[Pkg-openssl-devel] Bug#907049: Bug#907049: openssl: Update to 1.1.1~~pre9-1 makes certain programs unusable

[Kurt Roeckx]

clone 907049 -1
reassign -1 offlineimap
severity -1 serious
retitle -1 offlineimap: Not using SNI
thanks

On Thu, Aug 23, 2018 at 02:54:36PM +0200, Antonin Kral wrote:
> Package: openssl
> Version: 1.1.1~~pre9-1
> Severity: critical
> Justification: renders other packages unusable
> 
> Hi,
> 
> I have got openssl 1.1.1~~pre9-1 as it is landed in sid. After upgrading 
> certain applications are not able to establish connection. 
> 
> Example of offlineimap:
> 
> ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'showmax-remote'. OpenSSL responded:
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

This is most likely caused by offlineimap not using SNI and
google sending an invalid in case you use TLS 1.3 without SNI. I'm
cloning this bug issue for that.

> Thu Aug 23 14:46:07 2018 OpenSSL: error:1425F18C:SSL routines:ssl_choose_client_version:version too low
> Thu Aug 23 14:46:07 2018 TLS_ERROR: BIO read tls_read_plaintext error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS object -> incoming plaintext read error
> Thu Aug 23 14:46:07 2018 TLS Error: TLS handshake failed
> 
> I went through changelogs, but was not seen anything what would help me 
> in debugging the issue. Interestingly s_client and curl is able to 
> establish a connection even with new version. Maybe that can be related 
> to different default cipher_set?

This is most likely caused by this in /etc/ssl/openssl.cnf:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT at SECLEVEL=2

Does openvpn use DTLS? I'm guessing that setting any TLS setting
there is causing problems for anything using DTLS.

Can you try with:
MinProtocol = TLSv1

And with:
#MinProtocol = TLSv1.2

I assume the first will still fail, and the later one will work.
And I'm currently unsure what to do about that, but there are
multiple options.


Kurt