** Changed in: openssl
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1864689
Title:
openssl in 20.04 can't connect to site that
I mean, the bug is three years old and presumably by now the vast
majority of web sites have renewed their certificates and the new ones
are compatible with SECLEVEL=2 since all of the signing authorities
stopped issuing incompatible ones years ago, so it's kind of moot at
this point.
--
Looking at the bug report opened upstream
(https://github.com/openssl/openssl/issues/11236), this is considered a
bug on the server side and I'm inclined to follow openssl upstream on
this.
Moreover, I've tried all the tests provided in this bug and all have
succeeded.
I'll mark the bug as
The openssl.cnf fix doesn't really work... it allows me to connect to
sites, but when loading their pages, it takes forever. Unusable. Also
tried SECLEVEL=0... same.
--
Also affects me with many HTTPS sites, such as teams.microsoft.com, but
haven't been able to post a bug here because SSL or whatever isn't
working. I imagine many can't post that it's broken, but tons of
websites aren't working in Firefox or chrome or wget for me.
--
This bug affects me too, with a client certificate that now "magically"
does not match the requirements.
Ironically, the error message says only:
OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md
too weak, (no key found, wrong pass phrase, or wrong file format?)
although
>> You can override this via command-line, a system config file, or a
local config file + environment variable pointing to it.
Some hints as to how to achieve that "local config file + environment variable"
would be extremely useful.
I've tried it and got nowhere, although I know that setting
I've now opened upstream issues about this on the OpenSSL bug tracker.
However, todoodle.com could refresh their certificate chain with an
up-to-date G2 GoDaddy SSL certificate chain, instead of the one that ends
on a CA root certificate which is no longer trustworthy.
** Changed in: openssl
** Bug watch added: github.com/openssl/openssl/issues #11236
https://github.com/openssl/openssl/issues/11236
** Also affects: openssl via
https://github.com/openssl/openssl/issues/11236
Importance: Unknown
Status: Unknown
--
So, in their chain of certs that they present there is still an RSA-SHA1
certificate. It shouldn't affect validation, as the other certs in the
chain are sufficient (for example gnutls-cli toodledo.com connects fine)
but it does trip up openssl:
- Certificate[3] info:
- subject `OU=Go Daddy
Lifetimes of more than a year are only rejected by Apple on their
products. Longevity of the certificates does not matter on Ubuntu.
--
There is still something wrong here.
The site in question has fixed the issue in response to my query, and
SSL Labs now gives it an A grade:
https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com
According to SSL Labs, it supports these two ciphers for TLS 1.2:
Fair enough, I will contact the web site maintainer. However, regarding
this:
>You can override this via command-line, a system config file, or a local
>config file + environment variable pointing to it.
>
>On Ubuntu 20.04 LTS:
>
>man SSL_CTX_get_security_level.3ssl
1) I searched high, low, and
About the server:
- Its certificate is valid for 2 years, and Apple has started
rejecting any servers whose certificate is valid for more than 13
months.
- It has a SHA1withRSA certificate in its chain, which will be rejected
by all clients soon.
- It supports many weak TLSv1.2
The browsers will require SECLEVEL=2 from April 2020, the change in
libraries has already landed.
You can override this via command-line, a system config file, or a local
config file + environment variable pointing to it.
On Ubuntu 20.04 LTS:
man SSL_CTX_get_security_level.3ssl
does have:
--
Aha! `curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://www.toodledo.com/`
works but `curl -v --ciphers 'DEFAULT:@SECLEVEL=2'
https://www.toodledo.com/` fails.
According to
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html,
the default security level for the library is 1 if
I may be misunderstanding something, but as far as I can tell this is
not a cipher mismatch problem.
According to
https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com, the
site supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. According to
"openssl ciphers", openssl supports
Example output:
jik@jik-x1:~$ curl -v https://www.toodledo.com/
* Trying 146.20.52.175:443...
* TCP_NODELAY set
* Connected to www.toodledo.com (146.20.52.175) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: