Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
- Original Message -
From: "Sebastian Andrzej Siewior"
To: "Arthur Marsh"
Cc:
Sent: Mon, 20 Jun 2022 19:16:36 +0200
Subject: Re: Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7

On 2022-06-20 19:10:27 [+0200], To Arthur Marsh wrote:
> I have here
> telnet-ssl 0.17.41+0.2-3.3+b1
> telnetd-ssl 0.17.41+0.2-3.3+b1
> libssl3 3.0.3-8
> openssl 3.0.3-8

adding
 ckermit 305~alpha07-1+b1

When upgrading telnetd-ssl (017.41+0.2-3.3+b1) over (0.17.41+0.2-3.3) I received the line:

You already have /etc/telnetd-ssl/telnetd.pem

After upgrading both telnetd-ssl as above and openssl (3.0.3-8) over (3.0.3-6), I still had telnet-ssl localhost failing:

$ telnet-ssl localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Error loading CRT /etc/telnetd-ssl/telnetd.pem: , ee key too small
do_ssleay_init() failed
408788F4E87F:error:0A00018F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:221:
Connection closed by foreign host.

ckermit run as a symbolic link from telnet also was unsuccessful:

$ telnet localhost
DNS Lookup... Trying 127.0.0.1... Reverse DNS Lookup... (OK)
localhost connected on port telnet
?Connection closed by peer.
can't open host connection
Closing localhost:23...OK

I renamed /etc/telnetd-ssl/telnetd.pem to /etc/telnetd-ssl/oldtelnetd-ssl.pem and re-installed telnetd-ssl 0.17.41+0.2-3.3+b1

telnetd-ssl still failed:

$ telnet-ssl localhost
xprop: unable to open display '127.0.0.1:0'
Trying ::1..
Connected to localhost.
Escape character is '^]'.
telnetd: SSL required - connection rejected.
Connection closed by foreign host.

but ckermit run as a symbolic link from telnet now works:

$ telnet localhost
xprop: unable to open display '127.0.0.1:0'
DNS Lookup... Trying 127.0.0.1... Reverse DNS Lookup... (OK)
localhost connected on port telnet
Authenticating with SSL
Warning: Server has a self-signed certificate
[0] Certificate Subject=
O=Internet Widgits Pty Ltd
OU=am64 telnetd
CN=am64
emailAddress=root@am64
[0] Certificate Issuer=
O=Internet Widgits Pty Ltd
OU=am64 telnetd
CN=am64
emailAddress=root@am64
Continue? (Y/N) y
[TLS - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
Compression: None
Password:

This solves the issue I was having and the /etc/telnetd-ssl/telnetd.pem "ee key too small" may be a clue to what was causing problems for me.

Thanks for your time looking at this.

Arthur Marsh.
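
Added example, not part of the thread: "ee key too small" is the error OpenSSL raises when a certificate's public key is below the minimum for the active security level. The Python code below reads the RSA modulus size from the CERTIFICATE block of a PEM file and returns the highest security level that would still accept it. Assumptions: the minimum sizes are taken from OpenSSL's documentation, the function names are hypothetical, and the sample certificate is a constructed, unsigned skeleton; the thread does not state the old key's size or the configured level.

```python
import base64, re

MIN_RSA_BITS = {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}  # level -> min modulus bits
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def children(buf, start, end):  # elements directly inside buf[start:end]
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_bits(pem_text):
    """RSA modulus size of the first CERTIFICATE block (the file may also hold a key)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    tbs = children(der, *tlv(der, 0)[1:])[0]       # Certificate -> tbsCertificate
    f = children(der, *tbs[1:])
    spki = f[6] if f[0][0] == 0xA0 else f[5]       # optional [0] version shifts the index
    alg, key = children(der, *spki[1:])            # AlgorithmIdentifier, BIT STRING
    oid = children(der, *alg[1:])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    rsa = tlv(der, key[1] + 1)                     # skip the BIT STRING unused-bits byte
    mod = children(der, *rsa[1:])[0]               # RSAPublicKey: modulus, exponent
    return int.from_bytes(der[mod[1]:mod[2]], "big").bit_length()

def max_seclevel(bits):
    """Highest security level that accepts an RSA key of this size (0 if below level 1)."""
    return max((lvl for lvl, need in MIN_RSA_BITS.items() if bits >= need), default=0)

def enc(tag, val):  # DER-encode one element; used only to build the constructed sample
    n, k = len(val), (len(val).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + val

def sample_pem(bits):
    """Constructed, unsigned certificate skeleton carrying an RSA modulus of `bits` bits."""
    rsa = enc(0x30, enc(2, b"\0" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")) + enc(2, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, enc(6, RSA_OID) + enc(5, b"")) + enc(3, b"\0" + rsa))
    tbs = enc(0x30, enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + b"\x30\x00" * 4 + spki)
    der = enc(0x30, tbs + b"\x30\x00" + enc(3, b"\0"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

To check a real file, pass its text to `rsa_bits()`, for example the contents of /etc/telnetd-ssl/telnetd.pem, and compare `max_seclevel()` of the result with the level configured for the server.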
Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
On 2022-06-20 19:10:27 [+0200], To Arthur Marsh wrote:
> I have here
> telnet-ssl 0.17.41+0.2-3.3+b1
> telnetd-ssl 0.17.41+0.2-3.3+b1
> libssl3 3.0.3-8
> openssl 3.0.3-8

adding
 ckermit 305~alpha07-1+b1

and then:

| ~$ kermit
| C-Kermit 9.0.305 OPEN SOURCE: Alpha.07, 24 Jan 2022, for Linux+SSL (64-bit)
|  Copyright (C) 1985, 2022,
|   Trustees of Columbia University in the City of New York.
| Type ? or HELP for help.
| (~/) C-Kermit>help
|
| C-Kermit 9.0.305 OPEN SOURCE: Alpha.07, 24 Jan 2022, Copyright (C) 1985, 2022,
|   Trustees of Columbia University in the City of New York.
|
|   Type EXIT    to exit.
|   Type INTRO   for a brief introduction to C-Kermit.
|   Type LICENSE to see the C-Kermit license.
|   Type HELP    followed by a command name for help about a specific command.
|   Type MANUAL  to access the C-Kermit manual page.
|   Type NEWS    for news about new features.
|   Type SUPPORT to learn how to get technical support.
|   Press ?      (question mark) at the prompt, or anywhere within a command,
|                for a menu (context-sensitive help, menu on demand).
|
|   Type HELP OPTIONS for help with command-line options.
|
| DOCUMENTATION: "Using C-Kermit" by Frank da Cruz and Christine M. Gianone,
| 2nd Edition, Digital Press / Butterworth-Heinemann 1997, ISBN 1-8-164-1,
| plus supplements at http://www.kermitproject.org/ckermit.html#doc.
|
| (~/) C-Kermit>telnet /auth:ssl debsidi386
|  DNS Lookup...  Trying 172.123.10.178...  Reverse DNS Lookup... (OK)
| Authenticating with SSL
| Warning: Server has a self-signed certificate
| [0] Certificate Subject=
| O=breakpoint.cc
| OU=debsidi386 telnetd
| CN=debsidi386.breakpoint.cc
| emailAddress=r...@debsidi386.breakpoint.cc
| [0] Certificate Issuer=
| O=breakpoint.cc
| OU=debsidi386 telnetd
| CN=debsidi386.breakpoint.cc
| emailAddress=r...@debsidi386.breakpoint.cc
| Continue? (Y/N) y
| [TLS - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
| Compression: None
| Connecting to host debsidi386.breakpoint.cc:23
|  Escape character: Ctrl-\ (ASCII 28, FS): enabled
| Type the escape character followed by C to get back,
| or followed by ? to see other options.
| 
| Password:
| Linux debsidi386 5.18.0-2-686-pae #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1 (2022-06-16) i686
|
| The programs included with the Debian GNU/Linux system are free software;
| the exact distribution terms for each program are described in the
| individual files in /usr/share/doc/*/copyright.
|
| Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
| permitted by applicable law.
| Last login: Mon Jun 20 18:50:36 CEST 2022 from 172.123.10.9 on pts/0
| You have mail.
| bigeasy@debsidi386:~$

so I'm in the mood of closing this bug.

Sebastian
Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
On 2022-06-16 11:33:13 [+0930], Arthur Marsh wrote:
>* What led up to the situation?
>
> I also found that telnet-ssl and ckermit could not connect to telnetd-ssl
> if openssl 3.0.3-8 was installed.
>
>* What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> If I kept openssl at version 3.0.3-6, both ckermit and telnet-ssl could
> connect to telnetd-ssl.

I have here
 telnet-ssl 0.17.41+0.2-3.3+b1
 telnetd-ssl 0.17.41+0.2-3.3+b1
 libssl3 3.0.3-8
 openssl 3.0.3-8

and then this happens:

| ~$ telnet-ssl debsidi386
| Trying 172.123.10.178...
| Connected to debsidi386.breakpoint.cc.
| Escape character is '^]'.
| [SSL - attempting to switch on SSL]
| [SSL - handshake starting]
| SSL: Server has a self-signed certificate
| SSL: unknown Issuer: /O=breakpoint.cc/OU=debsidi386 telnetd/CN=debsidi386.breakpoint.cc/emailAddress=r...@debsidi386.breakpoint.cc
| [SSL - OK]
| Debian GNU/Linux bookworm/sid
| debsidi386 login: root
| Password:
| Linux debsidi386 5.18.0-2-686-pae #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1 (2022-06-16) i686
|
| The programs included with the Debian GNU/Linux system are free software;
| the exact distribution terms for each program are described in the
| individual files in /usr/share/doc/*/copyright.
|
| Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
| permitted by applicable law.
| Last login: Sun Feb 9 19:59:50 CET 2020 on tty1
| root@debsidi386:~#

so at least telnet-ssl + telnetd-ssl works. Can you confirm?

Sebastian
Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
Package: openssl
Version: 3.0.3-8
Followup-For: Bug #1012564

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

I also found that telnet-ssl and ckermit could not connect to telnetd-ssl
if openssl 3.0.3-8 was installed.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

If I kept openssl at version 3.0.3-6, both ckermit and telnet-ssl could
connect to telnetd-ssl.

   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: bookworm/sid
  APT prefers experimental
  APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-rc2+ (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssl depends on:
ii  libc6    2.33-7
ii  libssl3  3.0.3-8

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20211016

-- no debconf information
Bug#1012564: [Pkg-openssl-devel] Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
On 10 June 2022 3:51:29 am ACST, Sebastian Andrzej Siewior wrote:
>On 2022-06-09 23:18:07 [+0930], Arthur Marsh wrote:
>…
>> *** Reporter, please consider answering these questions, where appropriate
>> ***
>>
>>* What led up to the situation?
>>
>> Upgrading openssl, libssl3 to 3.0.3-7 from 3.0.3-6 on host system prevented
>> ckermit 305~alpha07-1+b1 on client system with libssl3 3.0.3-6 from
>> connecting to telnetd-ssl 0.17.41+0.2-3.3 on host system.
>>
>>
>>* What exactly did you do (or not do) that was effective (or
>> ineffective)?
>>
>> I first downgraded libssl3 from 3.0.3-7 on host system to 3.0.3-6 but that
>> didn't resolve the issue. After I downgraded openssl from 3.0.3-7 to 3.0.3-6
>> on the host system, I was able to connect from the client system which still
>> runs openssl 3.0.3-6 and libssl3 3.0.3-6.
>
>How do I setup a telnet-ssl server to begin with?
>I installed telnetd-ssl from testing just to be sure and
> telnet -z ssl localhost
>
>does nothing. Any idea?
>
>Sebastian

Hi, I was using ckermit as the telnet client, with a symbolic link from /usr/local/bin/telnet to /usr/bin/kermit

Alternatively, simply run kermit and at the C-Kermit prompt enter:

telnet localhost

If using telnet from package telnet-ssl, one can connect using:

telnet 127.0.0.1

(provided you are not doing so as root).

Hope this helps,

Arthur.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Bug#1012564: [Pkg-openssl-devel] Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
On 2022-06-09 23:18:07 [+0930], Arthur Marsh wrote:
…
> *** Reporter, please consider answering these questions, where appropriate ***
>
>* What led up to the situation?
>
> Upgrading openssl, libssl3 to 3.0.3-7 from 3.0.3-6 on host system prevented
> ckermit 305~alpha07-1+b1 on client system with libssl3 3.0.3-6 from
> connecting to telnetd-ssl 0.17.41+0.2-3.3 on host system.
>
>
>* What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> I first downgraded libssl3 from 3.0.3-7 on host system to 3.0.3-6 but that
> didn't resolve the issue. After I downgraded openssl from 3.0.3-7 to 3.0.3-6
> on the host system, I was able to connect from the client system which still
> runs openssl 3.0.3-6 and libssl3 3.0.3-6.

How do I setup a telnet-ssl server to begin with?
I installed telnetd-ssl from testing just to be sure and
 telnet -z ssl localhost

does nothing. Any idea?

Sebastian
Bug#1012564: openssl: ckermit can't connect to telnetd-ssl with openssl 3.0.3-7
Package: openssl
Version: 3.0.3-7
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Upgrading openssl, libssl3 to 3.0.3-7 from 3.0.3-6 on host system prevented
ckermit 305~alpha07-1+b1 on client system with libssl3 3.0.3-6 from
connecting to telnetd-ssl 0.17.41+0.2-3.3 on host system.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I first downgraded libssl3 from 3.0.3-7 on host system to 3.0.3-6 but that
didn't resolve the issue. After I downgraded openssl from 3.0.3-7 to 3.0.3-6
on the host system, I was able to connect from the client system which still
runs openssl 3.0.3-6 and libssl3 3.0.3-6.

Note, I am NOT running telnetd-ssl 0.17.41+0.2-3.3+b1 due to bug #1010968

   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: bookworm/sid
  APT prefers experimental
  APT policy: (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-rc1+ (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssl depends on:
ii  libc6    2.33-7
ii  libssl3  3.0.3-6

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20211016

-- no debconf information