[Bug 1256576] Re: Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2
Jeffrey Walton
noloader at gmail.com
Fri Dec 6 05:46:33 UTC 2013
> Ubuntu 12.04 contains openssl 1.0.1, which supports TLS v1.2.
My bad.... I should have been using `apt-cache show` instead of `ldd`.
> Unfortunately, because of the large number of sites which incorrectly handled
> TLS v1.2 negotiation, we had to disable TLS v1.2 on the client.
>
> See the following bugs for more information:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665452
I think Marko is probably right - it might be time to revisit some of these decisions made to help the users since the reasons appear no longer valid. From the list of broken sites provided in the bug reports above:
Mediafire: OK per Marko
Salesforce now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=salesforce.com
Facebook now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=graph.facebook.com
Paypal now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com
Sourceforge now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=sourceforge.net
As for the broken libraries, such as Python and libcurl, they need to
fix their stuff. I can't speak to Python (I know nothing about the developers
or development process). But I know Daniel at the Curl project is an
awesome leader, the project has a great engineering process and the
library performs to expectations.
> Browsers use NSS, which doesn't have the same compatibility issues OpenSSL has.
Not all clients are browsers. Here's from a dev machine *not* loaded with anything other than compilers and associated tools:
$ apt-cache rdepends openssl | wc -l
122
I imagine the number would increase if IRC, chat clients and other
messaging software were added.
The real problem here is philosophical. It includes the "common case" is
taken and not the "worst case". Some folks depend upon these protocols
for their lives. Those people would include dissidents under oppressive
regimes. We have a moral obligation to get it right for folks who have
more to lose than we do. Personally (as a US citizen), I'm embarrassed
by all the US human rights violations perpetrated by my country (privacy
is a right in many non-US countries in the world). ... Unless, of
course, someone thinks Diginotar was a massive spear phishing ploy and
Snowden was lying.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1256576
Title:
Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not
support TLS 1.2
Status in “openssl” package in Ubuntu:
New
Bug description:
The long term support version of Ubuntu 12.04 provides OpenSSL 1.0.0.
A wireshark trace shows the version of OpenSSL used by Ubuntu does not
support TLS 1.2. According to the change logs, TLS 1.2 support was
added 14 March 2012. The change log can be found at
http://www.openssl.org/news/changelog.html, and the TLS additions can
be found under the heading "Changes between 1.0.0h and 1.0.1".
$ ldd /usr/lib/x86_64-linux-gnu/libssl.so
linux-vdso.so.1 => (0x00007fffd9d84000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1e0691e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e0655e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1e06359000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1e06142000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1e06f6d000)
***********
OpenSSL 1.0.1 is compatible with 1.0.0. From the OpenSSL FAQ
(http://www.openssl.org/support/faq.html):
8. How does the versioning scheme work?
After the release of OpenSSL 1.0.0 the versioning scheme changed.
Letter releases (e.g. 1.0.1a) can only contain bug and security fixes
and no new features. Minor releases change the last number (e.g.
1.0.2) and can contain new features that retain binary compatibility.
Changes to the middle number are considered major releases and neither
source nor binary compatibility is guaranteed.
**********
By the way, it's nearly impossible to file a bug report through the
launch pad. The maze that's been created is impossible to navigate,
and it's worse than one of those phone menu systems. I had to look up
the URL to file at http://www.cryptopp.com/wiki/Talk:Linux. Great job
to the designers of the system. It's probably the same idiots who
thought a tablet manager was a great idea on the desktop.
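The ldd output above shows the soname libssl.so.1.0.0, which OpenSSL kept across 1.0.0 and 1.0.1, so it cannot settle which version is installed; the wireshark trace is the real evidence, since a client that has TLS 1.2 disabled advertises version 3.1 in its ClientHello rather than 3.3. As an added example, not part of the bug report or of OpenSSL, the Python below reads the client_version field out of a ClientHello record so a defender can spot such downlevel clients in captured traffic; the sample records are constructed here, not taken from the trace.

```python
import struct

# Protocol version bytes as they appear on the wire (major, minor).
TLS_VERSIONS = {
    (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2",
}

def build_client_hello(client_version, cipher_suites):
    """Build a minimal TLS record carrying a ClientHello (constructed sample data)."""
    major, minor = client_version
    body = bytes([major, minor]) + b"\x00" * 32        # client_version + random
    body += b"\x00"                                     # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))   # cipher_suites length
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record-layer version is normally 3.1 whatever the client supports, so the
    # record header is deliberately NOT where the offered version is read from.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_max_version(record):
    """Return the highest protocol version a ClientHello record offers.

    Walks record header -> handshake header -> client_version, checking the
    declared lengths so a truncated capture is reported instead of misread.
    """
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != 4 + hs_len or len(record) < 5 + rec_len:
        raise ValueError("truncated or inconsistent lengths")
    version = (record[9], record[10])
    return TLS_VERSIONS.get(version, "unknown %d.%d" % version)

def is_downlevel(record):
    """True when the client does not offer TLSv1.2 (the symptom in this bug)."""
    return client_hello_max_version(record) != "TLSv1.2"

if __name__ == "__main__":
    # Constructed samples: a patched client offering 1.2 and a client with 1.2 disabled.
    for name, rec in [("tls12 client", build_client_hello((3, 3), [0xC02F])),
                      ("tls10 client", build_client_hello((3, 1), [0x002F]))]:
        print(name, client_hello_max_version(rec), "downlevel" if is_downlevel(rec) else "ok")
```

To check a live capture, extract the first TLS record of each client-to-server stream (e.g. with tshark's tls.handshake.type == 1 filter) and feed its bytes to client_hello_max_version.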