[Pkg-openssl-devel] Bug#789245: libssl1.0.0:amd64: libssl-1.0.1k-3+deb8u1 breaks stunnel4 STARTTLS connections
Christian Kujau
lists at nerdbynature.de
Fri Jun 19 06:08:31 UTC 2015
Package: libssl1.0.0
Version: 1.0.1k-3+deb8u1
Severity: normal
Dear Maintainer,
the last update for openssl/libssl has the following in its changelog:
> openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium
> * CVE-2015-4000: Have minimum of 768 bit for DH
Which is probably The Right Thing to do, but it breaks a stunnel4 client
connection to a STARTTLS SMTP server (that I have no control over):
=========================================
LOG5[28161]: Service [mailhost] accepted connection from ::1:58363
LOG6[28161]: s_connect: connecting mailhost:25
LOG5[28161]: s_connect: connected mailhost:25
LOG5[28161]: Service [mailhost] connected remote server from 127.0.0.1:54733
LOG6[28161]: SNI: sending servername: localhost
LOG3[28161]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
LOG5[28161]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
=========================================
The stunnel configuration can be found below. I was about to report this as a
bug against the stunnel4 package, but since the last libssl update "broke" it,
I decided to report it against libssl - feel free to re-assign.
I tried the following versions of libssl, with various results:
=== unstable =========================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.2c-1/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:39:30 LOG5[30390]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:39:30 LOG5[30390]: Running with OpenSSL 1.0.2c 12 Jun 2015
[...]
2015.06.18 22:40:00 LOG6[30424]: SNI: sending servername: localhost
2015.06.18 22:40:01 LOG3[30424]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
2015.06.18 22:40:01 LOG5[30424]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
=== jessie (latest, 1.0.1k-3+deb8u1) =================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-3+deb8u1/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:34:54 LOG5[30211]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:34:54 LOG5[30211]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:35:10 LOG6[30226]: SNI: sending servername: localhost
2015.06.18 22:35:11 LOG3[30226]: SSL_connect: 14082174: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
2015.06.18 22:35:11 LOG5[30226]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
=== jessie (1.0.1k-3) ================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-3/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:37:07 LOG5[30282]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:37:07 LOG5[30282]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:37:30 LOG6[30289]: SSL connected: new session negotiated
2015.06.18 22:37:30 LOG6[30289]: Negotiated TLSv1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)
2015.06.18 22:37:30 LOG6[30289]: Compression: null, expansion: null
=== jessie (1.0.1k-2) ================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-2/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:33:15 LOG5[30175]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:33:15 LOG5[30175]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:33:28 LOG6[30186]: SSL connected: new session negotiated
2015.06.18 22:33:28 LOG6[30186]: Negotiated TLSv1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)
2015.06.18 22:33:28 LOG6[30186]: Compression: null, expansion: null
======================================================================================
Some more notes on the stunnel4 package, from its manpage:
> DH PARAMETERS
> Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
> It is also possible to specify DH parameters in the certificate file:
> openssl dhparam 2048 >> stunnel.pem
But this is only possible when running stunnel4 in *server* mode - in client mode
(and without client certificates involved), I don't have any stunnel.pem
configured and thus cannot add any DH parameters. Or maybe it's possible, but I
could not find it documented.
Workaround:
1) Don't upgrade to 1.0.1k-3+deb8u1 :-)
2) Extract an older version of libssl, then use
   LD_LIBRARY_PATH=/path/to/older/version stunnel4 stunnel.conf
3) Use a non-DH cipher, if the server supports any. In my case, the
   following ciphers were supported by the server:
     AES128-SHA ***
     AES256-SHA ***
     DES-CBC3-SHA
     DES-CBC-SHA
     DHE-RSA-AES128-SHA
     DHE-RSA-AES256-SHA
     EDH-RSA-DES-CBC3-SHA
     EDH-RSA-DES-CBC-SHA
     EXP-DES-CBC-SHA
     EXP-EDH-RSA-DES-CBC-SHA
     EXP-RC4-MD5
     EXP-RC4-MD5
     RC4-MD5
     RC4-MD5
     RC4-SHA
   I went with AES128-SHA resp. AES256-SHA, I wanted to avoid RC4, DH (unusable),
   EXP (export) and DES. So, for stunnel, I added the following service-level
   option to the configuration file:
     ciphers = AES256-SHA
Thanks,
Christian.
============ stunnel.conf ===============
debug = 6
output = /home/christian/.log/stunnel.log
pid = /home/christian/.log/stunnel.pid
syslog = no
foreground = yes
[mailhost]
client = yes
accept = localhost:2024
connect = mailhost:25
protocol = smtp
============ stunnel.conf ===============
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-rc6 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libssl1.0.0:amd64 depends on:
ii debconf [debconf-2.0] 1.5.56
ii libc6 2.19-18
ii multiarch-support 2.19-18
libssl1.0.0:amd64 recommends no packages.
libssl1.0.0:amd64 suggests no packages.
-- debconf-show failed
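
The following is an added example, not part of the original report and not code from stunnel or OpenSSL. It joins the "dh key too small" error to its stunnel service via the id in `LOGn[id]`, then derives a `ciphers` value from the server's cipher list using the reporter's criteria (no DH, EXP, RC4 or DES); the function names and the embedded sample data are assumptions constructed from lines in the report.

```shell
#!/bin/sh
# Added example; the sample data below is constructed from lines in the report.

# Cipher names the reporter listed as supported by the server (duplicates dropped).
SERVER_CIPHERS="AES128-SHA AES256-SHA DES-CBC3-SHA DES-CBC-SHA DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 RC4-MD5 RC4-SHA"

# stunnel log excerpt in the format shown in the report.
SAMPLE_LOG='LOG5[28161]: Service [mailhost] accepted connection from ::1:58363
LOG6[28161]: SNI: sending servername: localhost
LOG3[28161]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small'

# Print why a cipher name is rejected; print nothing if it is acceptable.
# ECDHE names do not match "-DHE-" and are therefore not treated as finite-field DH.
reject_reason() {
    case "-$1-" in
        *-EXP-*)                        echo "export-grade" ;;
        *-DHE-*|*-EDH-*|*-ADH-*|*-DH-*) echo "finite-field DH" ;;
        *-RC4-*)                        echo "RC4" ;;
        *-DES-*|*-CBC3-*)               echo "DES/3DES" ;;
    esac
}

# Build the colon-separated value for stunnel's service-level "ciphers" option.
stunnel_ciphers() {
    out=""
    for c in $1; do
        if [ -z "$(reject_reason "$c")" ]; then out="${out:+$out:}$c"; fi
    done
    printf '%s\n' "$out"
}

# List the services whose handshake failed with "dh key too small". The error
# line carries no service name, so it is joined to the "Service [name]" line
# through the shared id in LOGn[id]. Assumes names of letters, digits, "_.-".
dh_failures() {
    printf '%s\n' "$1" | awk '
        match($0, /LOG[0-9]\[[0-9]+\]/) { id = substr($0, RSTART + 5, RLENGTH - 6) }
        match($0, /Service \[[A-Za-z0-9_.-]+\]/) { svc[id] = substr($0, RSTART + 9, RLENGTH - 10) }
        /dh key too small/ && (id in svc) && !seen[svc[id]]++ { print svc[id] }'
}

# Print a config stanza for each affected service.
for s in $(dh_failures "$SAMPLE_LOG"); do
    printf '[%s]\nciphers = %s\n' "$s" "$(stunnel_ciphers "$SERVER_CIPHERS")"
done
```

On the report's data this selects the two ciphers the reporter marked with `***`; the reporter then configured only AES256-SHA.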