Your message dated Mon, 29 Oct 2018 00:09:58 +0000
with message-id <[email protected]>
and subject line Bug#911389: fixed in openssl 1.1.1-2
has caused the Debian Bug report #911389,
regarding libssl1.1: loss of WLAN connectivity after upgrading; it's not the library's job to disable TLSv1.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
911389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911389
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.1
Version: 1.1.1-1
Severity: grave
Justification: renders package unusable

I have the following stanza in my /etc/network/interfaces:

iface tarent-lan inet dhcp
	wireless-mode Managed
	wireless-essid tarent-lan
	wpa-ssid tarent-lan
	wpa-key-mgmt WPA-EAP
	wpa-identity tglase
	wpa-password XXX
	# wpa-eap PEAP TTLS
	# wpa-phase2 auth=MSCHAPV2 autheap=MSCHAPV2

Either without or with the last two lines, I can no longer use
“sudo ifup wlan0=tarent-lan” to connect to our WLAN:

[  106.016581] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Internet Systems Consortium DHCP Client 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/00:1f:3b:0d:cb:b1
Sending on   LPF/wlan0/00:1f:3b:0d:cb:b1
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 7
[  110.435975] wlan0: authenticate with 34:fc:b9:60:71:52
[  110.447304] wlan0: send auth to 34:fc:b9:60:71:52 (try 1/3)
[  110.452025] wlan0: authenticated
[  110.460168] wlan0: associate with 34:fc:b9:60:71:52 (try 1/3)
[  110.465089] wlan0: RX AssocResp from 34:fc:b9:60:71:52 (capab=0x1011 status=0 aid=8)
[  110.498183] wlan0: associated
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 9
[  115.610155] wlan0: deauthenticating from 34:fc:b9:60:71:52 by local choice (Reason: 3=DEAUTH_LEAVING)
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 12
[  128.126656] wlan0: authenticate with 34:fc:b9:60:71:42
[  128.135979] wlan0: send auth to 34:fc:b9:60:71:42 (try 1/3)
[  128.252372] wlan0: send auth to 34:fc:b9:60:71:42 (try 2/3)
[  128.360349] wlan0: send auth to 34:fc:b9:60:71:42 (try 3/3)
[  128.484364] wlan0: authentication with 34:fc:b9:60:71:42 timed out
[  128.679388] wlan0: authenticate with 34:fc:b9:60:71:22
[  128.679459] wlan0: send auth to 34:fc:b9:60:71:22 (try 1/3)
[  128.689598] wlan0: authenticated
[  128.700133] wlan0: associate with 34:fc:b9:60:71:22 (try 1/3)
[  128.708624] wlan0: RX AssocResp from 34:fc:b9:60:71:22 (capab=0x1431 status=0 aid=3)
[  128.737852] wlan0: associated
[  132.591116] wlan0: deauthenticated from 34:fc:b9:60:71:22 (Reason: 3=DEAUTH_LEAVING)
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 19

A colleague forwarded me the relevant RADIUS server logs:

Wed Oct 17 14:59:48 2018 : Error: rlm_eap: SSL error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I’ve downgraded libssl1.1 (and openssl) to 1.1.0g-2 (temporarily
breaking Python 3.6 and 3.7 in the process) and, voilà, I can connect.

┌─────────────────────────────────────────────────────────┐
│ IT IS *NOT* THE JOB OF THE OPENSSL *LIBRARY* TO DISABLE │
│ OLD PROTOCOL VERSIONS AS IT’S USED FOR *MORE* THAN JUST │
│ WEBSERVERS AND WEBBROWSERS!                             │
└─────────────────────────────────────────────────────────┘

Perhaps there may be reasons against using a number of older standards,
but most of them are only exploitable if the client is a web browser
capable of running ECMAscript. This is comparable with RC4 being bad
in WEP but not in aRC4random because of how it is used.

OpenSSL is not just used in webservers (and, to a lesser extent, HTTPS
clients), but also for things like SMTP (I *do* have much more trouble
with STARTTLS connections than a year or two ago), IMAP (had to manually
hack something there, too), and worst of all, WPA.

┌─────────────────────────────────────────────────────────┐
│ Especially in the WPA case, CONNECTIVITY IS *MUCH* MORE │
│ IMPORTANT THAN SECURITY because I run SSL, SSH or VPN   │
│ over wireless connections already *anyway*!             │
└─────────────────────────────────────────────────────────┘

Loss of being able to connect to arbitrary WLANs “out in the field”,
especially given no other solution to connect to them (even to
download the older OpenSSL I had to connect to a different network
first) is a CATASTROPHIC LOSS OF FUNCTIONALITY.

Protocol ossification is a fact that we *have* to live with and accept.

What if I had been at a customer’s site? That would have utterly blamed
OSS and GNU/Linux. That could have caused my employer more than just
extra money. What if I had needed to use the WLAN to send an emergency
call?

tl;dr: Because OpenSSL is also used in non-Web scenarios, it absolutely
MUST NOT disable the older algorithms. Rather, end-user applications
(servers, clients, …) using OpenSSL need to provide knobs to configure
TLS versions, ciphersuites, etc. if they so wish, and the default MUST
be compatible. Things like Apache etc. already contain the necessary
knobs, have so for decades, so it’s up to those packages to contain
suitable settings. Things like wpa_supplicant-run-via-ifupdown do not.
(It was hard enough getting it to work *at all* in the first place.)

This is *vital* to being able to continue using Debian in a
professional workplace environment.

Thank you for listening.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
--- End Message ---
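The report above boils down to a library-wide floor (minimum TLS version and OpenSSL security level) that wpa_supplicant, started from ifupdown, has no knob for. Before blaming the RADIUS server or the driver, a practitioner wants two things: a way to read what the distribution's openssl.cnf actually imposes on every libssl user, and a way to lower that floor for the one process that needs it instead of editing /etc/ssl/openssl.cnf for the whole system. The script below is an added example written for this thread; it is not code from the bug report, from wpa_supplicant or from the Debian openssl package. It assumes the 1.1.1 config layout (an `openssl_conf` entry leading to `ssl_conf` and a `[system_default_sect]` carrying `MinProtocol` and `CipherString`), that OpenSSL honours the `OPENSSL_CONF` environment variable for the target process (it does not for set-uid programs), and that the environment is inherited by the wpa_supplicant process that ifupdown spawns. The sample openssl.cnf it parses is constructed here to mirror what the 1.1.1 package sets, not copied from the package.

```shell
#!/bin/sh
# Added example for Debian #911389; not from the bug report, wpa_supplicant
# or the Debian openssl package.
#   ossl_system_default  - read the MinProtocol / CipherString floor that an
#                          openssl.cnf imposes on every libssl consumer.
#   write_relaxed_cnf    - write a minimal openssl.cnf that lowers the floor
#                          to TLS 1.0 / SECLEVEL=1 for ONE process, selected
#                          by pointing OPENSSL_CONF at it (assumption: the
#                          process is not set-uid, where OpenSSL ignores
#                          OPENSSL_CONF).

# Print "Key=Value" lines of one section of an OpenSSL config file.
# $1 = config file, $2 = section name without brackets.
ossl_section() {
    sed -n "/^[[:space:]]*\\[[[:space:]]*$2[[:space:]]*]/,/^[[:space:]]*\\[/p" "$1" |
        sed -e '1d' -e '/^[[:space:]]*\[/d' \
            -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# Value of key $2 in [system_default_sect] of file $1, or "unset".
# A key defined twice keeps the later value, as OpenSSL's parser does.
ossl_system_default() {
    v=$(ossl_section "$1" system_default_sect | sed -n "s/^$2=//p" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'unset\n'
    fi
}

# Write a self-contained openssl.cnf ($1) whose only job is to set the
# library defaults back to TLS 1.0 / SECLEVEL=1. No [req]/[ca] sections:
# a library consumer such as wpa_supplicant never reads them.
write_relaxed_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# TLSv1 re-allows TLS 1.0 and 1.1; SECLEVEL=1 re-allows 1024-bit RSA/DH and
# SHA-1-signed certificates that level 2 rejects. Only the process started
# with OPENSSL_CONF pointing at this file sees these values.
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# Demo on a constructed sample of what the 1.1.1 openssl.cnf sets
# (constructed here, not the file shipped by the package).
tmp=$(mktemp -d)
cat > "$tmp/system.cnf" <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2   # raised in 1.1.1
[req]
default_bits = 2048
EOF
printf 'system floor: MinProtocol=%s CipherString=%s\n' \
    "$(ossl_system_default "$tmp/system.cnf" MinProtocol)" \
    "$(ossl_system_default "$tmp/system.cnf" CipherString)"

write_relaxed_cnf "$tmp/wpa-openssl.cnf"
printf 'per-process:  MinProtocol=%s CipherString=%s\n' \
    "$(ossl_system_default "$tmp/wpa-openssl.cnf" MinProtocol)" \
    "$(ossl_system_default "$tmp/wpa-openssl.cnf" CipherString)"
# Real use (not run here); path and flags are illustrative:
#   OPENSSL_CONF=/etc/wpa_supplicant/openssl.cnf wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
rm -rf "$tmp"
```

Run the first helper against the file that `openssl version -d` points to (plus `/openssl.cnf`) to confirm the floor on the upgraded machine; if it reports `TLSv1.2` and `SECLEVEL=2`, a RADIUS server that only speaks TLS 1.0, or presents a 1024-bit or SHA-1 certificate, will fail exactly as in the report. The relaxed file deliberately re-enables those weaker parameters, so keep it scoped to the one process via `OPENSSL_CONF` rather than editing the system file, and drop it once the RADIUS side is upgraded. Newer wpa_supplicant releases also document a per-network `phase1="tls_disable_tlsv1_0=0"` setting (exposed by the ifupdown integration as `wpa-phase1`) that re-enables TLS 1.0 from the application side; which release first shipped it is not established by this thread, so check the wpa_supplicant.conf documentation for your version before relying on it.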
--- Begin Message ---
Source: openssl
Source-Version: 1.1.1-2

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Oct 2018 23:52:24 +0100
Source: openssl
Binary: openssl libssl1.1 libcrypto1.1-udeb libssl1.1-udeb libssl-dev libssl-doc
Architecture: source
Version: 1.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.1  - Secure Sockets Layer toolkit - shared libraries
 libssl1.1-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 875423 907631 910459 911389 912067
Changes:
 openssl (1.1.1-2) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Add Breaks on isync (See: #906955)
   * Fix autopkgtest (Closes: #910459)
 .
   [ Kurt Roeckx ]
   * Add Breaks on python-imaplib2 (See: #907079)
   * Add news entry regarding default TLS version and security level
     (Closes: #875423, #907631, #911389, #912067).
Checksums-Sha1:
 370f2c56271d1c5921ada195bfaf09f6bd9f3b7e 2604 openssl_1.1.1-2.dsc
 6dbb33fedf6ed9f1252a5a7095c9b884874977e1 83652 openssl_1.1.1-2.debian.tar.xz
 b43ed1e8312efd4b9fab2cf03426f67471e72932 6132 openssl_1.1.1-2_source.buildinfo
Checksums-Sha256:
 04fc6eda57fbf20b6341c846e99c2b5fea1ea8f681bc714bb59929c688d80a85 2604 openssl_1.1.1-2.dsc
 41bb79d0b716aa93d18f6067d5a0aad9890abc09ddd6de893ea1ec6074ec597c 83652 openssl_1.1.1-2.debian.tar.xz
 cd735f1646ece28cebbe2f0efcff70b0eedeca8dc1783957fc1413a891e31b3e 6132 openssl_1.1.1-2_source.buildinfo
Files:
 d0aa78dc70ad3917f5bc4ce69ccaa70e 2604 utils optional openssl_1.1.1-2.dsc
 22b32e1a29a07abcadd4d0d32494c6f8 83652 utils optional openssl_1.1.1-2.debian.tar.xz
 2f247508a54703cce0b613116a9f0e68 6132 utils optional openssl_1.1.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZCVGlf/wqkRmzBnme5boFiqM9dEFAlvWQQAACgkQe5boFiqM
9dEasQ//X8uupZGXRcVRUVqmSKRXhu4mq/MXSAsbvBOWVmqAFHarxKJdyRrPViQK
qH2zOvHr8AtAEXPJjvTcI9zN1vtcvw3TVpElqMyWabOfyxEiHRdUU0uEco7CiUla
Li4nbJYg6MMPNGy0c+G7yOkYGwDxazONvt7rTZ5sO0zrnVSvK9eSPi5HgcQzpigm
ZHdyTpbXU/K1bP3u9357Onw6q4DT3IGgzTfc1zK5W1pQaQSb4wxkZF1pyrPVHizm
WNKhb5Q0lLeg0xh2x0G9SnxD5o2wIz2zmn7vgJ666PEwDeI+TRvLgrrIAvotuNJb
H2m4x/M5fJVbaO6s0Ck8HIUV/0X7r6anMo4h7G2PC5Yhux7f8nMHBxcWkjvzM6JW
n4aLXhfkOxp2Jj9TVOZ6rLtUD6tdDyFNGRAV0TOzediV+JntGFCMMMax0o4ACbm6
9OyXWnZLCTltzpPAdgb1WQ/vfwJKrCaAnRb5xjTPEkE9bln7b7zvhY3OTsXFBKKW
3owN/ieFMSJsMqn0kH8uR2kG/aWry4zuT7U/lH7CHxciILmC5WH8VdOuT0swWU+/
3Q9iV+urKTvCvOYk8MhywRN1AToOoyh0m1B5FXVeRZWinA61ZGKuU6D1SleCPKLv
i4WOTQVm7do9KFOckoBfQbGlLVqBXZcrDln6TVhgrhu9P241DCg=
=vDtH
-----END PGP SIGNATURE-----
--- End Message ---

