[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Changed in: openssl (Ubuntu Bionic)
       Status: Incomplete => Invalid

** Changed in: openssl (Ubuntu Cosmic)
       Status: Incomplete => Invalid

** Changed in: openssl (Ubuntu Disco)
       Status: Incomplete => Invalid

** Changed in: openssl (Ubuntu Eoan)
       Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832370

Title:
  Unable to configure or disable TLS 1.3 via openssl.cnf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: patch
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags removed: rls-ee-incoming
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
@xnox, thanks, it was indeed an error on my part. The key was to have openssl_conf in the default/unnamed section and then not introduce bogus values: Ciphers is not recognized and causes the config section to be ignored.

I believe this bug could be marked as Invalid for all the releases but I'll let you do that as I only tested on Bionic and I don't want to overrule the statuses you set.

Thanks again!
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: id-5d0269c526b1af4a5c615490
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Patch added: "reorder-tls1.3-ciphersuites.patch"
   https://bugs.launchpad.net/ubuntu/bionic/+source/openssl/+bug/1832370/+attachment/5270754/+files/reorder-tls1.3-ciphersuites.patch
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
I have started a bionic lxd container with nginx and snakeoil certificates.

# patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx

And connect from the host system which has stock openssl.cnf:

$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
^C

Back in the container:

# patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx

Connecting to the container again externally:

$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
^C

# patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# systemctl restart nginx

So using the above patches to openssl.cnf I was able to reorder ciphersuites of stock bionic nginx, and cap to TLSv1.2.

So with attached

** Changed in: openssl (Ubuntu Bionic)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Disco)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Cosmic)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Eoan)
     Assignee: Dimitri John Ledkov (xnox) => (unassigned)

** Changed in: openssl (Ubuntu Eoan)
       Status: New => Incomplete
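The two openssl.cnf pitfalls the thread settles on (openssl_conf has to sit in the unnamed default section, and an unrecognized key such as Ciphers makes OpenSSL drop the whole system_default section), checked over the cap-to-TLS1.2 and reorder-ciphersuites layouts xnox tested, as an added example that is not from the bug report or its patch attachments. The section names default_conf/ssl_sect/system_default_sect and all sample configs are constructed here, and the list of accepted keys is a partial one taken from the OpenSSL 1.1.1 SSL_CONF_cmd manual.

```python
import re

# SSL_CONF commands OpenSSL 1.1.1 accepts in a system_default section (partial list
# from the SSL_CONF_cmd manual; assumption: enough for this check).
KNOWN_KEYS = {"CipherString", "Ciphersuites", "MinProtocol", "MaxProtocol", "Protocol",
              "Options", "Curves", "Groups", "SignatureAlgorithms", "VerifyMode"}

def parse_cnf(text):
    # Minimal openssl.cnf parser: the unnamed section is stored under "" and each
    # `[name]` header opens a new section; `#` comments and blank lines are skipped.
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_system_default(text):
    # Problems that make OpenSSL silently skip the settings; [] means the
    # openssl_conf -> ssl_conf -> system_default chain is intact and well-formed.
    sections = parse_cnf(text)
    top = sections[""].get("openssl_conf")
    if top is None:  # first mistake in the thread: openssl_conf inside a named section
        return ["openssl_conf is not in the default (unnamed) section"]
    ssl_sect = sections.get(top, {}).get("ssl_conf")
    sysdef = sections.get(ssl_sect, {}).get("system_default")
    if sysdef not in sections:
        return ["openssl_conf -> ssl_conf -> system_default chain is broken"]
    # second mistake: a key SSL_CONF does not know (e.g. `Ciphers`) voids the section
    return [f"unknown key {k!r} in [{sysdef}]: OpenSSL ignores the section"
            for k in sections[sysdef] if k not in KNOWN_KEYS]

# Constructed sample configs (not the bug's attachments): CAP_TO_TLS12 uses the layout
# that worked in the thread; the others vary it to show the reorder and the two mistakes.
CAP_TO_TLS12 = "\n".join([
    "openssl_conf = default_conf", "[default_conf]", "ssl_conf = ssl_sect",
    "[ssl_sect]", "system_default = system_default_sect", "[system_default_sect]",
    "MinProtocol = TLSv1.2", "MaxProtocol = TLSv1.2", "CipherString = DEFAULT:@SECLEVEL=2"])
REORDER_TLS13 = CAP_TO_TLS12.replace("MaxProtocol = TLSv1.2", "MaxProtocol = TLSv1.3\n"
    "Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256")
BOGUS_KEY = CAP_TO_TLS12.replace("MaxProtocol = TLSv1.2", "Ciphers = ECDHE-RSA-AES256-GCM-SHA384")
MISPLACED = "[default_conf]\n" + CAP_TO_TLS12.replace("[default_conf]\n", "")
```

Running lint_system_default over a live /etc/ssl/openssl.cnf before restarting the service catches both silent failures the thread went through; an empty list is the only result that means the settings will actually apply.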
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Patch added: "cap-to-tls1.2.patch"
   https://bugs.launchpad.net/ubuntu/bionic/+source/openssl/+bug/1832370/+attachment/5270755/+files/cap-to-tls1.2.patch
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Changed in: openssl (Ubuntu)
     Assignee: (unassigned) => Dimitri John Ledkov (xnox)
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Also affects: openssl (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Eoan)
   Importance: Undecided
     Assignee: Dimitri John Ledkov (xnox)
       Status: New

** Also affects: openssl (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: openssl (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Cosmic)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Disco)
   Importance: Undecided => High

** Changed in: openssl (Ubuntu Eoan)
   Importance: Undecided => High
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
In my tests, I used NGINX with these TLS-related params:

# grep -r ssl_ /etc/nginx/nginx.conf /etc/nginx/conf.d/ /etc/nginx/sites-enabled/
/etc/nginx/nginx.conf:	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
/etc/nginx/nginx.conf:	ssl_prefer_server_ciphers on;
/etc/nginx/conf.d/ssl.conf:ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
/etc/nginx/conf.d/ssl.conf:ssl_session_cache shared:SSL:1m;
/etc/nginx/conf.d/ssl.conf:ssl_session_timeout 1d;
/etc/nginx/conf.d/ssl.conf:ssl_session_tickets off;
/etc/nginx/conf.d/ssl.conf:ssl_certificate /etc/nginx/certs/sdeziel.info/fullchain.pem;
/etc/nginx/conf.d/ssl.conf:ssl_certificate_key /etc/nginx/certs/sdeziel.info/privkey.pem;
/etc/nginx/conf.d/ssl.conf:ssl_stapling on;

I used many variations of ssl_ciphers and ssl_protocols to no avail. My main goal is to have TLS 1.3 and 1.2 enabled with the cipher list from above, but that doesn't work, as seen here:
https://dev.ssllabs.com/ssltest/analyze.html?d=sdeziel.info=2001%3a470%3ab1c3%3a7942%3a0%3a0%3a0%3a80=on
[Bug 1832370] Re: Unable to configure or disable TLS 1.3 via openssl.cnf
** Tags added: rls-ee-incoming