** Changed in: openssl (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1917625
Title:
OpenSSL TLS 1.1 handshake fails
Hi Christian, I'd like to move forward with this ticket and I think that
will mean closing it. But first, have things changed on your side?
Also, like Dimitri I am reluctant to commit there but I don't see things
changing until the next openssl LTS release as I've said in
Opened https://github.com/openssl/openssl/issues/14607
** Bug watch added: github.com/openssl/openssl/issues #14607
https://github.com/openssl/openssl/issues/14607
--
> to change the security level. Here Ubuntu deviates from standard
> OpenSSL 1.1.1 policies. So I ask again: Should we detect and special
> case the deviation and document it?
I am reluctant to say yes here. But I also want to ask how you would
detect that it's an Ubuntu, or Ubuntu-derived, openssl. I
> Could you hook up the check to SSL_CTX_set_min_proto_version() and
> return an error code when level and security policy don't match? It's a
> modern setter, so it can return 0 on error.
That is an interesting proposal.
However, we need to be careful not to potentially break configs, i.e. if
they
> I feel that openssl upstream needs to add:
> server_context.verify_consistent()
Yeah, I agree with you. :) The idea came up three years ago when I filed
issue https://github.com/openssl/openssl/issues/5127
> 1) if openssl version 3.x, and security level is greater than 0, assume no
> TLS1.1 is
> s->cert->sec_cb() and then call it with SSL_SECOP_VERSION operation
> with nbits set to TLS1.1 version? then it will return and tell us if it
> is acceptable or not, by the security level.
Nice!
Could you hook up the check to SSL_CTX_set_min_proto_version() and return an
error code when level and
Oooh,
can we add bindings for:
s->cert->sec_cb() and then call it with SSL_SECOP_VERSION operation with
nbits set to TLS1.1 version? then it will return and tell us if it is
acceptable or not, by the security level.
--
ideally it would be nice if we could access sec_cb and call it with the
protocol versions to check the versions there.
--
I feel that openssl upstream needs to add:
server_context.verify_consistent()
Because in the above example, even before trying to establish the
connection between the two contexts, the server context is already
internally inconsistent.
And upstream has changed the meaning of security levels in
I didn't include a setter for security level on purpose,
https://bugs.python.org/issue41195. The most recent Python version only has
a getter to query the security level. I strongly believe that user
applications should not modify the security level. Security level and TLS
versions should be centrally managed
Please note that:
OpenSSL upstream security level 3 only allows TLS v1.1 and above
OpenSSL upstream security level 4 only allows TLS v1.2 and above, DTLS v1.2 and
above
On Ubuntu, these restrictions are brought in earlier at security level
2.
Thus, if one builds upstream OpenSSL with security
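As an added example (not code from this thread, from OpenSSL or from Ubuntu), here is a Python sketch of the verify_consistent() check asked for above, with the same check also hooked into the minimum-version setter, the way the earlier message proposes for SSL_CTX_set_min_proto_version(). The upstream floors are the ones listed in the thread; the Ubuntu table (level 2 already requiring TLS 1.2) is my reading of the thread and an assumption, and the names CheckedContext, verify_consistent and checked_client_context are mine.

```python
import ssl

V = ssl.TLSVersion
# Lowest protocol version the default security callback accepts at each level.
# Upstream 1.1.1: level 2 rejects SSLv3, level 3 needs TLS 1.1+, level 4+ needs TLS 1.2+.
UPSTREAM_FLOOR = {2: V.TLSv1, 3: V.TLSv1_1, 4: V.TLSv1_2, 5: V.TLSv1_2}
# Ubuntu's patched policy pulls the TLS 1.2 floor down to level 2 (assumption from the thread).
UBUNTU_FLOOR = {2: V.TLSv1_2, 3: V.TLSv1_2, 4: V.TLSv1_2, 5: V.TLSv1_2}

def policy_floor(level, policy="upstream"):
    """Minimum version the security level tolerates; level <= 1 allows anything."""
    if level <= 1:
        return V.SSLv3
    table = UBUNTU_FLOOR if policy == "ubuntu" else UPSTREAM_FLOOR
    return table[min(level, 5)]

def verify_consistent(min_version, level, policy="upstream"):
    """Return (consistent, effective_minimum). Inconsistent means the context
    still advertises versions that the SSL_SECOP_VERSION check will reject:
    the setter succeeded, but every handshake in that range fails later."""
    if min_version == V.MINIMUM_SUPPORTED:  # Python's "no lower bound"
        min_version = V.SSLv3
    floor = policy_floor(level, policy)
    return (min_version >= floor, max(min_version, floor))

class CheckedContext(ssl.SSLContext):
    """SSLContext whose minimum_version setter refuses an inconsistent value,
    i.e. the hook proposed for SSL_CTX_set_min_proto_version(). Pass `level`
    explicitly on Pythons older than 3.10, which have no security_level getter."""
    def __init__(self, protocol=ssl.PROTOCOL_TLS_CLIENT, policy="upstream", level=None):
        super().__init__()
        self.policy, self._level = policy, level

    @property
    def level(self):
        return self._level if self._level is not None else self.security_level

    @property
    def minimum_version(self):
        return super().minimum_version

    @minimum_version.setter
    def minimum_version(self, value):
        ok, floor = verify_consistent(value, self.level, self.policy)
        if not ok:  # reject now instead of failing every handshake with "internal error"
            raise ValueError(f"minimum {value!r} is below the level-{self.level} floor {floor!r}")
        super(CheckedContext, CheckedContext).minimum_version.__set__(self, value)

def checked_client_context(policy="upstream", level=None):
    return CheckedContext(ssl.PROTOCOL_TLS_CLIENT, policy=policy, level=level)
```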
** Tags removed: rls-ff-incoming
--
I need to verify a few things, but I believe it is to do with
ciphersuites, the seclevel callback, and protocol versions.
When setting the ciphersuite string, or changing the security level, or
changing the security level callback, or setting min/max protocol
versions, none of those things are checked
** Also affects: openssl (Ubuntu Hirsute)
Importance: Undecided
Status: Confirmed
--
** Tags added: fr-1204
--
** Tags added: focal rls-ff-incoming
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openssl (Ubuntu)
Status: New => Confirmed