallationDate: Installed on 2019-08-16 (192 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssl UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp