On Fri, Aug 05, 2022 at 00:35:32 -0000, Don wrote:
> It appears the issue is resolved in libssl3 3.0.4-1ubuntu1 from kinetic
> (in addition to enabling the legacy providers)

I installed a Kinetic test environment, and confirmed that I was able to connect to my Xenial tinc (1.0.26-1) instance successfully (with the legacy provider enabled).

I noticed that Jammy and Kinetic actually have the same exact tinc package, so I figure the difference in functionality must be in libssl3:

  Jammy:   pool/universe/t/tinc/tinc_1.0.36-2build1_amd64.deb
  Kinetic: pool/universe/t/tinc/tinc_1.0.36-2build1_amd64.deb

I experimented with downgrading the libssl3 package:

  libssl3
    3.0.5-2ubuntu1 (current latest version): worked
    3.0.4-1ubuntu1: worked
    3.0.3-5ubuntu3: got "Bogus data received from" error message again

Further experimentation running tinc with the OPENSSL_MODULES environment variable set confirmed that the tinc connection succeeds if libssl3 3.0.3-5ubuntu3 is installed but the ossl-modules/legacy.so file from 3.0.4-1ubuntu1 is used by the tincd process.

Cross-referencing the commit history for legacyprov.c with the git commit logs for changes between 3.0.3 and .4: https://github.com/openssl/openssl/compare/openssl-3.0.3...openssl-3.0.4 , I found the commit "Fix regression in default key length for Blowfish CFB and OFB ciphers"... which would seem to be the change that allows Tinc to work again (since Tinc 1.0.26 uses the Blowfish algorithm for the metadata connection).

  https://github.com/openssl/openssl/commit/1b8ef23e68b273bb5e59f60df62251153f24768d
  https://github.com/openssl/openssl/issues/18359
  "OpenSSL 3 cannot decrypt data encrypted with OpenSSL 1.1 with blowfish in OFB or CFB modes"

Finally, going back to the original issue on Jammy: I copied the ossl-modules/legacy.so taken from libssl3 3.0.5-2ubuntu1 over to my Jammy instance and pointed OPENSSL_MODULES to that file (in /etc/default/tinc)... and sure enough that allowed my Jammy Tinc node to connect to the Xenial Tinc node successfully as well....

** Bug watch added: github.com/openssl/openssl/issues #18359
   https://github.com/openssl/openssl/issues/18359

--
https://bugs.launchpad.net/bugs/1972939

Title:
  Jammy tinc incompatible with older (e.g. Xenial) tinc nodes

Status in Release Notes for Ubuntu:
  New
Status in openssl package in Ubuntu:
  New
Status in tinc package in Ubuntu:
  New

Bug description:
  The tinc included in Jammy (1.0.36-2build1 linked with libssl3) cannot connect to tinc nodes running e.g. tinc from Xenial (1.0.26-1). (Tinc from Impish, which is also v1.0.36-2 but is linked to libssl1.1, can connect to these nodes without problems.)

  The symptom is a log message (on the system running Jammy) during the metadata channel negotiation (with debug level set to 5):

  Error during initialisation of cipher from tinc_xenial [...] error:0308010C:digital envelope routines::unsupported
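
Added example, not part of the original message and not code from tinc, OpenSSL or Launchpad: a log triage helper that separates the two failure signatures quoted in this report, so a node that still fails cipher initialisation is not confused with one whose legacy.so predates the Blowfish key-length fix. The function names, diagnosis labels and exit codes are assumptions, the sample log lines are constructed, and reading the "unsupported" error as "legacy provider not loaded" is an interpretation of the report.

```shell
#!/bin/sh
# Added example. Classifies tinc debug-log lines by the two failure signatures
# quoted in this report; the newest signature seen for a peer wins.
# Exit status (hypothetical convention): 0 = neither signature seen,
# 10 = some peer still fails cipher init, 11 = peers only hit "Bogus data".
triage_tinc_log() {
    awk '
        # Signature from the bug description: EVP reports the cipher as unsupported.
        /Error during initialisation of cipher from / && /error:0308010C:/ {
            peer = $0
            sub(/.*Error during initialisation of cipher from /, "", peer)
            sub(/ .*/, "", peer)          # keep only the peer name
            state[peer] = "legacy-provider-not-loaded"
            next
        }
        # Signature seen with libssl3 3.0.3-5ubuntu3 and the legacy provider enabled.
        /Bogus data received from / {
            peer = $0
            sub(/.*Bogus data received from /, "", peer)
            sub(/ .*/, "", peer)
            state[peer] = "blowfish-keylen-regression"
        }
        END {
            rc = 0
            for (p in state) {
                print p, state[p]
                if (state[p] == "legacy-provider-not-loaded") rc = 10
                else if (rc == 0) rc = 11
            }
            exit rc
        }'
}

# Constructed sample log: timestamps, PIDs and the address are made up; only
# the two message texts come from the report.
sample_log() {
    cat <<'EOF'
2022-08-04 10:00:01 tinc.vpn[812]: Error during initialisation of cipher from tinc_xenial [...] error:0308010C:digital envelope routines::unsupported
2022-08-04 10:30:17 tinc.vpn[901]: Bogus data received from tinc_xenial (192.0.2.10 port 655)
EOF
}
```

Feed it a real log with `triage_tinc_log < LOGFILE`, where LOGFILE is wherever the node's debug-level-5 output is written.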