[Bug 1864689] Re: openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox
Dr. Uwe Meyer-Gruhl
1864689 at bugs.launchpad.net
Mon May 18 15:56:46 UTC 2020
This bug affects me too, with a client certificate that now "magically"
does not match the requirements.
Ironically, the error message says only:
OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md
too weak, (no key found, wrong pass phrase, or wrong file format?)
although there was no MD5 signature involved at all. So, even when you
know that with OpenSSL 1.1, an "SSL security level" has been introduced,
and that Ubuntu has set that level to 2, it is hard to find that it
deprecates SHA1 now (see
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html).
Thus, even for more knowledgeable people than me this is a major hassle
to find and/or fix. I wonder why Ubuntu has chosen to raise the level
that high considering that the documentation page contains a clear
warning indication:
"WARNING at this time setting the security level higher than 1 for
general internet use is likely to cause considerable interoperability
issues and is not recommended. This is because the SHA1 algorithm is
very widely used in certificates and will be rejected at levels higher
than 1 because it only offers 80 bits of security."
I think that this is an extremely unwise choice for an OS to make.
That being said, here is the fix (also hard to find):
In /etc/ssl/openssl.cnf, add this line at the start of the file:
openssl_conf = default_conf
At the end of the file, add these lines:
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1
This will bring down the SSL security level to the former level of 1.
https://bugs.launchpad.net/bugs/1864689
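The message above works out the diagnosis by hand. The following POSIX shell script is an added example, not something posted in this bug thread, that reproduces the situation offline: it builds a throwaway chain whose leaf certificate is signed with SHA-1 (the CA itself uses SHA-256 and both keys are 2048-bit RSA, so the digest is the only weak parameter) and then asks `openssl verify -auth_level N` at which security level the chain is still accepted. `-auth_level` uses the same level table as libssl's SSL_CTX_set_security_level(), so level 2 rejects the chain with "CA signature digest algorithm too weak" even though no MD5 is involved. It assumes an `openssl` binary on PATH; the subject names and file names are made up. Note that with OpenSSL 3.x the lowest accepting level is 0 rather than 1, because 3.0 rates SHA-1 certificate signatures at 64 bits and therefore rejects them at level 1 as well.

```sh
#!/bin/sh
# Added example (not from the bug report): build a throwaway chain whose leaf
# certificate is signed with SHA-1, then ask openssl(1) at which security
# level it is still accepted. "openssl verify -auth_level N" uses the same
# level table as libssl's SSL_CTX_set_security_level(), so this reproduces the
# "ca md too weak" situation offline, without a TLS peer.
# Assumes: an openssl binary on PATH; subject names and file names are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a SHA-256 self-signed CA and a leaf whose
# certificate the CA signs with SHA-1. Both keys are 2048-bit RSA (112 bits,
# fine at level 2), so the only weak parameter is the leaf's signature digest.
make_sha1_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=example client" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha1 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Signature algorithm of the leaf, so the reader can see it is SHA-1, not MD5,
# despite the "ca md too weak" wording of the libssl error.
leaf_sigalg() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 | sed 's/^ *//'
}

# Exit status 0 when the chain verifies at the given level, non-zero when it
# is rejected. Stderr is kept so the reason printed by openssl stays visible.
verify_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null
}

# Lowest level that accepts the chain: 1 with OpenSSL 1.1.1 (SHA-1 = 80 bits),
# 0 with OpenSSL 3.x, which rates SHA-1 certificate signatures at 64 bits.
lowest_accepting_level() {
    for lvl in 0 1 2 3 4 5; do
        if verify_at_level "$lvl" 2>/dev/null; then
            echo "$lvl"
            return 0
        fi
    done
    return 1
}

make_sha1_chain || { echo "could not build test chain" >&2; exit 1; }
echo "openssl version: $(openssl version)"
echo "leaf: $(leaf_sigalg)"
for lvl in 2 1 0; do
    if verify_at_level "$lvl"; then
        echo "auth_level $lvl: accepted"
    else
        echo "auth_level $lvl: rejected"
    fi
done
echo "lowest accepting level: $(lowest_accepting_level)"
```

Running this on a 20.04 box shows level 2 (Ubuntu's compiled-in default) rejecting the chain and level 1 accepting it, which is exactly what the openssl.cnf change in the message above switches between; the same script on an OpenSSL 3 system reports level 0 as the lowest accepting level, so the `@SECLEVEL=1` workaround would no longer be enough there.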
Title:
openssl in 20.04 can't connect to site that was fine in 19.10 and is
fine in Chrome and Firefox
Status in OpenSSL:
Unknown
Status in openssl package in Ubuntu:
Confirmed
Bug description:
openssl in Ubuntu 20.04 (focal) refuses to connect to a web site that
openssl in Ubuntu 19.10 (eoan), Chrome, and Firefox are all happy to
connect to.
Reproduce with: `curl -v https://www.toodledo.com/`
or: `openssl s_client -connect www.toodledo.com:443`
or: `python3 -c 'import requests; requests.get("https://www.toodledo.com/")'`
or: `wget https://www.toodledo.com/`
These worked in Ubuntu 19.10 and don't work in 20.04.
I've tried all sorts of things to debug this further and I've just run
into walls. I hope someone who understands more about this stuff will
be able to figure it out.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openssl 1.1.1d-2ubuntu3
ProcVersionSignature: Ubuntu 5.4.0-14.17-generic 5.4.18
Uname: Linux 5.4.0-14-generic x86_64
ApportVersion: 2.20.11-0ubuntu18
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Feb 25 13:01:22 2020
InstallationDate: Installed on 2019-08-16 (192 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
SourcePackage: openssl
UpgradeStatus: Upgraded to focal on 2020-01-31 (25 days ago)