Re: [Bug 1861791] Re: Server incompatible with Focal clients

2020-02-20 Thread Chris Knadle
James Henstridge:
> I detailed the configuration file workaround here:
> 
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1856428/comments/2
> 
> I wonder if the underlying cause of the problem is that Bionic's Mumble
> is compiled against Qt 4, which predates the newer TLS versions.  I
> would have thought it'd get new versions automatically through new
> OpenSSL releases, but perhaps there is some incompatibility in there.

Mumble uses Qt's SSL library, and there are differences in the Qt SSL library
between Qt 4 and 5.  Mumble 1.3 with Qt 5 is capable of TLS that has perfect
forward secrecy, but Mumble 1.2 with Qt 4 is not, and that's independent of the
particular versions of OpenSSL that are used.  i.e. this isn't a limitation of
the OpenSSL version, it's a limitation of the SSL library in Qt 4.

  -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861791

Title:
  Server incompatible with Focal clients

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/1861791/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-19 Thread René Walendy
Thanks for the OpenSSL config example! I set up a Bionic and a Focal VM,
both with client and server, to test this.

Without this config, the connection does not work in any direction, i.e.
the Bionic client won't connect to the Focal server (with a chat message
saying "remote host closed connection") and the Focal client won't
connect to the Bionic server (with a popup warning about legacy
encryption).

Adding the OpenSSL config snippet on the Focal machine allows a
connection in both directions. When using the default mumble config on
both sides, TLS1.0 using suite TLS_RSA_WITH_AES_256_CBC_SHA is
negotiated on the control channel.

Two Focal instances will correctly negotiate TLS1.3 using
TLS_AES_256_GCM_SHA384. Bionic instances using the PPA will also
successfully negotiate TLS1.3 and the same cipher but show
"UnknownProtocol" in the client's server info dialog.

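Added example, not part of any post in this thread and not Mumble or Ubuntu code: a Python parser that reads the negotiated protocol version and cipher suite out of a ServerHello record, which is how the two outcomes reported above (and the forward-secrecy difference Chris Knadle describes) can be told apart in a packet capture. The sample records are constructed, and the names `parse_server_hello` and `build_hello` are hypothetical.

```python
import struct

# IANA code points for the two suites reported in the thread; the flag marks an
# ephemeral key exchange (TLS_RSA_* is static RSA; TLS 1.3 full handshakes use (EC)DHE).
SUITES = {0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
          0x1302: ("TLS_AES_256_GCM_SHA384", True)}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

def parse_server_hello(record: bytes) -> dict:
    """Negotiated version and suite from one TLS record carrying a ServerHello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if ctype != 22 or record[5] != 2 or hs_len + 4 > rec_len or len(hello) < max(hs_len, 38):
        raise ValueError("not a complete ServerHello")
    version = struct.unpack("!H", hello[:2])[0]   # only legacy_version in TLS 1.3
    pos = 35 + hello[34]                          # skip version, random, session id
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                      # suite + compression method
    if pos + 2 <= len(hello):                     # extensions are optional
        end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:  # supported_versions
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    name, pfs = SUITES.get(suite, (f"0x{suite:04x}", None))
    return {"version": VERSIONS.get(version, "unknown"), "suite": name,
            "forward_secrecy": pfs, "below_tls12": version < 0x0303}

def build_hello(version: int, suite: int, exts: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    body = struct.pack("!H32xBHB", version, 0, suite, 0)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, min(version, 0x0303), len(hs)) + hs

# Constructed samples matching the two outcomes reported in the thread.
MIXED = build_hello(0x0301, 0x0035)
FOCAL_ONLY = build_hello(0x0303, 0x1302, struct.pack("!HHH", 43, 2, 0x0304))

for _label, _rec in (("Bionic<->Focal", MIXED), ("Focal<->Focal", FOCAL_ONLY)):
    print(_label, parse_server_hello(_rec))
```

A TLS 1.3 ServerHello carries 0x0303 in its version field and the real version in the `supported_versions` extension, so a check that reads only the version field would report such a connection as TLS 1.2.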

[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-19 Thread James Henstridge
I detailed the configuration file workaround here:

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1856428/comments/2

I wonder if the underlying cause of the problem is that Bionic's Mumble
is compiled against Qt 4, which predates the newer TLS versions.  I
would have thought it'd get new versions automatically through new
OpenSSL releases, but perhaps there is some incompatibility in there.

If that's the case, I wonder if Bionic's Mumble client can successfully
connect to Focal's Mumble server?


[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-18 Thread James Henstridge
Sure.  But if this is controllable from a configuration file, then it
might be possible to come up with a temporary workaround until the
server you want to connect to is upgraded.  With any luck, the
configuration can be changed in such a way that only Mumble is affected.


[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-18 Thread René Walendy
This could work as a temporary fix. However, "re-enable old crypto
protocols that should not be used unless absolutely unavoidable since
RFC 7525 five years ago" must not be the final resolution for this bug,
since it's exactly what Focal wants to avoid. From a crypto standpoint,
while TLS1.0 is not utterly broken like SSL, there are still plenty of
reasons why one should really not be using it anymore.


[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-18 Thread James Henstridge
This is likely caused by bug 1856428, which indicates that support for
the older TLS versions can be enabled in a configuration file.


[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-18 Thread James Henstridge
I encountered this today too.  This seems to be an OpenSSL problem,
given that "openssl s_client" refuses to connect to the server, where it
succeeds with older releases.  Presumably the server only supports
ciphers or TLS versions the new OpenSSL rejects.


[Bug 1861791] Re: Server incompatible with Focal clients

2020-02-18 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: mumble (Ubuntu)
   Status: New => Confirmed
