[Touch-packages] [Bug 1356843] Re: ccs received early errors after openssl security update

2014-08-18 Thread Marc Deslauriers
There also is an issue with the openssl package in Lucid, which was worked 
around with the postfix fix.
Adding openssl to this bug since it's better if we fix both.

** Also affects: openssl (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: postfix (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Changed in: openssl (Ubuntu Precise)
   Status: New => Invalid

** Changed in: openssl (Ubuntu)
   Status: New => Invalid

** Changed in: openssl (Ubuntu Lucid)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu Lucid)
   Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: postfix (Ubuntu Lucid)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1356843

Title:
  ccs received early errors after openssl security update

Status in “openssl” package in Ubuntu:
  Invalid
Status in “postfix” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Confirmed
Status in “postfix” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Invalid
Status in “postfix” source package in Precise:
  Fix Released

Bug description:
  SRU request:

  [Impact]

  The CVE-2014-0224 update for openssl will now reject CCS messages when
  they are received before encryption is negotiated. This has caused an
  issue for certain sites attempting to send mail to Ubuntu 12.04
  servers running postfix. It turns out there is an incompatibility
  between postfix in Ubuntu 12.04 and openssl in 12.04 that mishandles
  session ids. This was fixed in Postfix 2.10.2, and the minimal fix is
  included in this debdiff.

  [Test Case]
  Server A = Ubuntu 10.04 with postfix configured to forward mail, ie:

  relayhost = server b's FQDN
  smtp_tls_security_level = encrypt

  Server B = Ubuntu 12.04 with postfix configured to receive mail with
  forced tls:

  smtpd_tls_security_level = encrypt

  Send more than one mail from Server A to Server B, and see if the following
  error appears in mail.log:
  warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:

  [Regression potential]
  This patch disables TLS session tickets, which is what later postfix versions
  do. If this introduces a regression, it may cause TLS to either fail completely,
  or to break when resuming sessions.

  Original description:

  Postfix is causing a TLS error, when relaying mails with TLS encryption:
  warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1356843/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
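
The mail.log check from the test case above, as an added example that is not part of the original bug report or of Postfix/OpenSSL: it finds the "ccs received early" warning, splits the OpenSSL error string into its fields, and counts the matching "lost connection after STARTTLS" lines seen on the receiving side. The syslog prefixes, host names and addresses in the sample are constructed; the function and variable names are hypothetical.

```python
import re

# OpenSSL 0.9.8/1.0.x pack an error code as lib (8 bits) | func (12) | reason (12).
def decode_err(code_hex):
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# pid:error:<code>:<library>:<function>:<reason>:<file>:<line>: as logged by Postfix
TLS_ERR = re.compile(
    r"postfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
LOST = re.compile(r"postfix/smtpd\[\d+\]: lost connection after STARTTLS")

def scan(lines):
    """Return (ccs_early_hits, lost_after_starttls_count) for mail.log lines."""
    hits, lost = [], 0
    for raw in lines:
        m = TLS_ERR.search(raw)
        if m and m.group("reason") == "ccs received early":
            lib, func, reason = decode_err(m.group("code"))
            hits.append({"daemon": m.group("daemon"), "pid": int(m.group("pid")),
                         "lib": lib, "func": func, "reason": reason,
                         "where": m.group("file") + ":" + m.group("line")})
        elif LOST.search(raw):
            lost += 1
    return hits, lost

# Constructed sample: syslog prefixes, host names and addresses are made up;
# the error text is the one quoted in the bug report.
SAMPLE = [
    "Aug 14 10:00:01 servera postfix/smtp[31807]: warning: TLS library problem: "
    "31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:",
    "Aug 14 10:00:01 serverb postfix/smtpd[4242]: lost connection after STARTTLS "
    "from servera.example[192.0.2.10]",
    "Aug 14 10:00:05 servera postfix/smtp[31807]: 3F2A1C0D: to=<user@serverb.example>, "
    "relay=serverb.example[192.0.2.20]:25, status=sent (250 2.0.0 Ok)",
]

if __name__ == "__main__":
    hits, lost = scan(SAMPLE)
    for h in hits:
        print("postfix/%(daemon)s[%(pid)d] lib=%(lib)d func=%(func)d "
              "reason=%(reason)d at %(where)s" % h)
    print("lost connection after STARTTLS:", lost)
```

A hit logged by `postfix/smtp` means the sending side rejected the handshake, which is the Server A symptom in the test case.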


[Touch-packages] [Bug 1356843] Re: ccs received early errors after openssl security update

2014-08-18 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.21

---
openssl (0.9.8k-7ubuntu8.21) lucid-security; urgency=medium

  * SECURITY UPDATE: Properly fix stateless session support (LP: #1356843)
    - fixes regression introduced with fix_renegotiation.patch.
    - debian/patches/fix_stateless_session.patch: added two commits from
      git to properly handle stateless sessions in ssl/s3_srvr.c,
      ssl/ssl_asn1.c, ssl/t1_lib.c.
 -- Marc Deslauriers marc.deslauri...@ubuntu.com   Mon, 18 Aug 2014 11:17:08 -0400

** Changed in: openssl (Ubuntu Lucid)
   Status: Confirmed => Fix Released


Title:
  ccs received early errors after openssl security update

Status in “openssl” package in Ubuntu:
  Invalid
Status in “postfix” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Fix Released
Status in “postfix” source package in Lucid:
  Invalid
Status in “openssl” source package in Precise:
  Invalid
Status in “postfix” source package in Precise:
  Fix Released



[Touch-packages] [Bug 1356843] Re: ccs received early

2014-08-15 Thread Marc Deslauriers
I have reproduced this issue. It looks like something may be wrong with
openssl in Ubuntu 12.04.

Attached is a packet capture that shows 12.04 sending a CCS before a
Server Key Exchange for some reason.

** Attachment added: problem.pcap
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1356843/+attachment/4178514/+files/problem.pcap


Title:
  ccs received early

Status in “openssl” package in Ubuntu:
  New

Bug description:
  Postfix is causing a TLS error, when relaying mails with TLS encryption:
  warning: TLS library problem: 31807:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146:



[Touch-packages] [Bug 1356843] Re: ccs received early

2014-08-15 Thread Marc Deslauriers
Actually, I believe I'm reading that wrong, disregard my last comment.



[Touch-packages] [Bug 1356843] Re: ccs received early

2014-08-14 Thread Marc Deslauriers
So from the irc discussion:

Two servers, one Ubuntu 10.04, and one Ubuntu 12.04. Both are using
postfix. The 12.04 server is running postfix 2.9.6-1~12.04.1.

10.04 is running openssl 0.9.8k-7ubuntu8.20 and 12.04 is running openssl
1.0.1-4ubuntu5.17.

The 10.04 is sending mail to the 12.04 server.

The 10.04 is getting the following in the log:

TLS library problem: 25971:error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early:s3_pkt.c:1146

The 12.04 is getting the following:

lost connection after STARTTLS



[Touch-packages] [Bug 1356843] Re: ccs received early

2014-08-14 Thread Marc Deslauriers
The 10.04 server is running postfix 2.7.0-1ubuntu0.2



[Touch-packages] [Bug 1356843] Re: ccs received early

2014-08-14 Thread Tim Ritberg
Correct so far.

I want to add, when you have configured postfix like this:
smtp_tls_security_level=may

mails will be transported unencrypted.
