Can we reopen this and potentially backport OpenSSL 3.0.5 from kinetic
to jammy?
The "UnsafeLegacyServerConnect" option was mentioned above in #3.
Unfortunately, that option was documented but not implemented in the
3.0.2 OpenSSL release available in the jammy repos. (See
You'll need to contact your provider. I'm guessing their script isn't
compatible with OpenSSL 3.0, but without more information (such as the
stdout/stderr of the openssl CLI invocation here) there isn't much we
can do on this end.
Whatever the precise issue though, it's almost certainly NOT
I am from this bug post:
https://www.reddit.com/r/Ubuntu/comments/uf68rn/major_issues_connecting_ubuntu_2204_lts_to/
I am wondering if this but report is related to it. I got the following
error message when using the python version of SecureW2 client:
(Pdb) key_valid(self.file,
Can someone please tell the process of the workaround as i upgraded to
ubuntu 22.04 and can't connect to my university wifi and i can't
understand the details you guys are talking about
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is
FYI, to restart wpa-supplicant after these edits:
systemctl restart wpa_supplicant
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834
Title:
openssl 3.0 - SSL:
Yes, managing the configurations for the huge variety of cryptography
toolkits on a Linux system is definitely something of a chore. It would
be nice to give people one command they could use to return to unsafe-
but-compatible cryptography -- or enforce only modern cryptography.
Our friends at
It's a bit of an 'own goal' if this gets marked as 'won't fix'. As students
upgrade to 22.04 where I work they will find they can't connect to the
institutions or research centre wireless network. They won't care that the SSL
change is protecting them from an old SSL bug, they will just come
I'm marking this bug as `Won't Fix` as this new behavior is a deliberate
upstream choice that is documented in their migration documentation
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
Granted, the documentation in question isn't exactly obvious (search for
RFC 5746), but
We are having the same issue.
Out setup:
Ubuntu 22.04 (daily) + GlobalProtect Version 6 from Palo Alto Networks + SAML
Auth
We found a system-wide workaround.
Modify the existing openssl config file, path: /usr/lib/ssl/openssl.cnf
with your already mentioned settings (just add the missings ones):
Ok, I did get my case to work by creating ~/ssl.conf containing:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
And then did OPENSSL_CONF=~/ssl.conf do-my-command
that
I tried also adding the following:
[openssl_init]
providers = provider_sect
ssl_conf = ssl_configuration
as I wasn't sure whether the [ssl_configuration] section would otherwise
get used for anything, but that didn't seem to make a difference.
The end of the file is
[ssl_configuration]
client
FWIW I'm seeing this with the openconnect-sso
(https://github.com/vlaci/openconnect-sso) package on jammy. I just
tried adding the following to my /etc/ssl/openssl.cfg:
[ssl_configuration]
client = client_tls_config
[client_tls_config]
Options = UnsafeLegacyServerConnect
With no luck :(
--
... And while looking for what exactly to suggest upstream, I realized
that GitHub search only prints out the first match in a given file,
which mean I missed the config options part of
https://www.openssl.org/docs/man3.0/man3/SSL_CONF_cmd_value_type.html
(search for UnsafeLegacyServerConnect),
To be clear, the root issue is that the server is using an outdated,
insecure protocol that has been deemed so for more than a decade, and
OpenSSL finally decided to disable it by default. The "proper" way to
fix this would be for them to upgrade.
Now, that being said, we live in the real world
It looks like this was added in:
https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
in order to address servers that have not yet been updated for
CVE-2009-3555.
It's possible to add a flag at the C level to connect insecurely,
SSL_OP_LEGACY_SERVER_CONNECT, but I
** Tags added: openssl3
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834
Title:
openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Status in openssl package
16 matches
Mail list logo