[Bug 1874413] Re: openssl 1.1.1f-1ubuntu2 breaks some TLS connections

Pascal Ernster 1874413 at bugs.launchpad.net
Thu Apr 23 10:13:48 UTC 2020


** Description changed:

  On a machine with Ubuntu 20.04 and all available updates installed
- (including openssl and libssl openssl 1.1.1f-1ubuntu2):
+ (including openssl and libssl1.1 1.1.1f-1ubuntu2):
  
  user at host:~$ curl 'https://pub.orcid.org/'
  curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
  
- 
- On the same machine, but with the openssl and libssl packages downgraded
- to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:
+ On the same machine, but with the openssl and libssl1.1 packages
+ downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:
  
  user at host:~$ curl -I 'https://pub.orcid.org/'
  HTTP/1.1 302 Found
  Server: nginx/1.16.1
  Date: Thu, 23 Apr 2020 09:34:38 GMT
  Location: https://pub.orcid.org/v3.0/
  Transfer-Encoding: chunked
  Connection: Keep-Alive
  Set-Cookie: X-Mapping-fjhppofk=EDEB8B375DA428655747278237992826; path=/
  
- 
  I've also checked this with machines running other distros (OpenWRT and
  Archlinux), and with those distros, the error occurs neither with
- OpenSSL/libssl 1.1.1f nor with OpenSSL/libssl 1.1.1g. This leads me to
- assume that the backported patch for CVE-2020-1967 in openssl/libssl 1.1
- .1f-1ubuntu2 is broken.
+ OpenSSL/libssl1.1 1.1.1f nor with OpenSSL/libssl1.1 1.1.1g. This leads
+ me to assume that the backported patch for CVE-2020-1967 in
+ openssl/libssl1.1 1.1.1f-1ubuntu2 is broken.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1874413

Title:
  openssl 1.1.1f-1ubuntu2 breaks some TLS connections

Status in openssl package in Ubuntu:
  New

Bug description:
  On a machine with Ubuntu 20.04 and all available updates installed
  (including openssl and libssl1.1 1.1.1f-1ubuntu2):

  user@host:~$ curl 'https://pub.orcid.org/'
  curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

  On the same machine, but with the openssl and libssl1.1 packages
  downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:

  user@host:~$ curl -I 'https://pub.orcid.org/'
  HTTP/1.1 302 Found
  Server: nginx/1.16.1
  Date: Thu, 23 Apr 2020 09:34:38 GMT
  Location: https://pub.orcid.org/v3.0/
  Transfer-Encoding: chunked
  Connection: Keep-Alive
  Set-Cookie: X-Mapping-fjhppofk=EDEB8B375DA428655747278237992826; path=/

  I've also checked this with machines running other distros (OpenWRT
  and Archlinux), and with those distros, the error occurs neither with
  OpenSSL/libssl1.1 1.1.1f nor with OpenSSL/libssl1.1 1.1.1g. This leads
  me to assume that the backported patch for CVE-2020-1967 in
  openssl/libssl1.1 1.1.1f-1ubuntu2 is broken.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1874413/+subscriptions
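
Added example (not part of the original report, and not code from OpenSSL or Ubuntu): a small decoder for the packed error code in the curl output above, showing whether the failure is a TLS alert sent by the server or an error raised locally. It assumes the OpenSSL 1.1.1 error-code layout; the function name, the alert table subset and the second sample line are choices made for this example.

```python
import re

# OpenSSL 1.1.1 packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# OpenSSL 3.x uses a different layout; this decoder assumes the 1.1.1 format.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert N received from peer"

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446); not exhaustive.
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    50: "decode_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Split an OpenSSL 1.1.1 error string into its packed fields.

    Returns None if the line holds no 'error:XXXXXXXX:lib:func:reason' string.
    """
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "text": m.group(4).strip(), "peer_alert": None, "peer_alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        out["peer_alert"] = alert
        out["peer_alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return out


# Line 1 is the curl output quoted in the report; line 2 is a commonly seen
# local verification error, included here only as a contrast case.
SAMPLES = [
    "curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",
    "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_openssl_error(s))
```

For the reported line, the decoder yields peer alert 40 (handshake_failure), meaning the remote end aborted the handshake. A useful next triage step is therefore to compare the ClientHello sent by the two package versions.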