Re: [Bug 1972939] Re: Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes
On Wed, May 18, 2022 at 13:41:06 -, Simon Chopin wrote:
> Also, does tinc work in a purely Jammy context? :-)

Sorry, I just realized that I had not mentioned here on this bug the results of my tests between various Ubuntu versions. I didn't test Jammy-to-Jammy, but (briefly):

* Jammy (1.0.36/libssl3) to Xenial (1.0.26/libssl1.0.0) fails
* Impish (1.0.36/libssl1.1) works to both Jammy and Xenial (no openssl.cnf changes needed on any node)
* Focal (also 1.0.36/libssl1.1) worked to Xenial. (I did not test that to Jammy.)
* Jammy to Bionic (1.0.33/libssl1.1) works (no openssl.cnf changes needed)

(I did not test point-releases between Xenial and Bionic.)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1972939

Title:
  Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1972939/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1972939] Re: Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes
On Wed, May 18, 2022 at 13:37:46 -, Simon Chopin wrote:
> Could you give more details about what happens when using the legacy
> providers?

The short version is that by enabling the legacy provider and setting SECLEVEL to 1, I'm able to get past the "digital envelope routines::unsupported" error during the tinc metadata channel setup... but the Jammy node still (just a step or two later in the negotiation process) reports a "Bogus data received from" error and then aborts the connection.

The "Bogus data received from" error is a tinc error message, but as far as I can tell the likely trigger for that message is some sort of failure to decrypt incoming data by the OpenSSL library -- and since Focal, Impish and Jammy all have exactly the same tinc version, it would seem the issue is libssl3-related... but I am not sure precisely how.

You can find additional details in this tinc-mailing-list thread:
https://www.tinc-vpn.org/pipermail/tinc/2022-May/005598.html
(but so far the discussion there hasn't managed to narrow down the exact interaction between tinc and libssl that's causing the problem).
Re: [Bug 1972939] Re: Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes
On Wed, May 18, 2022 at 13:41:06 -, Simon Chopin wrote:
> Also, does tinc work in a purely Jammy context? :-)

As far as I can determine the issue relates to compatibility between libssl3 and the algorithms used by the Xenial-era tinc, and thus I can't imagine Jammy-to-Jammy would be a problem.
Re: [Bug 1972939] Re: Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes
On Wed, May 18, 2022 at 07:42:04 -, Simon Chopin wrote:
> I'm guessing there are some SSL certificates involved? If so, this issue

Tinc uses openssl's implementations of specific algorithms, but does not use either TLS or SSL certificates. (So I don't think the Tinc situation is covered by the existing OpenSSL 3.0 section of the Release Notes document.)

The Xenial version of Tinc uses the Blowfish algorithm for the metadata connection, which openssl3 does move to the legacy provider -- but even though enabling the legacy provider on the Jammy node allows the connection setup to get further along, it's not sufficient to get a working connection -- the libssl3 transition seems to have affected some other aspect of the connection as well...
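The two workarounds tried in this thread (activating OpenSSL 3's legacy provider so that Blowfish is available again, and lowering the TLS security level to 1 in openssl.cnf) both relax the crypto policy of the whole node, not just tinc, so an operator who experimented with them while debugging will want a way to find them again afterwards. The script below is an added example, not code from tinc, Ubuntu or anyone in this thread: it follows the openssl.cnf section chain (openssl_conf -> providers -> legacy -> activate, and openssl_conf -> ssl_conf -> system_default -> CipherString) and reports both settings. The two embedded configs are constructed to mirror the structure of the Ubuntu default file, and the function names are the example's own. Note that SECLEVEL is a libssl (TLS) setting; since the thread establishes that tinc does not use TLS, lowering it relaxes every TLS client and server on the node that relies on the system config.

```python
"""Audit an OpenSSL 3 openssl.cnf for two system-wide relaxations:
the legacy provider being activated and a lowered TLS SECLEVEL.
Added example; function names and the sample configs are constructed."""
import configparser
import re
import sys

# Constructed sample: an openssl.cnf edited the way the thread describes
# (legacy provider activated, SECLEVEL lowered to 1). Not from any real node.
SAMPLE_RELAXED = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
"""

# Constructed sample modelled on the stock Jammy layout: no legacy section
# wired in, SECLEVEL at the Ubuntu default of 2.
SAMPLE_STOCK = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
"""

GLOBAL = "__global__"  # synthetic section for keys that precede the first [section]


def _parse(text):
    """Load openssl.cnf text. OpenSSL allows keys before the first section
    header, which configparser does not, so a synthetic section is prepended."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # OpenSSL keys are case-sensitive (CipherString)
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return cp


def _chain(cp, keys):
    """Follow a chain of section -> key references starting from the global
    section; each value names the next section. None if any link is missing."""
    section = GLOBAL
    value = None
    for key in keys:
        if not section or not cp.has_option(section, key):
            return None
        value = cp.get(section, key).split("#", 1)[0].strip()  # drop inline comment
        section = value
    return value


def legacy_provider_active(text):
    """True if openssl_conf -> providers -> legacy -> activate is 1."""
    return _chain(_parse(text), ["openssl_conf", "providers", "legacy", "activate"]) == "1"


def tls_seclevel(text):
    """SECLEVEL from the libssl system-default CipherString, or None if unset."""
    cs = _chain(_parse(text), ["openssl_conf", "ssl_conf", "system_default", "CipherString"])
    if cs is None:
        return None
    m = re.search(r"@SECLEVEL=(\d+)", cs)
    return int(m.group(1)) if m else None


def audit(text, min_seclevel=2):
    """Return a list of findings; an empty list means neither relaxation is present."""
    findings = []
    if legacy_provider_active(text):
        findings.append("legacy provider is activated (Blowfish, DES, MD4 etc. available to every libcrypto user)")
    level = tls_seclevel(text)
    if level is not None and level < min_seclevel:
        findings.append(f"TLS SECLEVEL lowered to {level} (applies to all libssl users, not only tinc)")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/openssl.cnf"
    with open(path) as fh:
        for finding in audit(fh.read()) or ["no relaxations found"]:
            print(f"{path}: {finding}")
```

Run it with no arguments to audit /etc/ssl/openssl.cnf, or pass a path. It only reads the file; reverting a relaxation is a matter of removing the legacy line from the providers section (or setting its activate to 0) and restoring the CipherString, which the thread shows is only worth doing once a compatible tinc build is in place on both ends.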
Re: [Bug 1972939] Re: Jammy tinc incompatibile with older (e.g. Xenial) tinc nodes
I'm guessing there are some SSL certificates involved? If so, this issue is mentioned in the release notes: certificates that use e.g. SHA1 as the digest algorithm should be re-issued by your provider with a stronger hash algorithm.

Would you be able to check that it is the correct diagnostic? If you have a PEM file, you can see mentions of the hash algorithms in the "Signature Algorithm" fields when using the following command:

    openssl x509 -in cert.pem -noout -text