I have started a bionic lxd container with nginx and snakeoil
certificates.

# patch /etc/ssl/openssl.cnf cap-to-tls1.2.patch 
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx

And connect from the host system, which has the stock openssl.cnf:

$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
^C

Back in the container

# patch -R /etc/ssl/openssl.cnf cap-to-tls1.2.patch 
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).

# patch /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch 
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 353 (offset 2 lines).
# systemctl restart nginx

Connecting to the container again externally:
$ openssl s_client [fd42:3fcc:8a27:4e69:216:3eff:fe4c:5b9e]:443 | grep -e Protocol -e Cipher
Can't use SSL_get_servername
depth=0 CN = nearby-osprey.lxd
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = nearby-osprey.lxd
verify return:1
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
^C

# patch -R /etc/ssl/openssl.cnf reorder-tls1.3-ciphersuites.patch 
patching file /etc/ssl/openssl.cnf
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 350 (offset 2 lines).
# systemctl restart nginx


So using the above patches to openssl.cnf I was able to reorder ciphersuites of
stock bionic nginx, and cap to TLSv1.2.

So with attached

** Changed in: openssl (Ubuntu Bionic)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Disco)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Cosmic)
       Status: New => Incomplete

** Changed in: openssl (Ubuntu Eoan)
     Assignee: Dimitri John Ledkov (xnox) => (unassigned)

** Changed in: openssl (Ubuntu Eoan)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832370

Title:
  Unable to configure or disable TLS 1.3 via openssl.cnf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832370/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
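The patches themselves are not attached to this message, but both of them only touch the SSL_CONF chain that OpenSSL 1.1.1 reads from openssl.cnf: the top-level `openssl_conf` key names a section whose `ssl_conf` key names a section whose `system_default` key names the section holding commands such as `MinProtocol`, `MaxProtocol`, `CipherString` and `Ciphersuites`. The following Python helper is an added example, not code from the bug report or from Ubuntu's openssl package; it parses that chain from a minimal config and reports the policy it would impose. The three sample configs are constructed: `STOCK_CNF` approximates the chain Ubuntu ships, and the cap and reorder variants are an assumption about what the two patches plausibly add to the `system_default_sect` section.

```python
"""Added example (not from the bug report): inspect the SSL_CONF defaults that
an openssl.cnf applies to every application linked against OpenSSL 1.1.1."""
import re

_SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def parse_openssl_cnf(text):
    """Parse the INI-like openssl.cnf syntax into {section: {key: value}}.

    Keys that appear before any [section] header land in the "default"
    section, which is where `openssl_conf` lives. Comments start with '#'.
    Variable expansion ($ENV::, ${sect::name}) is deliberately not handled.
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def system_default_commands(sections):
    """Follow openssl_conf -> ssl_conf -> system_default and return that
    section's commands, or {} if any link in the chain is missing (in which
    case OpenSSL applies no system-wide SSL_CONF defaults at all)."""
    section = sections["default"]
    for link in ("openssl_conf", "ssl_conf", "system_default"):
        name = section.get(link)
        if name is None or name not in sections:
            return {}
        section = sections[name]
    return section


def summarize_tls_policy(text):
    """Return the protocol bounds and cipher settings a config would impose."""
    commands = system_default_commands(parse_openssl_cnf(text))
    suites = commands.get("Ciphersuites")
    return {
        "min_protocol": commands.get("MinProtocol"),
        "max_protocol": commands.get("MaxProtocol"),    # None means "no cap"
        "cipher_string": commands.get("CipherString"),  # TLS 1.2 and below
        "tls13_ciphersuites": suites.split(":") if suites else None,
    }


# Constructed sample configs (assumptions, not the attachments from the bug):
# STOCK approximates the chain Ubuntu ships; the other two show what a
# cap-to-TLS1.2 / reorder-ciphersuites change to system_default_sect would
# plausibly look like.
STOCK_CNF = """\
# OpenSSL configuration file (trimmed)
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2
"""

CAP_TLS12_CNF = STOCK_CNF + "MaxProtocol = TLSv1.2\n"

REORDER_TLS13_CNF = STOCK_CNF + (
    "Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:"
    "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n"
)

if __name__ == "__main__":
    for label, cnf in (("stock", STOCK_CNF), ("cap", CAP_TLS12_CNF),
                       ("reorder", REORDER_TLS13_CNF)):
        print(label, summarize_tls_policy(cnf))
```

Running the script prints one summary per sample: the stock chain has a floor of TLSv1.2 and no ceiling, the cap variant sets `MaxProtocol` so TLS 1.3 is never offered, and the reorder variant leaves the version range alone but puts `TLS_CHACHA20_POLY1305_SHA256` first in the TLS 1.3 list, matching the handshake shown above. Pointing `parse_openssl_cnf` at the real `/etc/ssl/openssl.cnf` before and after applying a patch is a quick way to confirm the patch landed in the `system_default` section and not somewhere OpenSSL ignores.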
