[Freedombox-pkg-team] Bug#914931: [Pkg-openssl-devel] Bug#914931: pagekite: Fail to connect to pagekite.me services with openssl installed

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed Nov 28 21:59:31 GMT 2018


On 2018-11-28 21:25:45 [+0100], Petter Reinholdtsen wrote:
> The upgrade from openssl version 1.1.0h-4 to 1.1.1-1 breaks pagekite on
> the FreedomBox.  After a debug session with the pagekite author I
> discovered the reason is changes in /etc/ssl/openssl.cfg, which now
> block connection to the pagekite.net services.

nitpick, .cnf not cfg.

> The following change got the pagekite service working again.
> 
> The backdrop for this issue is that some of the pagekite.net servers are
> running fairly old software that can not be quickly reconfigured to work
> with newer versions of TLS.  This makes fixing it on the server side
> unlikely to happen any time soon.

The server still supports SSLv3. Even if nobody wants to touch the
server I would suggest that disabling SSLv3 be a priority.

> CC to the openssl and freedombox teams to make them aware of the issue.

We tried to cover this in
	/usr/share/doc/libssl1.1/NEWS.Debian.gz

> The following patch got pagekite working again:
> 
> diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
> index d155d1e..309081a 100644
> --- a/ssl/openssl.cnf
> +++ b/ssl/openssl.cnf
> @@ -351,12 +351,12 @@ ess_cert_id_chain = no    # Must the ESS cert id chain be included?
>                                 # (optional, default: no)
>  ess_cert_id_alg                = sha1  # algorithm to compute certificate
>                                 # identifier (optional, default: sha1)
> -[default_conf]
> -ssl_conf = ssl_sect
> -
> -[ssl_sect]
> -system_default = system_default_sect
> -
> -[system_default_sect]
> -MinProtocol = TLSv1.2
> -CipherString = DEFAULT at SECLEVEL=2
> +#[default_conf]
> +#ssl_conf = ssl_sect
> +#
> +#[ssl_sect]
> +#system_default = system_default_sect
> +#
> +#[system_default_sect]
> +#MinProtocol = TLSv1.2
> +#CipherString = DEFAULT at SECLEVEL=2
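Review bot: the hunk comments out the whole [default_conf] -> [ssl_sect] -> [system_default_sect] chain, so it also drops `CipherString = DEFAULT@SECLEVEL=2`, although the description above only identifies the TLS version floor as the problem; the narrower change is to keep the three sections and replace just the one line, `-MinProtocol = TLSv1.2` with `+MinProtocol = TLSv1`, leaving SECLEVEL=2 (minimum key sizes, no SSLv3) in force. Note also that `DEFAULT at SECLEVEL=2` in these lines is the list archive's address obfuscation of `DEFAULT@SECLEVEL=2`; the `@` form is what belongs in the file. The diff is against `ssl/openssl.cnf` in the source tree, whereas the file edited on the box is /etc/ssl/openssl.cnf as the report says.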

You might not need to get rid of everything. Judging by
	https://www.ssllabs.com/ssltest/analyze.html?d=pagekite.net

it might be enough to just allow TLS1.0. You might want to add this
override only for pagekite and not system wide.

Sebastian
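Following up on the suggestion to scope the override to pagekite rather than the whole system, here is an added example (not code from the bug report, from pagekite or from Debian's openssl package) of one way to do that with OpenSSL 1.1.1: derive a pagekite-only config from the system file that lowers MinProtocol to TLSv1 and keeps everything else, then point only pagekite's process at it through the OPENSSL_CONF environment variable, which libssl 1.1.1 consults when it auto-loads its configuration. The sample config text in the script is constructed so it runs offline; the paths /etc/pagekite.d/openssl.cnf and the systemd unit name pagekite.service are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report, pagekite or Debian's openssl
# package: build a pagekite-only OpenSSL config that lowers MinProtocol to
# TLSv1 and leaves /etc/ssl/openssl.cnf, and every other program, untouched.
set -eu

# Copy the system config and change only the MinProtocol line in
# [system_default_sect]; the CipherString/SECLEVEL line is kept as is.
#   $1 = source config (normally /etc/ssl/openssl.cnf), $2 = destination
make_pagekite_openssl_cnf() {
    sed -e 's/^MinProtocol *= *TLSv1\.2 *$/MinProtocol = TLSv1/' "$1" > "$2"
}

# Return 0 if the generated file has the TLSv1 floor, still carries
# SECLEVEL=2 and no longer contains the TLSv1.2 floor; 1 otherwise.
check_pagekite_openssl_cnf() {
    grep -q '^MinProtocol = TLSv1$' "$1" || return 1
    grep -q '^CipherString = DEFAULT@SECLEVEL=2$' "$1" || return 1
    ! grep -q '^MinProtocol = TLSv1\.2$' "$1"
}

# Constructed stand-in for the parts of Debian's 1.1.1-1 openssl.cnf that
# matter here, so the script runs without reading the real system file.
SAMPLE_SYSTEM_CNF=$(mktemp)
cat > "$SAMPLE_SYSTEM_CNF" <<'EOF'
# System default
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF

# Real deployment: PAGEKITE_CNF=/etc/pagekite.d/openssl.cnf (assumed path);
# here a temporary file keeps the example self-contained.
PAGEKITE_CNF=${PAGEKITE_CNF:-$(mktemp)}
make_pagekite_openssl_cnf "$SAMPLE_SYSTEM_CNF" "$PAGEKITE_CNF"
check_pagekite_openssl_cnf "$PAGEKITE_CNF"
echo "pagekite override written to $PAGEKITE_CNF"
```

To apply it on the FreedomBox, write the file to the assumed /etc/pagekite.d/openssl.cnf and add a systemd drop-in for the assumed pagekite.service (`systemctl edit pagekite`) containing `[Service]` followed by `Environment=OPENSSL_CONF=/etc/pagekite.d/openssl.cnf`, then restart the service. Every other program keeps the TLS 1.2 floor and SECLEVEL=2 from /etc/ssl/openssl.cnf, and the override goes away by deleting the drop-in once the pagekite.net servers no longer need it.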
