[Bug 1256576] Re: Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2
Marko Kreen
markokr at gmail.com
Tue Dec 3 22:31:31 UTC 2013
There are 2 issues with OpenSSL/TLSv1.2 in Ubuntu. I'm on 12.04, but I
see the same patch in newer Ubuntu versions.
1) TLSv1.2 is removed from SSLv23_method(). It's a technically fine
policy decision. But I think it should be reverted, at least in new Ubuntu
versions. All the sites mentioned in +1y old bugs work fine now with
TLSv1.2 requests. And several high-profile browsers are now using
TLSv1.2 protocol by default (IE11, Chrome, Safari), so any remaining
problematic sites will feel pain if they don't fix.
Eg, see site and browser state here:
https://www.ssllabs.com/ssltest/analyze.html?d=mediafire.com
My suggestion: remove this limitation at least from 14.04.
2) TLSv1.2 ciphersuite list is cut to first 25. Thanks to 1) this will
affect only apps requesting TLSv1.2 explicitly. It allows only AES256
ciphersuites, which is not a big problem. But it also disables secure
renegotiation, which is signaled with an extra ciphersuite.
IOW: apps that want the "newest and most secure TLS version" get a
crippled protocol instead of a connection failure if some middleware box
fails.
My suggestion: please revert this patch from everywhere. It's a dumb idea
to force "max-compat" on apps that explicitly want TLSv1.2.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1256576
Title:
Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not
support TLS 1.2
Status in “openssl” package in Ubuntu:
New
Bug description:
The long term support version of Ubuntu 12.04 provides OpenSSL 1.0.0.
A wireshark trace shows the version of OpenSSL used by Ubuntu does not
support TLS 1.2. According to the change logs, TLS 1.2 support was
added 14 March 2012. The change log can be found at
http://www.openssl.org/news/changelog.html, and the TLS additions can
be found under the heading "Changes between 1.0.0h and 1.0.1".
$ ldd /usr/lib/x86_64-linux-gnu/libssl.so
linux-vdso.so.1 => (0x00007fffd9d84000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f1e0691e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e0655e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1e06359000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1e06142000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1e06f6d000)
***********
OpenSSL 1.0.1 is compatible with 1.0.0. From the OpenSSL FAQ
(http://www.openssl.org/support/faq.html):
8. How does the versioning scheme work?
After the release of OpenSSL 1.0.0 the versioning scheme changed.
Letter releases (e.g. 1.0.1a) can only contain bug and security fixes
and no new features. Minor releases change the last number (e.g.
1.0.2) and can contain new features that retain binary compatibility.
Changes to the middle number are considered major releases and neither
source nor binary compatibility is guaranteed.
**********
By the way, it's nearly impossible to file a bug report through the
launch pad. The maze that's been created is impossible to navigate,
and it's worse than one of those phone menu systems. I had to look up
the URL to file at http://www.cryptopp.com/wiki/Talk:Linux. Great job
to the designers of the system. It's probably the same idiots who
thought a tablet manager was a great idea on the desktop..