[Pkg-openssl-devel] Bug#907049: Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

Kurt Roeckx kurt at roeckx.be
Thu Aug 23 21:20:04 BST 2018


clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI
thanks

On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
> 
> Hi,
> 
> I have got openssl 1.1.1~~pre9-1 as it has landed in sid. After upgrading,
> certain applications are not able to establish a connection.
> 
> Example of offlineimap:
> 
> ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and
Google sending an invalid certificate in case you use TLS 1.3 without SNI. I'm
cloning this bug for that.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
> 
> I went through the changelogs, but have not seen anything that would help me
> in debugging the issue. Interestingly, s_client and curl are able to
> establish a connection even with the new version. Maybe that can be related
> to a different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Does openvpn use DTLS? I'm guessing that setting any TLS setting
there is causing problems for anything using DTLS.

Can you try with:
MinProtocol = TLSv1

And with:
#MinProtocol = TLSv1.2

I assume the first will still fail, and the latter one will work.
And I'm currently unsure what to do about that, but there are
multiple options.


Kurt
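The SNI point raised above, as an added example that is not code from this thread or from offlineimap: a Python client that names the server before connecting so the ClientHello carries SNI, plus a check that a verifying context refuses to wrap a socket without a server name at all. The hostname imap.example.org is a placeholder.

```python
import socket
import ssl


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Verifying client context. check_hostname=True is what makes Python
    insist on a server_hostname, and therefore on sending SNI."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def make_legacy_context():
    """Context in the style of old clients: no hostname check, no verification.
    Such a context happily wraps a socket without any server name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def wrap_with_sni(ctx, host):
    """Attach TLS to a not-yet-connected socket, naming the server up front
    so the handshake will include an SNI extension for `host`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return ctx.wrap_socket(sock, server_hostname=host)


def wrap_without_sni(ctx):
    """The pattern that omits SNI. Returns the wrapped socket if the context
    allows the omission, or None if the context rejects it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return ctx.wrap_socket(sock)
    except ValueError:           # "check_hostname requires server_hostname"
        sock.close()
        return None


def sni_enforced(ctx):
    """True when the context will not let a client omit the server name."""
    s = wrap_without_sni(ctx)
    if s is None:
        return True
    s.close()
    return False


if __name__ == "__main__":
    print("verifying context enforces SNI:", sni_enforced(make_client_context()))
    print("legacy context enforces SNI:", sni_enforced(make_legacy_context()))
    s = wrap_with_sni(make_client_context(), "imap.example.org")
    print("SNI name on wrapped socket:", s.server_hostname)
    s.close()
```

No connection is made; the wrapped socket is only inspected, which is enough to see whether the client would send a server name.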
