Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Hi,

I confirm this issue. The issue is related to what TLS version the server supports.

Resolution:

1. downgrade to openssl_1.1.0h-4
2. edit /etc/ssl/openssl.cnf and either comment out the MinProtocol option, or try different versions from the top down until the openvpn connection starts to work.

I have openvpn connections to NordVPN servers and TLSv1.2 works fine in most cases. However, the work VPN to Sophos supports only TLSv1.0, so I have to reduce the version in the openssl.cnf file.

-- Jiri
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Hey,

for OpenVPN 2.3.4 on Jessie, the problem is solved for me by enforcing TLS 1.2 with

tls-version-min 1.2

in the server config.

Best
Christian
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Hi,

On Sun, 26 Aug 2018 16:08:59 +0200 Antonin Kral wrote:
> * Antonin Kral [2018-08-25 15:56] wrote:
> > According to https://community.openvpn.net/openvpn/wiki/Hardening ,
> > OpenVPN 2.3.3 and newer should support TLS version negotiation.
> > After some poking around, I have figured that server is running
> > 2.3.4. So one would expect, that TLSv1.2 will work, but it doesn't.
> > TLSv1 is confirmed in log
> >
> > Sat Aug 25 15:33:33 2018 Control Channel: TLSv1, cipher SSLv3
> > DHE-RSA-AES256-SHA, 2048 bit RSA
> >
> > I will try to get server upgraded to confirm, that newer version
> > will basically work out of the box.
>
> I do confirm, that updating server side to a newer version
> (2.4.0-6+deb9u1 in this case) fully solved the issue and clients are
> now able to negotiate at least TLSv2.

Since I can't upgrade the server (running jessie) I downgraded the client to openssl_1.1.0h-4, which also solved the problem.

Regards
Günter

--
---
Günter Frenz
Börschgasse 16a, D-51143 Köln
(h) gu...@guefz.de, gu...@freenet.de
(w) f...@gso-koeln.de
---
Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
This version of openssl also eventually breaks unbound-control of package unbound for some people: unbound-control may give an error:

140493601018752:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310

Commenting out

#CipherString = DEFAULT@SECLEVEL=2

fixes this.

The real fix is probably to generate new keys for unbound-control and unbound with unbound-control-setup. Just calling unbound-control-setup is not enough, though, as unbound-control does not create new ones if these keys already exist. So the existing ones have to be removed first.

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
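The "ee key too small" error above is OpenSSL's security-level check on the end-entity key: at SECLEVEL=2 an RSA key shorter than 2048 bits is refused. The following is an added example, not code from unbound or from this bug thread, that reproduces that check on a PEM public key so you can tell in advance whether regenerated unbound-control keys will pass. The size thresholds are the ones documented in SSL_CTX_set_security_level(3); the DER parser is a minimal hand-written one that assumes a SubjectPublicKeyInfo with an rsaEncryption key and nothing else, and the sample keys are constructed moduli of the wanted length, not real RSA keys.

```python
import base64
import re

# Minimum RSA modulus size OpenSSL accepts at each security level, from
# SSL_CTX_set_security_level(3): level 1 = 80-bit security, 2 = 112, 3 = 128,
# 4 = 192, 5 = 256 bits.  Level 0 disables the check.
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")


def seclevel_from_cipherstring(cipher_string):
    """Security level requested by a CipherString such as DEFAULT@SECLEVEL=2.
    OpenSSL 1.1.x uses level 1 when no @SECLEVEL is given."""
    match = re.search(r"@SECLEVEL=(\d)", cipher_string)
    return int(match.group(1)) if match else 1


# --- minimal DER helpers, enough for a SubjectPublicKeyInfo carrying RSA ---

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:              # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _read_tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def make_rsa_spki_pem(modulus, exponent=65537):
    """PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) for the given RSA parameters.

    Used only to construct sample input: the moduli passed in below are
    arbitrary odd numbers of the wanted length, not products of two primes."""
    rsa_public_key = _der(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm = _der(0x30, RSA_OID_TLV + b"\x05\x00")        # rsaEncryption, NULL
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def rsa_modulus_bits(pem):
    """Bit length of the RSA modulus in a PEM SubjectPublicKeyInfo."""
    match = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not match:
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, pos, _ = _read_tlv(der, 0)                   # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, alg_start, alg_end = _read_tlv(der, pos)        # AlgorithmIdentifier
    _, _, oid_end = _read_tlv(der, alg_start)
    if der[alg_start:oid_end] != RSA_OID_TLV:
        raise ValueError("not an rsaEncryption key")
    tag, bits_start, _ = _read_tlv(der, alg_end)       # BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, key_start, _ = _read_tlv(der, bits_start + 1)   # skip unused-bits octet
    tag, n_start, n_end = _read_tlv(der, key_start)    # INTEGER modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


def key_acceptable(pem, cipher_string):
    """Would SSL_CTX_use_certificate accept a certificate carrying this key at
    the level implied by cipher_string, or fail with 'ee key too small'?"""
    needed = SECLEVEL_MIN_RSA_BITS[seclevel_from_cipherstring(cipher_string)]
    return rsa_modulus_bits(pem) >= needed


if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 3072):
        pem = make_rsa_spki_pem((1 << (bits - 1)) | 1)   # constructed sample key
        for cs in ("DEFAULT", "DEFAULT@SECLEVEL=2"):
            verdict = "ok" if key_acceptable(pem, cs) else "ee key too small"
            print(f"{bits}-bit RSA with CipherString={cs}: {verdict}")
```

A key between 1024 and 2047 bits passes the level-1 default and fails level 2, which is exactly the boundary the SECLEVEL=2 change in this package moved. For a real certificate the same number is on the "Public-Key" line of `openssl x509 -noout -text`, so you can confirm that freshly generated unbound-control keys are at least 2048 bits before re-enabling the CipherString line.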
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Hi,

thanks a lot Kurt.

> Anyway, that seems to mean that openvpn only supports TLS 1.0 for
> some reason. I have no idea how openvpn works, but if it uses
> TLS 1.0, it really should switch to 1.2 or 1.3.

According to https://community.openvpn.net/openvpn/wiki/Hardening , OpenVPN 2.3.3 and newer should support TLS version negotiation. After some poking around, I have figured out that the server is running 2.3.4. So one would expect that TLSv1.2 will work, but it doesn't. TLSv1 is confirmed in the log:

Sat Aug 25 15:33:33 2018 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

I will try to get the server upgraded to confirm that a newer version will basically work out of the box.

Sorry for the unnecessary noise.

Best,
Antonin
Bug#907049: [Pkg-openssl-devel] Bug#907049: Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
severity 907049 important
thanks

On Sat, Aug 25, 2018 at 03:06:47PM +0200, Kurt Roeckx wrote:
> Anyway, that seems to mean that openvpn only supports TLS 1.0 for
> some reason. I have no idea how openvpn works, but if it uses
> TLS 1.0, it really should switch to 1.2 or 1.3.

So it's my understanding now that it might be a client that tries to connect to your server that doesn't support TLS 1.2.

openvpn also supports configuring the minimum TLS version; you can change the openvpn configuration file to override that the minimum should be TLSv1.

Kurt
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
reassign 907049 openvpn
severity 907049 serious
retitle 907049 openvpn: ssl_choose_client_version:version too low
block 907015 by 907049
thanks

On Sat, Aug 25, 2018 at 02:49:12PM +0200, Samuel Hym wrote:
> > Can you try with:
> > MinProtocol = TLSv1
> >
> > And with:
> > #MinProtocol = TLSv1.2
>
> Both options work in my case.
> So I leave the first enabled, I guess it is a bit more secure than
> commenting it out.

If both work, there really isn't much difference.

Anyway, that seems to mean that openvpn only supports TLS 1.0 for some reason. I have no idea how openvpn works, but if it uses TLS 1.0, it really should switch to 1.2 or 1.3.

Kurt
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Hi Kurt,

On 23 August 2018 at 22:20, Kurt Roeckx wrote:
> On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> > Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL routines:ssl_choose_client_version:version too low
> > Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> > Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read error
> > Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed

I have the same issue.

> This is most likely caused by this in /etc/ssl/openssl.cnf:
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=2
>
> Does openvpn use DTLS?

I don't know about that but...

> Can you try with:
> MinProtocol = TLSv1
>
> And with:
> #MinProtocol = TLSv1.2

Both options work in my case.
So I leave the first enabled, I guess it is a bit more secure than commenting it out.

Thank you very much!
Samuel
Bug#907049: [Pkg-openssl-devel] Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI
thanks

On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
>
> Hi,
>
> I have got openssl 1.1.1~~pre9-1 as it is landed in sid. After upgrading
> certain applications are not able to establish connection.
>
> Example of offlineimap:
>
> ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for
> repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and google sending an invalid in case you use TLS 1.3 without SNI. I'm cloning this bug for that.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
>
> I went through changelogs, but was not seen anything what would help me
> in debugging the issue. Interestingly s_client and curl is able to
> establish a connection even with new version. Maybe that can be related
> to different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Does openvpn use DTLS? I'm guessing that setting any TLS setting there is causing problems for anything using DTLS.

Can you try with:

MinProtocol = TLSv1

And with:

#MinProtocol = TLSv1.2

I assume the first will still fail, and the latter one will work. And I'm currently unsure what to do about that, but there are multiple options.

Kurt
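The failure Kurt traces to MinProtocol above is a plain version-negotiation mismatch: the openvpn peer only offers TLS 1.0, and the client's new system-wide floor of TLS 1.2 makes it reject the ServerHello. The following added example, not code from the bug report, OpenSSL or OpenVPN, models that exchange so the three workarounds in this thread (Kurt's two openssl.cnf variants, Jiri's per-server tuning of MinProtocol, and Christian's server-side `tls-version-min 1.2`) can be compared side by side. The openssl.cnf reader and the negotiation function are simplified stand-ins written for this example: the reader only understands a flat `key = value` section, and the negotiation covers the pre-TLS-1.3 path a 2.3.4 server is on (TLS 1.3's supported_versions extension is not modelled). The configuration fragments and peers are constructed for the demonstration.

```python
import re

# TLS protocol version numbers as they appear on the wire (RFC 5246, RFC 8446).
TLS_VERSIONS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
VERSION_NAMES = {num: name for name, num in TLS_VERSIONS.items()}
# Spelling used by OpenVPN's --tls-version-min / --tls-version-max options.
OPENVPN_VERSIONS = {"1.0": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2", "1.3": "TLSv1.3"}


class HandshakeError(Exception):
    """Handshake aborted; the message mirrors the OpenSSL error text."""


def parse_system_default(cnf_text):
    """Collect 'key = value' entries of [system_default_sect] from openssl.cnf text.

    Assumption: a flat INI subset (sections, 'key = value', '#' comments) is
    enough here; OpenSSL's own config parser handles far more."""
    settings, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section = header.group(1)
        elif section == "system_default_sect" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def version_range(settings):
    """(min, max) bounds; a missing MinProtocol/MaxProtocol imposes no
    floor/ceiling within the versions modelled here."""
    return (TLS_VERSIONS[settings.get("MinProtocol", "TLSv1")],
            TLS_VERSIONS[settings.get("MaxProtocol", "TLSv1.3")])


def openvpn_peer(tls_version_min="1.0", tls_version_max="1.2"):
    """(min, max) bounds of an OpenVPN endpoint from its tls-version-min/max."""
    return (TLS_VERSIONS[OPENVPN_VERSIONS[tls_version_min]],
            TLS_VERSIONS[OPENVPN_VERSIONS[tls_version_max]])


def negotiate(client, server):
    """Pre-TLS-1.3 version negotiation between (min, max) pairs.

    The client offers its highest version; the server answers with the
    highest version it supports that does not exceed the offer, or aborts
    if that is below its own floor.  The client then rejects a ServerHello
    below its floor, which is the check OpenSSL reports as
    'ssl_choose_client_version:version too low'."""
    client_min, client_max = client
    server_min, server_max = server
    chosen = min(client_max, server_max)
    if chosen < server_min:
        raise HandshakeError("server: unsupported protocol version")
    if chosen < client_min:
        raise HandshakeError("ssl_choose_client_version:version too low")
    return VERSION_NAMES[chosen]


def outcome(client, server):
    """Negotiated version name, or the error string."""
    try:
        return negotiate(client, server)
    except HandshakeError as exc:
        return str(exc)


def client_outcome(cnf_text, server):
    """Same, for a client whose OpenSSL defaults come from cnf_text."""
    return outcome(version_range(parse_system_default(cnf_text)), server)


# Constructed openssl.cnf fragments: the Debian 1.1.1~~pre9 default and the
# two variants the thread asked the reporter to try.
DEBIAN_DEFAULT = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
RELAXED_FLOOR = "[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=2\n"
NO_FLOOR = "[system_default_sect]\n#MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"

# Constructed peers: a server that only speaks TLS 1.0 (what the reporter's
# log showed), the same server after an upgrade, and a server enforcing
# 'tls-version-min 1.2' as in the thread.
TLS10_ONLY_SERVER = openvpn_peer("1.0", "1.0")
UPGRADED_SERVER = openvpn_peer("1.0", "1.2")
STRICT_SERVER = openvpn_peer("1.2", "1.2")

if __name__ == "__main__":
    for label, cnf in (("MinProtocol = TLSv1.2", DEBIAN_DEFAULT),
                       ("MinProtocol = TLSv1", RELAXED_FLOOR),
                       ("#MinProtocol", NO_FLOOR)):
        print(f"{label:22} vs TLS1.0-only server: {client_outcome(cnf, TLS10_ONLY_SERVER)}")
    print(f"MinProtocol = TLSv1.2  vs upgraded server:    {client_outcome(DEBIAN_DEFAULT, UPGRADED_SERVER)}")
    print(f"TLS1.0-only client     vs tls-version-min 1.2: {outcome(openvpn_peer('1.0', '1.0'), STRICT_SERVER)}")
```

The model makes the trade-off explicit: lowering or removing MinProtocol in [system_default_sect] makes the TLS 1.0-only server reachable again, but that floor applies to every program that loads the system OpenSSL configuration, so it re-enables TLS 1.0 for all of them, not just openvpn. Raising the server's own floor with `tls-version-min 1.2` keeps the client's stricter default intact and instead turns away peers that cannot do TLS 1.2, which is the outcome the last line of the demo shows.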
Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable
Package: openssl
Version: 1.1.1~~pre9-1
Severity: critical
Justification: renders other packages unusable

Hi,

I have got openssl 1.1.1~~pre9-1 as it landed in sid. After upgrading, certain applications are not able to establish a connection.

Example of offlineimap:

ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'showmax-remote'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

Example of openvpn:

Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL routines:ssl_choose_client_version:version too low
Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed

I went through the changelogs, but did not see anything that would help me in debugging the issue. Interestingly, s_client and curl are able to establish a connection even with the new version. Maybe that can be related to a different default cipher set?

Thank you for any hints.

Antonin