Re: ssl issues are Eating me alive.

On Sat, Apr 15, 2017 at 08:11:13PM +0300, Reco wrote:

Hi,

> AFAIK jessie is the last Debian release that provides curl linked with
> openssl.

We've three flavours of libcurl in the archive and the current "default" is the one linked against openssl.

  libcurl3        - easy-to-use client-side URL transfer library (OpenSSL flavour)
  libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
  libcurl3-nss    - easy-to-use client-side URL transfer library (NSS flavour)

That's also the case for wheezy and I did not check older releases, but it's been like that for a few years. The curl binary itself is built against libcurl3 - so the openssl flavour. That is also the case for the upcoming stretch release.

Sven
Re: ssl issues are Eating me alive.

On Thu, Apr 13, 2017 at 09:04:01PM +0100, Darac Marjal wrote:
> It looks[1] like Squid can do SSL Interception. I imagine it should be
> possible, therefore, for squid to perform the HTTPS connection and
> either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV

Well, automatic downgrade to HTTP could work, not sure how to implement it, but often you'll experience issues due to missing SNI support. For example, in the case of elinks you can find the following open wishlist bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797968

So that issue will continue to exist in stretch, but that's not the fault of GNUTLS but an application issue.

In regards to cipher support, at least GNUTLS from jessie should work with most public sites. For wheezy the situation might be more complicated.

Regarding Squid, I *think* it's also missing SNI support at the moment, and for sure in wheezy.

Long story short: you need a somewhat recent GNUTLS release (jessie should be fine) and application-level support on par with that.

Sven
Re: ssl issues are Eating me alive.

Hi.

On Sat, 15 Apr 2017 15:14:29 + (UTC)
david...@freevolt.org wrote:

> On Fri, 14 Apr 2017, Reco wrote:
>
> > Hi.
> >
> > On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
> >> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> >>> This started out a year or so ago with the occasional site in
> >>> which lynx would report that it was unable to establish a TLS
> >>> connection with this or that site. [...]
> >>
> >> It's not just lynx. It's EVERY single terminal-based browser, and
> >> as you noticed, it gets worse every day.
> >>
> >> Apparently all of the terminal-based browsers in wheezy and jessie are
> >> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> >> provided by jessie) is completely incapable of forming an SSL connection
> >> with half of the Web.
> >
> > There's one notable exception to this in jessie and it's called w3m.
> >
> > $ ldd /usr/bin/w3m | grep ssl
> >         libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
>
> In wheezy (at least) I've noticed that curl can also cope, when lynx
> (and wget) cannot.

AFAIK jessie is the last Debian release that provides curl linked with
openssl.

Reco
Re: ssl issues are Eating me alive.

On Fri, 14 Apr 2017, Reco wrote:

> Hi.
>
> On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
>> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
>>> This started out a year or so ago with the occasional site in
>>> which lynx would report that it was unable to establish a TLS
>>> connection with this or that site. [...]
>>
>> It's not just lynx. It's EVERY single terminal-based browser, and
>> as you noticed, it gets worse every day.
>>
>> Apparently all of the terminal-based browsers in wheezy and jessie are
>> linked with libgnutls instead of libopenssl, and libgnutls (at least as
>> provided by jessie) is completely incapable of forming an SSL connection
>> with half of the Web.
>
> There's one notable exception to this in jessie and it's called w3m.
>
> $ ldd /usr/bin/w3m | grep ssl
>         libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

In wheezy (at least) I've noticed that curl can also cope, when lynx
(and wget) cannot.
Re: ssl issues are Eating me alive.

Hi.

On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> > This started out a year or so ago with the occasional site in
> > which lynx would report that it was unable to establish a TLS
> > connection with this or that site. [...]
>
> It's not just lynx. It's EVERY single terminal-based browser, and
> as you noticed, it gets worse every day.
>
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.

There's one notable exception to this in jessie and it's called w3m.

$ ldd /usr/bin/w3m | grep ssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

Reco
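Reco's ldd check above, and the three libcurl flavours Sven lists, generalised into a small script (an added example, not code from the thread or from Debian): it classifies a binary's TLS backend as OpenSSL, GnuTLS or NSS from its ldd output, so you can see at a glance which terminal browsers share the GnuTLS failure mode. The soname patterns, the program list and the sample ldd output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report which TLS backend a binary is dynamically linked
# against, using the same "ldd | grep" idea as the w3m check in the thread.
# Soname patterns are an assumption based on Debian wheezy/jessie naming.

# classify_tls_backend: read ldd output on stdin and print exactly one of
# openssl / gnutls / nss / none. OpenSSL is tested first; a binary that pulls
# in both (e.g. via libcurl3-gnutls plus libssl) is reported as openssl.
classify_tls_backend() {
    input=$(cat)
    case "$input" in
        *libssl.so*)   echo openssl ;;
        *libgnutls*)   echo gnutls ;;   # covers libgnutls.so.NN and libgnutls-openssl
        *libnss3.so*)  echo nss ;;
        *)             echo none ;;
    esac
}

# Constructed sample ldd output for an OpenSSL-linked binary (the w3m line
# from the thread plus unrelated libraries).
SAMPLE_OPENSSL='	linux-vdso.so.1 (0x00007ffd00000000)
	libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Constructed sample for a GnuTLS-linked binary such as lynx on jessie.
SAMPLE_GNUTLS='	libgnutls.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls.so.28 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# report_binary: run ldd on an installed program and print "<name>: <backend>",
# or "<name>: not installed" when the program is absent from PATH.
report_binary() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    backend=$(ldd "$path" 2>/dev/null | classify_tls_backend)
    echo "$1: $backend"
}

# Scan the terminal clients named in the thread when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    for prog in lynx elinks w3m curl wget; do
        report_binary "$prog"
    done
fi
```

Note that ldd only tells you which library is linked; whether the application actually sends SNI, which Sven points to as the elinks problem, is an application-level matter that this check cannot see.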
Re: ssl issues are Eating me alive.

Greg Wooledge writes:
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.
>
> Every time someone in IRC pastes an https://* link, it's a roll of the
> dice whether I'll be able to open it in elinks. https://paste.debian.net/
> is one example of a site that does not work. If you remove the 's'
> and just go to http://paste.debian.net/ it's fine.
>
> Most other paste sites don't offer a working option like that.

Yup. The one I needed to go to didn't. At least I don't feel like I just failed to keep something up to date or am doing something stupid, so I feel a little better. Who knows? It might get fixed one day.

Thank you.

Martin
Re: ssl issues are Eating me alive.

It looks[1] like Squid can do SSL Interception. I imagine it should be
possible, therefore, for squid to perform the HTTPS connection and
either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV

[1] http://wiki.squid-cache.org/Features/HTTPS

On 13/04/17 18:01, Greg Wooledge wrote:
> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
>> This started out a year or so ago with the occasional site in
>> which lynx would report that it was unable to establish a TLS
>> connection with this or that site. [...]
>
> It's not just lynx. It's EVERY single terminal-based browser, and
> as you noticed, it gets worse every day.
>
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.
>
> Every time someone in IRC pastes an https://* link, it's a roll of the
> dice whether I'll be able to open it in elinks. https://paste.debian.net/
> is one example of a site that does not work. If you remove the 's'
> and just go to http://paste.debian.net/ it's fine.
>
> Most other paste sites don't offer a working option like that.
Re: ssl issues are Eating me alive.

On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> This started out a year or so ago with the occasional site in
> which lynx would report that it was unable to establish a TLS
> connection with this or that site. [...]

It's not just lynx. It's EVERY single terminal-based browser, and
as you noticed, it gets worse every day.

Apparently all of the terminal-based browsers in wheezy and jessie are
linked with libgnutls instead of libopenssl, and libgnutls (at least as
provided by jessie) is completely incapable of forming an SSL connection
with half of the Web.

Every time someone in IRC pastes an https://* link, it's a roll of the
dice whether I'll be able to open it in elinks. https://paste.debian.net/
is one example of a site that does not work. If you remove the 's'
and just go to http://paste.debian.net/ it's fine.

Most other paste sites don't offer a working option like that.