[Bug 1865204] Re: Multiple packages broke with openssl 1.1.1 upgrade
Dr. Uwe Meyer-Gruhl
1865204 at bugs.launchpad.net
Sat Feb 29 15:26:48 UTC 2020
** Description changed:
While I welcome the adding of security features by upgrading vital packages like openssl,
there are at least two packages that I know of which ran fine with libssl 1.1.0 and do not with libssl 1.1.1. This bug has been introduced with the migration from openssl 1.1.0 to 1.1.1 in one of the last point releases.
-
1. stunnel4 3:5.44-1ubuntu3
stunnel4 breaks with openssl 1.1.1 (which supports TLS 1.3).
I get errors when a Windows stunnel client connects to the stunnel4
daemon:
Feb 20 14:10:03 peterpan.neverland stunnel[24427]: LOG3[0]: s_connect: connect ::1:3128
: Connection refused (111)
This can be fixed when I manually add "MaxProtocol = TLSv1.2" to
/etc/ssl/openssl.conf, showing that TLS 1.3 introduced by openssl 1.1.1
is the culprit.
stunnel4 needs an update. At least for stunnel4, another fix would be to
specify "sslVersion = TLSv1.2" in its config file.
-
2. pure-ftpd 1.0.46-1build1
Same thing here. You cannot connect once you use "tls=2" or higher if
openssl 1.1.1 with TLS 1.3 is active. Only fix here I found is to limit
- the max protocol. pure-ftpd itself has no means of solving that problem,
- at least not in the bionic version.
+ the max protocol in openssl for all applications. pure-ftpd itself has
+ no means of controlling the TLS version, at least not in the bionic
+ version of it.
+
+ I use Ubuntu Server 18.04.04 LTS, BTW and openssl was
+ 1.1.1-1ubuntu2.1~18.04.5.
- I use Ubuntu Server 18.04.04 LTS, BTW and openssl was 1.1.1-1ubuntu2.1~18.04.5.
+ Both problems could be fixed by backporting stunnel4 and pure-ftpd packages from Focal Fossa.
--
https://bugs.launchpad.net/bugs/1865204
Title:
Multiple packages broke with openssl 1.1.1 upgrade
Status in openssl package in Ubuntu:
New
Bug description:
While I welcome the adding of security features by upgrading vital packages like openssl,
there are at least two packages that I know of which ran fine with libssl 1.1.0 and do not with libssl 1.1.1. This bug has been introduced with the migration from openssl 1.1.0 to 1.1.1 in one of the last point releases.
1. stunnel4 3:5.44-1ubuntu3
stunnel4 breaks with openssl 1.1.1 (which supports TLS 1.3).
I get errors when a Windows stunnel client connects to the stunnel4
daemon:
Feb 20 14:10:03 peterpan.neverland stunnel[24427]: LOG3[0]: s_connect: connect ::1:3128: Connection refused (111)
This can be fixed when I manually add "MaxProtocol = TLSv1.2" to
/etc/ssl/openssl.conf, showing that TLS 1.3 introduced by openssl
1.1.1 is the culprit.
stunnel4 needs an update. At least for stunnel4, another fix would be
to specify "sslVersion = TLSv1.2" in its config file.
2. pure-ftpd 1.0.46-1build1
Same thing here. You cannot connect once you use "tls=2" or higher if
openssl 1.1.1 with TLS 1.3 is active. Only fix here I found is to
limit the max protocol in openssl for all applications. pure-ftpd
itself has no means of controlling the TLS version, at least not in
the bionic version of it.
I use Ubuntu Server 18.04.04 LTS, BTW and openssl was
1.1.1-1ubuntu2.1~18.04.5.
Both problems could be fixed by backporting stunnel4 and pure-ftpd packages from Focal Fossa.
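
Added example (not part of the bug report and not code from stunnel, pure-ftpd or Ubuntu): a small check that reports whether an OpenSSL configuration applies a system-wide "MaxProtocol" cap like the workaround described above, which affects every application using the library rather than only the two failing services. The section names in the sample configs are constructed for illustration, and keys are matched exactly as spelled here.

```python
# Added example: detect a system-wide TLS version cap in OpenSSL config text.
# SAMPLE_* inputs are constructed; section names in them are assumptions.

SAMPLE_CAPPED = """\
openssl_conf = default_conf   # workaround from the report applied globally
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MaxProtocol = TLSv1.2
"""

SAMPLE_UNCAPPED = SAMPLE_CAPPED.replace(
    "MaxProtocol = TLSv1.2",
    "MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2")

def parse_openssl_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}."""
    sections = {"default": {}}
    current = "default"            # keys before any [section] header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_default_bounds(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return (min, max)."""
    s = parse_openssl_cnf(text)
    name = s["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key) if name else None
    sect = s.get(name, {}) if name else {}
    return sect.get("MinProtocol"), sect.get("MaxProtocol")

def tls13_disabled_globally(text):
    """True when a system-wide MaxProtocol below TLSv1.3 is configured."""
    _, max_proto = system_default_bounds(text)
    return max_proto not in (None, "None", "TLSv1.3")

if __name__ == "__main__":
    for label, cfg in (("capped", SAMPLE_CAPPED), ("uncapped", SAMPLE_UNCAPPED)):
        print(label, system_default_bounds(cfg), tls13_disabled_globally(cfg))
```

Pass the contents of the system's OpenSSL configuration file to tls13_disabled_globally() to see whether the global cap is still in place after the affected packages have been updated.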