Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
On 2018-09-05 10:30:23 [-0400], Antoine Beaupré wrote:
> Control: block 907807 by 907015
>
> On 2018-09-05 15:53:46, Vincent Bernat wrote:
> > ❦ 5 September 2018 09:30 -0400, Antoine Beaupré :
> >
> >> So I've forwarded the bug upstream to see if we can get a hint there. I
> >> originally thought this was a 1.1 transition problem, but as it turns
> >> out, linkchecker loads those sites fine in buster, which still has
> >> 1.1.0.
> >
> > It's 1.1.1 which comes with more strict checks on everything. I think
> > there is a metabug about this:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015
>
> I see. So I guess this blocks that then, adding to the pile.

But why?

| - ones without SNI

Huh. If linkchecker is lacking SNI support then please add this to
linkchecker. Once this is done, I can add a versioned Breaks to libssl.
Otherwise I don't understand.

| - ones with DH parameters too small
| - ones using TLS 1.0
| - ones still using SHA1 for the signature (get.adobe.com)

This is a limitation of the remote site. You can either get the remote
site to fix it (TLS 1.0 in 2018, srsly?) or override the default OpenSSL
policy (please consider this as the last resort).

> A.

Sebastian
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
Control: block 907807 by 907015

On 2018-09-05 15:53:46, Vincent Bernat wrote:
> ❦ 5 September 2018 09:30 -0400, Antoine Beaupré :
>
>> So I've forwarded the bug upstream to see if we can get a hint there. I
>> originally thought this was a 1.1 transition problem, but as it turns
>> out, linkchecker loads those sites fine in buster, which still has
>> 1.1.0.
>
> It's 1.1.1 which comes with more strict checks on everything. I think
> there is a metabug about this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015

I see. So I guess this blocks that then, adding to the pile.

A.

-- 
Travail, from the Latin tripalium, three stakes: an instrument of torture.
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
❦ 5 September 2018 09:30 -0400, Antoine Beaupré :

> So I've forwarded the bug upstream to see if we can get a hint there. I
> originally thought this was a 1.1 transition problem, but as it turns
> out, linkchecker loads those sites fine in buster, which still has
> 1.1.0.

It's 1.1.1 which comes with more strict checks on everything. I think
there is a metabug about this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907015

> So I have moved this to the python-requests package and will see if
> there's an issue upstream to act on accordingly.

Yes, this makes sense.

-- 
When one burns one's bridges, what a very nice fire it makes.
  -- Dylan Thomas
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
Control: forwarded 907807 https://github.com/requests/requests/issues/4775

On 2018-09-05 09:30:09, Antoine Beaupré wrote:
> So I have moved this to the python-requests package and will see if
> there's an issue upstream to act on accordingly.

There wasn't, so I filed one.

-- 
I believe that love is a better teacher than a sense of duty.
  - Albert Einstein
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
Control: forwarded 907807 https://github.com/linkchecker/linkchecker/issues/188
Control: reassign 907807 python-requests 2.18.4-2
Control: affects 907807 linkchecker

On 2018-09-02 14:53:15, Vincent Bernat wrote:
> Hey!
>
> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
> to check many sites including:
>
> - ones without SNI
> - ones with DH parameters too small
> - ones using TLS 1.0
> - ones still using SHA1 for the signature (get.adobe.com)

So I've forwarded the bug upstream to see if we can get a hint there. I
originally thought this was a 1.1 transition problem, but as it turns
out, linkchecker loads those sites fine in buster, which still has
1.1.0.

Any idea what is causing this? It seems to me a minor upgrade like this
shouldn't break third-party software...

I've found this in the release notes:

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

This could explain case 3. But not the other ones.

I wonder if the problem wouldn't be in one of the upstream libraries. If
I remember correctly, linkchecker uses "requests" to do its dirty work.
And indeed, requests fails on all three sites you mentioned:

    >>> requests.get('https://get.adobe.com')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:726)'),))

    >>> requests.get('https://www.nada.kth.se')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726)'),))

    >>> requests.get('https://caniuse.com')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: VERSION_TOO_LOW] version too low (_ssl.c:726)'),))

So I have moved this to the python-requests package and will see if
there's an issue upstream to act on accordingly.

A.

-- 
What people say, what people do, and what they say they do are entirely
different things.
  - Margaret Mead
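An added illustration of how to triage these failures, not code from the bug thread, linkchecker, python-requests or Debian's OpenSSL packaging. It takes the three SSLError texts quoted in the message above (get.adobe.com, www.nada.kth.se, caniuse.com) as constructed offline input, pulls out the OpenSSL reason code, maps it to the defect on the server side, and builds the kind of relaxed client context that the reply at the top of the page calls the last resort: OpenSSL security level 1 through the cipher string DEFAULT@SECLEVEL=1 plus an optional TLS 1.0 floor, while certificate and hostname verification stay switched on. The function names, the reason-to-fix table and the security-level behaviour stated in the comments are my assumptions taken from OpenSSL's documentation, not anything the thread says; on OpenSSL 3.x, SHA1 handshake signatures and TLS 1.0 are refused even at level 1, which this example deliberately does not lower further. probe() needs network access and is not part of the offline checks.

```python
"""Triage OpenSSL 1.1.1 handshake failures of the kind reported in this bug.

Added illustration, not code from linkchecker, python-requests or OpenSSL.
It parses the "[SSL: REASON]" token OpenSSL puts into the SSLError text, maps
the three reasons seen in the thread to the server-side defect, and builds a
client SSLContext that relaxes the security level as a last resort while
keeping certificate and hostname verification on.  Sample error strings are
copied from the thread; probe() needs network and is not run offline.
"""
import re
import socket
import ssl
import warnings

# reason code -> (what the remote server is doing, what fixes it properly)
# Assumption: the mapping below follows OpenSSL's documented security levels.
KNOWN_REASONS = {
    "DH_KEY_TOO_SMALL": (
        "server offers ephemeral DH parameters below the client's security level",
        "server: regenerate DH parameters at >= 2048 bits, or prefer ECDHE suites",
    ),
    "VERSION_TOO_LOW": (
        "server only speaks a TLS version below the client's configured minimum",
        "server: enable TLS 1.2 (and ideally 1.3)",
    ),
    "WRONG_SIGNATURE_TYPE": (
        "server signs the handshake with an algorithm the client no longer accepts",
        "server: use SHA-256 or better for the handshake signature",
    ),
}

_REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")


def classify(error_text):
    """Return (reason_code, server_problem, proper_fix) for an SSLError string."""
    m = _REASON_RE.search(error_text)
    code = m.group(1) if m else "UNKNOWN"
    problem, fix = KNOWN_REASONS.get(
        code, ("unrecognised OpenSSL reason; inspect with openssl s_client", "n/a")
    )
    return code, problem, fix


def relaxed_context(allow_tls10=True):
    """Last-resort client context: security level 1 plus (optionally) TLS 1.0.

    Assumption: OpenSSL's "@SECLEVEL=1" cipher-string syntax, which admits
    1024-bit DH (and, on 1.1.1, SHA1 signatures) that the default level 2
    rejects.  Deliberately NOT relaxed: CERT_REQUIRED and check_hostname stay
    on, so a weak-but-genuine server is reachable while a spoofed one is still
    refused.  Returns the context and the list of overrides that applied.
    """
    ctx = ssl.create_default_context()
    applied = []
    ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    applied.append("DEFAULT@SECLEVEL=1")
    if allow_tls10:
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ssl.TLSVersion.TLSv1
            applied.append("MinProtocol=TLSv1")
        except (ValueError, ssl.SSLError):
            pass  # this OpenSSL build refuses TLS 1.0 outright; keep the default
    return ctx, applied


def probe(host, port=443, relaxed=False, timeout=10):
    """One handshake against a live host (network; not run by the offline checks)."""
    ctx = relaxed_context()[0] if relaxed else ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname= sends SNI; without it SNI-only hosts fail as well
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        code, problem, fix = classify(str(exc))
        return {"ok": False, "reason": code, "problem": problem, "fix": fix}


# The three SSLError texts from the thread, reused as constructed offline input.
SAMPLE_ERRORS = {
    "get.adobe.com": "[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:726)",
    "www.nada.kth.se": "[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726)",
    "caniuse.com": "[SSL: VERSION_TOO_LOW] version too low (_ssl.c:726)",
}


def triage(samples=SAMPLE_ERRORS):
    """Map host -> OpenSSL reason code for a batch of error strings."""
    return {host: classify(text)[0] for host, text in samples.items()}


if __name__ == "__main__":
    for host, code in triage().items():
        print(host, "->", code, "|", KNOWN_REASONS[code][1])
    ctx, applied = relaxed_context()
    print("relaxed overrides applied:", applied, "| verify_mode:", ctx.verify_mode)
```

Use the relaxed context only for the one host that needs it, not as a process-wide default: the point of the DEFAULT@SECLEVEL=1 string is that it lowers key-size and signature requirements but leaves the trust check intact, which is the part that actually protects a link checker from being fed a spoofed page.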
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
On 2018-09-03 18:17:07, Vincent Bernat wrote:
> ❦ 3 September 2018 09:49 -0400, Antoine Beaupré :
>
>>> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
>>> to check many sites including:
>>>
>>> - ones without SNI
>
> Don't remember for this one.
>
>>> - ones with DH parameters too small
>
> Result: SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max
> retries exceeded with url:
> /~snilsson/publications/IP-address-lookup-using-LC-tries/ (Caused by
> SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726...
>
>>> - ones using TLS 1.0
>
> Result: SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max
> retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL:
> VERSION_TOO_LOW] version too low (_ssl.c:726)'),))
>
>>> - ones still using SHA1 for the signature (get.adobe.com)
>
> Result: SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max
> retries exceeded with url: /flashplayer/?loc=fr (Caused by
> SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type
> (_ssl.c:726)'),))

Thanks!

-- 
There is no limit, sacred or otherwise, to man's action in the universe.
Since our origins we have had the choice: to be blinded by the truth or
to sew our eyelids shut.
  - [no one is innocent]
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
❦ 3 September 2018 09:49 -0400, Antoine Beaupré :

>> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
>> to check many sites including:
>>
>> - ones without SNI

Don't remember for this one.

>> - ones with DH parameters too small

Result: SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max
retries exceeded with url:
/~snilsson/publications/IP-address-lookup-using-LC-tries/ (Caused by
SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726...

>> - ones using TLS 1.0

Result: SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max
retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL:
VERSION_TOO_LOW] version too low (_ssl.c:726)'),))

>> - ones still using SHA1 for the signature (get.adobe.com)

Result: SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max
retries exceeded with url: /flashplayer/?loc=fr (Caused by
SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type
(_ssl.c:726)'),))

-- 
I'll burn my books.
  -- Christopher Marlowe
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
On 2018-09-02 14:53:15, Vincent Bernat wrote:
> Package: linkchecker
> Version: 9.4.0-2
> Severity: normal
>
> Hey!
>
> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
> to check many sites including:
>
> - ones without SNI
> - ones with DH parameters too small
> - ones using TLS 1.0
> - ones still using SHA1 for the signature (get.adobe.com)

Would you mind citing an example for each of those?

Thanks,

A.

-- 
There is no power on earth from which we should be prepared to accept an
order to kill.
  - Albert Einstein
Bug#907807: After upgrading to OpenSSL 1.1.1, many sites are unreachable
Package: linkchecker
Version: 9.4.0-2
Severity: normal

Hey!

Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
to check many sites including:

- ones without SNI
- ones with DH parameters too small
- ones using TLS 1.0
- ones still using SHA1 for the signature (get.adobe.com)

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linkchecker depends on:
ii  libc6             2.27-5
ii  python            2.7.15-3
ii  python-dnspython  1.15.0-1
ii  python-requests   2.18.4-2
ii  python-urllib3    1.22-1
ii  python-xdg        0.25-4

linkchecker recommends no packages.

Versions of packages linkchecker suggests:
pn  clamav-daemon       <none>
pn  linkchecker-web     <none>
ii  python-argcomplete  1.8.1-1
ii  python-cssutils     1.0.2-1
ii  python-gconf        2.28.1+dfsg-1.2
ii  python-geoip        1.3.2-1+b4
pn  python-meliae       <none>

-- no debconf information