[Bug 1874413] Re: openssl 1.1.1f-1ubuntu2 breaks some TLS connections
*** This bug is a duplicate of bug 1864689 *** https://bugs.launchpad.net/bugs/1864689 This might be a duplicate of bug #1864689 "openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689 https://github.com/openssl/openssl/issues/11236 pub.orcid.org is probably running CentOS 8 or RHEL 8 (educated guess based upon the HTTP Server header "nginx/1.16.1"). ** Bug watch added: github.com/openssl/openssl/issues #11236 https://github.com/openssl/openssl/issues/11236 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1874413 Title: openssl 1.1.1f-1ubuntu2 breaks some TLS connections To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1874413/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1874413] Re: openssl 1.1.1f-1ubuntu2 breaks some TLS connections
*** This bug is a duplicate of bug 1864689 *** https://bugs.launchpad.net/bugs/1864689 Hi, thanks for reporting this issue. This isn't caused by the patch for CVE-2020-1967, it is caused by OPENSSL_TLS_SECURITY_LEVEL=2 being set as the minimum security level. You can try it with a lowered security level by doing the following: curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://pub.orcid.org I believe it is caused by having an insecure SHA1 certificate in their chain: - Certificate[3] info: - subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20 UTC', pin-sha256="VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8=" As such, I am marking this as a dupe of bug 1864689, you can follow progress on the issue there. Thanks. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1967 ** This bug has been marked a duplicate of bug 1864689 openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1874413 Title: openssl 1.1.1f-1ubuntu2 breaks some TLS connections To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1874413/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1874413] Re: openssl 1.1.1f-1ubuntu2 breaks some TLS connections
** Description changed: On a machine with Ubuntu 20.04 and all available updates installed - (including openssl and libssl openssl 1.1.1f-1ubuntu2): + (including openssl and libssl1.1 1.1.1f-1ubuntu2): user@host:~$ curl 'https://pub.orcid.org/' curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure - - On the same machine, but with the openssl and libssl packages downgraded - to version 1.1.1c-1ubuntu4 from Ubuntu 19.10: + On the same machine, but with the openssl and libssl1.1 packages + downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10: user@host:~$ curl -I 'https://pub.orcid.org/' HTTP/1.1 302 Found Server: nginx/1.16.1 Date: Thu, 23 Apr 2020 09:34:38 GMT Location: https://pub.orcid.org/v3.0/ Transfer-Encoding: chunked Connection: Keep-Alive Set-Cookie: X-Mapping-fjhppofk=EDEB8B375DA428655747278237992826; path=/ - I've also checked this with machines running other distros (OpenWRT and Archlinux), and with those distros, the error occurs neither with - OpenSSL/libssl 1.1.1f nor with OpenSSL/libssl 1.1.1g. This leads me to - assume that the backported patch for CVE-2020-1967 in openssl/libssl 1.1 - .1f-1ubuntu2 is broken. + OpenSSL/libssl1.1 1.1.1f nor with OpenSSL/libssl1.1 1.1.1g. This leads + me to assume that the backported patch for CVE-2020-1967 in + openssl/libssl1.1 1.1.1f-1ubuntu2 is broken. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1874413 Title: openssl 1.1.1f-1ubuntu2 breaks some TLS connections To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1874413/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs