I have started bionic lxd container with nginx and snakeoil
certificates.
# patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx
And connect from the host system which has stock openssl.cnf
$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e
Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
^C
Back in the container
# patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx
Connecting to the container again externally:
$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e
Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
^C
# patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# systemctl restart nginx
So using the above patches to openssl.cnf I was able to reorder chipersuites of
stock bionic nginx, and cap to TLSv1.2.
So with attached
** Changed in: openssl (Ubuntu Bionic)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Disco)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Cosmic)
Status: New => Incomplete
** Changed in: openssl (Ubuntu Eoan)
Assignee: Dimitri John Ledkov (xnox) => (unassigned)
** Changed in: openssl (Ubuntu Eoan)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1832370
Title:
Unable to configure or disable TLS 1.3 via openssl.cnf
Status in openssl package in Ubuntu:
Incomplete
Status in openssl source package in Bionic:
Incomplete
Status in openssl source package in Cosmic:
Incomplete
Status in openssl source package in Disco:
Incomplete
Status in openssl source package in Eoan:
Incomplete
Bug description:
[Description]
Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications
gained access to TLS 1.3 by default. The applications that were not
rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings
(protocol, ciphersuites selection, ciphersuites order) like it's
possible with 1.2 and below. As such, one should turn to configuring
/etc/ssl/openssl.cnf to alter TLS 1.3 settings.
Here is how I'd expect to be able to turn off TLS 1.3:
# diff -Naur /etc/ssl/openssl.cnf{.orig,}
--- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400
+++ /etc/ssl/openssl.cnf 2019-06-11 11:15:23.805113804 -0400
@@ -12,6 +12,16 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_default_sect]
+
+MaxProtocol = TLSv1.2
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
This doesn't work as 'openssl s_client -connect
rproxy.sdeziel.info:443' negotiates TLS 1.3 with
TLS_AES_256_GCM_SHA384.
Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with:
# diff -Naur /etc/ssl/openssl.cnf{.orig,}
--- /etc/ssl/openssl.cnf.orig 2019-06-11 10:33:02.330143086 -0400
+++ /etc/ssl/openssl.cnf 2019-06-11 11:37:23.362889367 -0400
@@ -12,6 +12,17 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_default_sect]
+
+Ciphers = TLS_AES_128_GCM_SHA256
+Ciphersuites = TLS_AES_128_GCM_SHA256
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
Doesn't work as s_client keeps negotiating TLS 1.3 with
TLS_AES_256_GCM_SHA384 (!= 128)
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.1
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 11 11:22:47 2019
InstallationDate: Installed on 2018-07-15 (331 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714)
ProcEnviron:
LANG=en_CA.UTF-8
TERM=xterm-256color
SHELL=/bin/bash
XDG_RUNTIME_DIR=<set>
PATH=(custom, no user)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
