I have started bionic lxd container with nginx and snakeoil
certificates.
# patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx
And connect from the host system which has stock openssl.cnf
$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e
Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
^C
Back in the container
# patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx
Connecting to the container again externally:
$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e
Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
^C
# patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# systemctl restart nginx
So using the above patches to openssl.cnf I was able to reorder chipersuites of
stock bionic nginx, and cap to TLSv1.2.
So with attached
** Changed in: openssl (Ubuntu Bionic)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Disco)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Cosmic)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Eoan)
Assignee: Dimitri John Ledkov (xnox) => (unassigned)
** Changed in: openssl (Ubuntu Eoan)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832370
Title:
Unable to configure or disable TLS 1.3 via openssl.cnf
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
