[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Changed in: openssl (Ubuntu Bionic) Status: Incomplete => Invalid ** Changed in: openssl (Ubuntu Cosmic) Status: Incomplete => Invalid ** Changed in: openssl (Ubuntu Disco) Status: Incomplete => Invalid ** Changed in: openssl (Ubuntu Eoan) Status: Incomplete => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Invalid Status in openssl source package in Bionic: Invalid Status in openssl source package in Cosmic: Invalid Status in openssl source package in Disco: Invalid Status in openssl source package in Eoan: Invalid Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags removed: rls-ee-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
@xnox, thanks it was indeed an error on my part. The key was to have openssl_conf in the default/unnamed section and then not introduce bogus values: Ciphers is not recognized and causes the config section to be ignored. I believe this bug could be marked as Invalid for all the releases but I'll let you do that as I only tested on Bionic and I don't want to overrule the statuses you set. Thanks again! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: id-5d0269c526b1af4a5c615490 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Patch added: "reorder-tls1.3-ciphersuites.patch" https://bugs.launchpad.net/ubuntu/bionic/+source/openssl/+bug/1832370/+attachment/5270754/+files/reorder-tls1.3-ciphersuites.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
I have started bionic lxd container with nginx and snakeoil certificates. # patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 353 (offset 2 lines). # systemctl restart nginx And connect from the host system which has stock openssl.cnf $ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher Can't use SSL_get_servername depth=0 CN = nearby-osprey.lxd verify error:num=18:self signed certificate verify return:1 depth=0 CN = nearby-osprey.lxd verify return:1 New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES256-GCM-SHA384 ^C Back in the container # patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 350 (offset 2 lines). # patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 353 (offset 2 lines). # systemctl restart nginx Connecting to the container again externally: $ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher Can't use SSL_get_servername depth=0 CN = nearby-osprey.lxd verify error:num=18:self signed certificate verify return:1 depth=0 CN = nearby-osprey.lxd verify return:1 New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256 ^C # patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch patching file /etc/ssl/openssl.cnf Hunk #1 succeeded at 16 (offset 1 line). Hunk #2 succeeded at 350 (offset 2 lines). # systemctl restart nginx So using the above patches to openssl.cnf I was able to reorder chipersuites of stock bionic nginx, and cap to TLSv1.2. So with attached ** Changed in: openssl (Ubuntu Bionic) Status: New => Incomplete ** Changed in: openssl (Ubuntu Disco) Status: New => Incomplete ** Changed in: openssl (Ubuntu Cosmic) Status: New => Incomplete ** Changed in: openssl (Ubuntu Eoan) Assignee: Dimitri John Ledkov (xnox) => (unassigned) ** Changed in: openssl (Ubuntu Eoan) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop:
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Patch added: "cap-to-tls1.2.patch" https://bugs.launchpad.net/ubuntu/bionic/+source/openssl/+bug/1832370/+attachment/5270755/+files/cap-to-tls1.2.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: Incomplete Status in openssl source package in Bionic: Incomplete Status in openssl source package in Cosmic: Incomplete Status in openssl source package in Disco: Incomplete Status in openssl source package in Eoan: Incomplete Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Also affects: openssl (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Eoan) Importance: Undecided Assignee: Dimitri John Ledkov (xnox) Status: New ** Also affects: openssl (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openssl (Ubuntu Disco) Importance: Undecided Status: New ** Changed in: openssl (Ubuntu Bionic) Importance: Undecided => High ** Changed in: openssl (Ubuntu Cosmic) Importance: Undecided => High ** Changed in: openssl (Ubuntu Disco) Importance: Undecided => High ** Changed in: openssl (Ubuntu Eoan) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: New Status in openssl source package in Bionic: New Status in openssl source package in Cosmic: New Status in openssl source package in Disco: New Status in openssl source package in Eoan: New Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Changed in: openssl (Ubuntu) Assignee: (unassigned) => Dimitri John Ledkov (xnox) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: New Status in openssl source package in Bionic: New Status in openssl source package in Cosmic: New Status in openssl source package in Disco: New Status in openssl source package in Eoan: New Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
In my tests, I used NGINX with those TLS related params: # grep -r ssl_ /etc/nginx/nginx.conf /etc/nginx/conf.d/ /etc/nginx/sites-enabled/ /etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE /etc/nginx/nginx.conf: ssl_prefer_server_ciphers on; /etc/nginx/conf.d/ssl.conf:ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; /etc/nginx/conf.d/ssl.conf:ssl_session_cache shared:SSL:1m; /etc/nginx/conf.d/ssl.conf:ssl_session_timeout 1d; /etc/nginx/conf.d/ssl.conf:ssl_session_tickets off; /etc/nginx/conf.d/ssl.conf:ssl_certificate /etc/nginx/certs/sdeziel.info/fullchain.pem; /etc/nginx/conf.d/ssl.conf:ssl_certificate_key /etc/nginx/certs/sdeziel.info/privkey.pem; /etc/nginx/conf.d/ssl.conf:ssl_stapling on; I used many variations of ssl_ciphers and ssl_protocols to no avail. My main goal is to have TLS 1.3 and 1.2 enabled with this ciphers list from above but that doesn't work as seen here: https://dev.ssllabs.com/ssltest/analyze.html?d=sdeziel.info=2001%3a470%3ab1c3%3a7942%3a0%3a0%3a0%3a80=on -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: New Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: rls-ee-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1832370 Title: Unable to configure or disable TLS 1.3 via openssl.cnf Status in openssl package in Ubuntu: New Bug description: [Description] Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/openssl.cnf to alter TLS 1.3 settings. Here is how I'd expect to be able to turn off TLS 1.3: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400 @@ -12,6 +12,16 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +MaxProtocol = TLSv1.2 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids This doesn't work as 'openssl s_client -connect rproxy.sdeziel.info:443' negotiates TLS 1.3 with TLS_AES_256_GCM_SHA384. Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with: # diff -Naur /etc/ssl/openssl.cnf{.orig,} --- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400 +++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400 @@ -12,6 +12,17 @@ HOME = . RANDFILE = $ENV::HOME/.rnd +ssl_conf = ssl_sect + +[ssl_sect] + +system_default = system_default_sect + +[system_default_sect] + +Ciphers = TLS_AES_128_GCM_SHA256 +Ciphersuites = TLS_AES_128_GCM_SHA256 + # Extra OBJECT IDENTIFIER info: #oid_file= $ENV::HOME/.oid oid_section = new_oids Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_256_GCM_SHA384 (!= 128) ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: openssl 1.1.1-1ubuntu2.1~18.04.1 ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18 Uname: Linux 4.15.0-51-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Jun 11 11:22:47 2019 InstallationDate: Installed on 2018-07-15 (331 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714) ProcEnviron: LANG=en_CA.UTF-8 TERM=xterm-256color SHELL=/bin/bash XDG_RUNTIME_DIR= PATH=(custom, no user) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp