Re: ssl isues are Eating me alive.

2017-04-17 Thread Sven Hoexter
On Sat, Apr 15, 2017 at 08:11:13PM +0300, Reco wrote:

Hi,

> AFAIK jessie is the last Debian release that provides curl linked with
> openssl.

We have three flavours of libcurl in the archive, and the current "default"
is the one linked against openssl.
libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)

That's also the case for wheezy. I did not check older releases, but it's
been like that for a few years.

The curl binary itself is built against libcurl3, so the openssl flavour.
That is also the case for the upcoming stretch release.

Sven



Re: ssl isues are Eating me alive.

2017-04-17 Thread Sven Hoexter
On Thu, Apr 13, 2017 at 09:04:01PM +0100, Darac Marjal wrote:
> It looks[1] like Squid can do SSL Interception. I imagine it should be
> possible, therefore, for squid to perform the HTTPS connection and
> either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV

Well, automatic downgrade to HTTP could work (not sure how to implement it),
but often you'll experience issues due to missing SNI support.
For example in the case of elinks you can find the following open wishlist bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797968
So that issue will continue to exist in stretch but that's not the fault of
GNUTLS but an application issue.

In regard to cipher support, at least GNUTLS from jessie should work with
most public sites. For wheezy the situation might be more complicated.

Regarding Squid I *think* it's also missing SNI support at the moment and
for sure in wheezy.

Long story short: you need a somewhat recent GNUTLS release (jessie should
be fine) and application-level support on par with that.

Sven
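As an added illustration (not from this thread or from any of the tools named in it): the SNI extension that Sven says elinks and old Squid do not send, built into a minimal ClientHello and parsed back out, so that a defender looking at a captured handshake can tell whether the client named the host it wanted. The cipher suite value and the host name are constructed sample values.

```python
import struct

def build_client_hello(server_name=None):
    """Return a minimal TLS 1.2 ClientHello record, optionally carrying an
    SNI extension. Constructed for illustration: one cipher suite, an
    all-zero random and an empty session id."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # server_name extension (type 0): a list of (name_type=0, length, host)
        name_list = struct.pack("!BH", 0, len(host)) + host
        body = struct.pack("!H", len(name_list)) + name_list
        exts += struct.pack("!HH", 0, len(body)) + body
    hello = b"\x03\x03" + bytes(32)               # client_version, random
    hello += b"\x00"                              # empty session id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (sample value)
    hello += b"\x01\x00"                          # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello      # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record layer: handshake

def extract_sni(record):
    """Walk a ClientHello record and return the SNI host name, or None when
    the client sent no server_name extension (the elinks/Squid case)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    p += 1 + record[p]                 # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + cs_len                    # cipher suites
    p += 1 + record[p]                 # compression methods
    if p >= len(record):
        return None                    # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:
            # skip list length (2) and name_type (1), then read the name length
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode("idna")
        p += elen
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("paste.debian.net")))  # paste.debian.net
    print(extract_sni(build_client_hello()))                    # None
```

A server hosting several names behind one address picks its certificate from this value; a client that omits it gets the default certificate, which is why the handshake then fails on name mismatch.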



Re: ssl isues are Eating me alive.

2017-04-15 Thread Reco
Hi.

On Sat, 15 Apr 2017 15:14:29 +0000 (UTC)
david...@freevolt.org wrote:

> On Fri, 14 Apr 2017, Reco wrote:
> 
> > Hi.
> >
> > On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
> >> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> >>> This started out a year or so ago with the occasional site in
> >>> which lynx would report that it was unable to establish a TLS
> >>> connection with this or that site. [...]
> >>
> >> It's not just lynx.  It's EVERY single terminal-based browser, and
> >> as you noticed, it gets worse every day.
> >>
> >> Apparently all of the terminal-based browsers in wheezy and jessie are
> >> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> >> provided by jessie) is completely incapable of forming an SSL connection
> >> with half of the Web.
> >
> > There's one notable exception to this in jessie and it's called w3m.
> >
> > $ ldd /usr/bin/w3m | grep ssl
> >libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
> 
> In wheezy (at least) I've noticed that curl can also cope, when lynx
> (and wget) cannot.

AFAIK jessie is the last Debian release that provides curl linked with
openssl.

Reco



Re: ssl isues are Eating me alive.

2017-04-15 Thread davidson
On Fri, 14 Apr 2017, Reco wrote:

> Hi.
>
> On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
>> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
>>> This started out a year or so ago with the occasional site in
>>> which lynx would report that it was unable to establish a TLS
>>> connection with this or that site. [...]
>>
>> It's not just lynx.  It's EVERY single terminal-based browser, and
>> as you noticed, it gets worse every day.
>>
>> Apparently all of the terminal-based browsers in wheezy and jessie are
>> linked with libgnutls instead of libopenssl, and libgnutls (at least as
>> provided by jessie) is completely incapable of forming an SSL connection
>> with half of the Web.
>
> There's one notable exception to this in jessie and it's called w3m.
>
> $ ldd /usr/bin/w3m | grep ssl
>    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

In wheezy (at least) I've noticed that curl can also cope, when lynx
(and wget) cannot.



Re: ssl isues are Eating me alive.

2017-04-14 Thread Reco
Hi.

On Thu, Apr 13, 2017 at 01:01:24PM -0400, Greg Wooledge wrote:
> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> > This started out a year or so ago with the occasional site in
> > which lynx would report that it was unable to establish a TLS
> > connection with this or that site. [...]
> 
> It's not just lynx.  It's EVERY single terminal-based browser, and
> as you noticed, it gets worse every day.
> 
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.

There's one notable exception to this in jessie and it's called w3m.

$ ldd /usr/bin/w3m | grep ssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0

Reco



Re: ssl isues are Eating me alive.

2017-04-13 Thread Martin McCormick
Greg Wooledge  writes:
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.
> 
> Every time someone in IRC pastes an https://* link, it's a roll of the
> dice whether I'll be able to open it in elinks.  https://paste.debian.net/
> is one example of a site that does not work.  If you remove the 's'
> and just go to http://paste.debian.net/ it's fine.
> 
> Most other paste sites don't offer a working option like that.

Yup. The one I needed to go to didn't.

At least I don't feel like I just failed to keep
something up to date or am doing something stupid so I feel a
little better. Who knows? It might get fixed one day.

Thank you.

Martin



Re: ssl isues are Eating me alive.

2017-04-13 Thread Darac Marjal
It looks[1] like Squid can do SSL Interception. I imagine it should be
possible, therefore, for squid to perform the HTTPS connection and
either downgrade it to HTTP or to re-encrypt it with a lower grade. YMMV


[1] http://wiki.squid-cache.org/Features/HTTPS

On 13/04/17 18:01, Greg Wooledge wrote:
> On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
>> This started out a year or so ago with the occasional site in
>> which lynx would report that it was unable to establish a TLS
>> connection with this or that site. [...]
> It's not just lynx.  It's EVERY single terminal-based browser, and
> as you noticed, it gets worse every day.
>
> Apparently all of the terminal-based browsers in wheezy and jessie are
> linked with libgnutls instead of libopenssl, and libgnutls (at least as
> provided by jessie) is completely incapable of forming an SSL connection
> with half of the Web.
>
> Every time someone in IRC pastes an https://* link, it's a roll of the
> dice whether I'll be able to open it in elinks.  https://paste.debian.net/
> is one example of a site that does not work.  If you remove the 's'
> and just go to http://paste.debian.net/ it's fine.
>
> Most other paste sites don't offer a working option like that.
>



Re: ssl isues are Eating me alive.

2017-04-13 Thread Greg Wooledge
On Thu, Apr 13, 2017 at 11:54:32AM -0500, Martin McCormick wrote:
> This started out a year or so ago with the occasional site in
> which lynx would report that it was unable to establish a TLS
> connection with this or that site. [...]

It's not just lynx.  It's EVERY single terminal-based browser, and
as you noticed, it gets worse every day.

Apparently all of the terminal-based browsers in wheezy and jessie are
linked with libgnutls instead of libopenssl, and libgnutls (at least as
provided by jessie) is completely incapable of forming an SSL connection
with half of the Web.

Every time someone in IRC pastes an https://* link, it's a roll of the
dice whether I'll be able to open it in elinks.  https://paste.debian.net/
is one example of a site that does not work.  If you remove the 's'
and just go to http://paste.debian.net/ it's fine.

Most other paste sites don't offer a working option like that.