[Touch-packages] [Bug 2003903] Re: [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Mark Pruett
Thomas and Marc, thanks for the guidance and time spent here. :)

I'll look into the SRU process.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2003903

Title:
  [BPO] openssl/3.0.5-2ubuntu2 from kinetic

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Humbly requesting backporting OpenSSL 3.0.5-2ubuntu2 from kinetic to
  jammy.

  [Impact]

  From the OpenSSL 3.0 migration guide:
  (https://www.openssl.org/docs/man3.0/man7/migration_guide.html)

  "Secure renegotiation is now required by default for TLS connections

  Support for RFC 5746 secure renegotiation is now required by default
  for SSL or TLS connections to succeed. Applications that require the
  ability to connect to legacy peers will need to explicitly set
  SSL_OP_LEGACY_SERVER_CONNECT. Accordingly,
  SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL."

  

  OpenSSL 3.0.2 doesn't allow you to enable UnsafeLegacyServerConnect in
  the openssl.cnf file. The OpenSSL team documented this option but
  forgot to implement it
  (https://github.com/openssl/openssl/pull/18296).

  Users are recommending enabling UnsafeLegacyRenegotiation (see
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32)
  (see more examples in "Other Info")

  When this is enabled, it makes OpenSSL 3 less secure than 1.1.1 (which
  is what the previous LTS, Focal, uses).

  Backporting the newer OpenSSL 3.0.5 would allow users to enable
  UnsafeLegacyConnect, while keeping UnsafeLegacyRenegotiation disabled.

  [Scope]

  Backport OpenSSL 3.0.5-2ubuntu2 from kinetic

  Backport to jammy

  [Other Info]
  Other places where users are recommending enabling UnsafeLegacyRenegotiation:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/6
  https://ubuntuforums.org/showthread.php?t=2474436=14094091#post14094091
  
https://www.reddit.com/r/Ubuntu/comments/ufalf4/cannot_connect_to_eduroam_since_2204_update/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2003903/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2003903] [NEW] [BPO] openssl/3.0.5-2ubuntu2 from kinetic

2023-01-25 Thread Mark Pruett
Public bug reported:

Humbly requesting backporting OpenSSL 3.0.5-2ubuntu2 from kinetic to
jammy.

[Impact]

From the OpenSSL 3.0 migration guide:
(https://www.openssl.org/docs/man3.0/man7/migration_guide.html)

"Secure renegotiation is now required by default for TLS connections

Support for RFC 5746 secure renegotiation is now required by default for
SSL or TLS connections to succeed. Applications that require the ability
to connect to legacy peers will need to explicitly set
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
is no longer set as part of SSL_OP_ALL."



OpenSSL 3.0.2 doesn't allow you to enable UnsafeLegacyServerConnect in
the openssl.cnf file. The OpenSSL team documented this option but forgot
to implement it (https://github.com/openssl/openssl/pull/18296).

Users are recommending enabling UnsafeLegacyRenegotiation (see
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268/comments/32)
(see more examples in "Other Info")

When this is enabled, it makes OpenSSL 3 less secure than 1.1.1 (which
is what the previous LTS, Focal, uses).

Backporting the newer OpenSSL 3.0.5 would allow users to enable
UnsafeLegacyConnect, while keeping UnsafeLegacyRenegotiation disabled.

[Scope]

Backport OpenSSL 3.0.5-2ubuntu2 from kinetic

Backport to jammy

[Other Info]
Other places where users are recommending enabling UnsafeLegacyRenegotiation:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/6
https://ubuntuforums.org/showthread.php?t=2474436=14094091#post14094091
https://www.reddit.com/r/Ubuntu/comments/ufalf4/cannot_connect_to_eduroam_since_2204_update/

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

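The distinction the report draws between UnsafeLegacyServerConnect and UnsafeLegacyRenegotiation can be checked at the API level. SSL_OP_LEGACY_SERVER_CONNECT only lets the initial handshake complete against a server that does not send the RFC 5746 renegotiation_info extension; SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION additionally permits the insecure renegotiation that RFC 5746 was written to stop. The Python module below is an added example, not code from this thread, from gp-saml-gui or from OpenSSL. It builds a client SSLContext with only the first bit set (the per-application equivalent of the openssl.cnf line `Options = UnsafeLegacyServerConnect`, which the report says the 3.0.2 build in jammy does not honour), clears the second bit in case a system-wide openssl.cnf turned it on, reports the state of both, and classifies the exact ssl.SSLError quoted in bug 1963834 so it can be told apart from other handshake failures. The values 0x4 and 0x40000 are the OpenSSL 3.0 definitions of the two option bits; Python names only the first one, and only from 3.12, so the block falls back to the literal on the 3.10 in jammy. The two sample error objects are constructed to match the messages in the report.

```python
"""Scope the OpenSSL 3 legacy-server workaround to one client context.

Added example, not from the bug thread, gp-saml-gui or OpenSSL.
Option bit values are the OpenSSL 3.0 definitions from ssl.h; Python names
only the first of them (ssl.OP_LEGACY_SERVER_CONNECT, 3.12+), so the
literals are the fallback on older interpreters.
"""
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT: accept an initial handshake from a server that
# does not advertise RFC 5746 secure renegotiation. Renegotiation stays off.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)

# SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: also allow the insecure pre-RFC 5746
# renegotiation. Not exposed by Python's ssl module; it is what the openssl.cnf
# option UnsafeLegacyRenegotiation turns on. This module never sets it.
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x40000

# OpenSSL reason string seen in the traceback in bug 1963834.
LEGACY_RENEG_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def legacy_server_context(cafile=None):
    """Default (verifying) client context plus only the legacy-server-connect bit.

    Meant for the one legacy peer, instead of editing the system-wide
    openssl.cnf; certificate verification and everything else keep the
    OpenSSL 3 defaults.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    opts = int(ctx.options)
    opts |= OP_LEGACY_SERVER_CONNECT
    # If a system openssl.cnf enabled UnsafeLegacyRenegotiation, undo it here:
    # the setter clears bits that are present now but absent in the new value.
    opts &= ~OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    ctx.options = opts
    return ctx


def describe_options(ctx):
    """Report the two bits and the verify mode, for a configuration review."""
    opts = int(ctx.options)
    return {
        "legacy_server_connect": bool(opts & OP_LEGACY_SERVER_CONNECT),
        "unsafe_legacy_renegotiation": bool(opts & OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
        "verify_mode_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def is_legacy_renegotiation_error(exc):
    """True only for the handshake refusal quoted in the thread.

    Errors raised by the C layer carry a .reason attribute; errors built in
    Python (such as the constructed samples below) do not, so the message
    text is the fallback. Any other TLS failure (bad certificate, protocol
    mismatch) returns False.
    """
    if not isinstance(exc, ssl.SSLError):
        return False
    if getattr(exc, "reason", None) == LEGACY_RENEG_REASON:
        return True
    return LEGACY_RENEG_REASON in str(exc)


# Constructed samples shaped like the messages in the bug report.
SAMPLE_LEGACY_ERROR = ssl.SSLError(
    1, "[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)")
SAMPLE_OTHER_ERROR = ssl.SSLError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:997)")


if __name__ == "__main__":
    print(describe_options(legacy_server_context()))
    print(is_legacy_renegotiation_error(SAMPLE_LEGACY_ERROR),
          is_legacy_renegotiation_error(SAMPLE_OTHER_ERROR))
```

With requests (which gp-saml-gui uses), the context reaches urllib3 through a subclass of requests.adapters.HTTPAdapter that overrides init_poolmanager and adds ssl_context=legacy_server_context() to its pool_kwargs before calling the base method; mount that adapter only for the legacy host's URL prefix so every other connection keeps the stock OpenSSL 3 behaviour.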


[Touch-packages] [Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

2023-01-25 Thread Mark Pruett
Can we reopen this and potentially backport OpenSSL 3.0.5 from kinetic
to jammy?

The "UnsafeLegacyServerConnect" option was mentioned above in #3.
Unfortunately, that option was documented but not implemented in the
3.0.2 OpenSSL release available in the jammy repos. (See
https://github.com/openssl/openssl/pull/18296)

Enabling UnsafeLegacyRenegotiation is not acceptable and shouldn't be
done. This is actually less secure than version 1.1.1 (which is what the
previous LTS focal has available).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834

Title:
  openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Description:Ubuntu Jammy Jellyfish (development branch)
  Release:22.04

  openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
   Table de version :
   *** 3.0.1-0ubuntu1 500
  500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
  100 /var/lib/dpkg/status

  Using Ubuntu 22.04, I now get the following error message when
  attempting to connect to our office VPN using "gp-saml-gui
  (https://github.com/dlenski/gp-saml-gui)":

  #
  dominique@Doombuntu:~$ .local/bin/gp-saml-gui  server_url
  Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
  usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
  gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
  #
  #
  #

  gp-saml-gui uses the python module requests.
  Using the python IDE, I can get the same results:

  #
  >>> r = requests.get('https://server_url')
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
      httplib_response = self._make_request(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
      self._validate_conn(conn)
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
      conn.connect()
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
      self.sock = ssl_wrap_socket(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
      ssl_sock = _ssl_wrap_socket_impl(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
      return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
    File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
      return self.sslsocket_class._create(
    File "/usr/lib/python3.10/ssl.py", line 1070, in _create
      self.do_handshake()
    File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
      self._sslobj.do_handshake()
  ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
      resp = conn.urlopen(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
      retries = retries.increment(
    File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
      raise MaxRetryError(_pool, url, error or ResponseError(cause))
  urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
      return request('get', url, params=params, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
      return session.request(method=method, url=url, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
      resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
      r = adapter.send(request, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
      raise SSLError(e, request=request)
  requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy