Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-09-24 Thread Jiri Kanicky
Hi,

I confirm this issue. The issue is related to what TLS version the server
supports.


Resolution:

1. downgrade to openssl_1.1.0h-4

2. edit /etc/ssl/openssl.cnf and either comment out the MinProtocol option,
or try different versions from top down until the openvpn connection starts
to work.

I have openvpn connections to NordVPN servers and TLSv1.2 works fine in
most cases. However, the work VPN to Sophos supports only TLSv1.0, so I have
to reduce the version in the openssl.cnf file.

-- 

Jiri



Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-30 Thread Christian Neumann
Hey,

for OpenVPN 2.3.4 on Jessie, the problem is solved for me by enforcing TLS 1.2 
with
tls-version-min 1.2
in the server config.

Best
Christian



Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-28 Thread Günter Frenz
Hi,

On Sun, 26 Aug 2018 16:08:59 +0200 Antonin Kral  wrote:
> * Antonin Kral  [2018-08-25 15:56] wrote:
> > According to https://community.openvpn.net/openvpn/wiki/Hardening , 
> > OpenVPN 2.3.3 and newer should support TLS version negotiation.
> > After some poking around, I have figured that server is running
> > 2.3.4. So one would expect, that TLSv1.2 will work, but it doesn't.
> > TLSv1 is confirmed in log
> > 
> > Sat Aug 25 15:33:33 2018 Control Channel: TLSv1, cipher SSLv3
> > DHE-RSA-AES256-SHA, 2048 bit RSA
> > 
> > I will try to get server upgraded to confirm, that newer version
> > will basically work out of the box.
> 
> I do confirm, that updating server side to a newer version 
> (2.4.0-6+deb9u1 in this case) fully solved the issue and clients are
> now able to negotiate at least TLSv2.

since I can't upgrade the server (running jessie), I downgraded the
client to openssl_1.1.0h-4, which also solved the problem.

Regards

Günter

-- 
---
Günter Frenz
Börschgasse 16a, D-51143 Köln
(h) gu...@guefz.de, gu...@freenet.de
(w) f...@gso-koeln.de
---






Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-25 Thread Antonin Kral
Hi,

thanks a lot, Kurt.

> Anyway, that seems to mean that openvpn only supports TLS 1.0 for
> some reason. I have no idea how openvpn works, but if it uses
> TLS 1.0, it really should switch to 1.2 or 1.3.

According to https://community.openvpn.net/openvpn/wiki/Hardening , OpenVPN 
2.3.3 and newer should support TLS version negotiation. After some poking 
around, I have figured out that the server is running 2.3.4. So one would expect 
that TLSv1.2 would work, but it doesn't. TLSv1 is confirmed in the log:

Sat Aug 25 15:33:33 2018 Control Channel: TLSv1, cipher SSLv3 
DHE-RSA-AES256-SHA, 2048 bit RSA

I will try to get the server upgraded to confirm that the newer version will 
basically work out of the box.

Sorry for unnecessary noise.

Best, Antonin



Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-25 Thread Kurt Roeckx
reassign 907049 openvpn
severity 907049 serious
retitle 907049 openvpn: ssl_choose_client_version:version too low
block 907015 by 907049
thanks

On Sat, Aug 25, 2018 at 02:49:12PM +0200, Samuel Hym wrote:
> > Can you try with:
> > MinProtocol = TLSv1
> > 
> > And with:
> > #MinProtocol = TLSv1.2
> 
> Both options work in my case.
> So I leave the first enabled, I guess it is a bit more secure than
> commenting it out.

If both work, there really isn't much difference.

Anyway, that seems to mean that openvpn only supports TLS 1.0 for
some reason. I have no idea how openvpn works, but if it uses
TLS 1.0, it really should switch to 1.2 or 1.3.


Kurt



Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-25 Thread Samuel Hym
Hi Kurt,

On 23 August 2018 at 22:20, Kurt Roeckx wrote:

> On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> > Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL 
> > routines:ssl_choose_client_version:version too low
> > Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> > Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read 
> > error
> > Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed

I have the same issue.

> This is most likely caused by this in /etc/ssl/openssl.cnf:
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=2
> 
> Does openvpn use DTLS?

I don’t know about that but…

> Can you try with:
> MinProtocol = TLSv1
> 
> And with:
> #MinProtocol = TLSv1.2

Both options work in my case.
So I leave the first enabled, I guess it is a bit more secure than
commenting it out.

Thank you very much!
Samuel



Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

2018-08-23 Thread Kurt Roeckx
clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI
thanks

On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
> 
> Hi,
> 
> I have got openssl 1.1.1~~pre9-1 as it has landed in sid. After upgrading, 
> certain applications are not able to establish a connection. 
> 
> Example of offlineimap:
> 
> ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for 
> repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and
google sending an invalid in case you use TLS 1.3 without SNI. I'm
cloning this bug issue for that.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL 
> routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read 
> error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
> 
> I went through changelogs, but have not seen anything that would help me 
> in debugging the issue. Interestingly, s_client and curl are able to 
> establish a connection even with the new version. Maybe that can be related 
> to a different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Does openvpn use DTLS? I'm guessing that setting any TLS setting
there is causing problems for anything using DTLS.

Can you try with:
MinProtocol = TLSv1

And with:
#MinProtocol = TLSv1.2

I assume the first will still fail, and the latter one will work.
And I'm currently unsure what to do about that, but there are
multiple options.


Kurt
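The thread turns on two configuration knobs: the system-wide `MinProtocol` / `CipherString = DEFAULT@SECLEVEL=2` in `[system_default_sect]` of `/etc/ssl/openssl.cnf` that Kurt points to, and the per-application `tls-version-min 1.2` in the OpenVPN server config that Christian used instead. Several posters resolved the breakage by lowering or commenting out the system-wide floor, which relaxes TLS for every OpenSSL consumer on the host rather than for the one peer that only speaks TLSv1. The script below is an added example (not code from the thread, the Debian package or OpenSSL) that audits an openssl.cnf for exactly that: it follows the `openssl_conf -> ssl_conf -> system_default` chain to the effective section, reports the floor and SECLEVEL, and flags the workaround states discussed above; it also reads the `tls-version-min` floor from an OpenVPN config. The sample config text is constructed in the layout of Debian's 1.1.1 openssl.cnf (only the `[system_default_sect]` lines come from the thread), and the parser handles only the `key = value` / `[section]` subset of the format.

```python
import re

# Ordering of the protocol names MinProtocol accepts; the audit policy requires TLSv1.2.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
REQUIRED_FLOOR = "TLSv1.2"

# Constructed sample in the layout of Debian's 1.1.1 openssl.cnf. Only the two
# [system_default_sect] keys are quoted from the bug report; the section chain
# is the standard OpenSSL config-module structure.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

# The same file after the two workarounds tried in the thread.
WORKAROUND_CNF = SAMPLE_CNF.replace("MinProtocol = TLSv1.2", "MinProtocol = TLSv1")
COMMENTED_CNF = SAMPLE_CNF.replace("MinProtocol = TLSv1.2", "#MinProtocol = TLSv1.2")


def parse_openssl_cnf(text):
    """Parse the 'key = value' / [section] subset of openssl.cnf into nested dicts.
    Keys before the first section header land in section "".  Everything after
    '#' is a comment, so a commented-out MinProtocol simply disappears."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def system_default_section(sections):
    """Follow openssl_conf -> ssl_conf -> system_default to the section that
    OpenSSL applies to every SSL_CTX of a program loading the config."""
    app = sections.get("", {}).get("openssl_conf")
    ssl = sections.get(app, {}).get("ssl_conf")
    sysdef = sections.get(ssl, {}).get("system_default")
    return sections.get(sysdef, {})


def audit(text):
    """Return (min_protocol, seclevel, issues) for an openssl.cnf text."""
    sysdef = system_default_section(parse_openssl_cnf(text))
    min_proto = sysdef.get("MinProtocol")
    seclevel_match = re.search(r"@SECLEVEL=(\d)", sysdef.get("CipherString", ""))
    seclevel = int(seclevel_match.group(1)) if seclevel_match else None
    issues = []
    if min_proto is None:
        issues.append("no MinProtocol: each application falls back to its own floor")
    elif TLS_ORDER.get(min_proto, -1) < TLS_ORDER[REQUIRED_FLOOR]:
        issues.append(f"MinProtocol {min_proto} is below {REQUIRED_FLOOR} "
                      "for every OpenSSL consumer on this host")
    if seclevel is None or seclevel < 2:
        issues.append("CipherString does not pin SECLEVEL=2")
    return min_proto, seclevel, issues


def openvpn_tls_floor(config_text):
    """Return the value of 'tls-version-min' in an OpenVPN config, or None if unset."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "tls-version-min":
            return parts[1]
    return None


if __name__ == "__main__":
    for name, cnf in [("shipped", SAMPLE_CNF), ("TLSv1 workaround", WORKAROUND_CNF),
                      ("commented out", COMMENTED_CNF)]:
        print(f"{name}: {audit(cnf)}")
    print("openvpn floor:", openvpn_tls_floor("port 1194\ntls-version-min 1.2\n"))
```

Running it against the three constructed variants shows why the per-application knob is the better place to make an exception: the shipped file audits clean, the `TLSv1` edit and the commented-out line both produce a finding, while the OpenVPN `tls-version-min 1.2` line leaves the system-wide floor untouched and pins the floor only where the peer negotiation actually happens.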