Server incompatible with Focal clients

Status changed to 'Confirmed' because the bug affects multiple users.

I encountered this today too. This seems to be an OpenSSL problem, given that "openssl s_client" refuses to connect to the server, where it succeeds with older releases. Presumably the server only supports ciphers or TLS versions the new OpenSSL rejects.

This is likely caused by bug 1856428, which indicates that support for the older TLS versions can be enabled in a configuration file.

This could work as a temporary fix. However, "re-enable old crypto protocols that should not be used unless absolutely unavoidable since RFC 7525 five years ago" must not be the final resolution for this bug, since it's exactly what Focal wants to avoid. From a crypto standpoint, while TLS1.0 is not utterly broken like SSL, there are still plenty of reasons why one should really not be using it anymore.

Sure. But if this is controllable from a configuration file, then it might be possible to come up with a temporary work around until the server you want to connect to is upgraded. With any luck, the configuration can be changed in such a way that only Mumble is affected.

I detailed the configuration file workaround here:

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1856428/comments/2

I wonder if the underlying cause of the problem is that Bionic's Mumble is compiled against Qt 4, which predates the newer TLS versions. I would have thought it'd get new versions automatically through new OpenSSL releases, but perhaps there is some incompatibility in there.

If that's the case, I wonder if Bionic's Mumble client can successfully connect to Focal's Mumble server?

Thanks for the openSSL config example! I set up a Bionic and a Focal VM, both with client and server, to test this.

Without this config, the connection does not work in any direction, i.e. the Bionic client won't connect to the Focal server (with a chat message saying "remote host closed connection") and the Focal client won't connect to the Bionic server (with a popup warning about legacy encryption).

Adding the openSSL config snippet on the Focal machine allows a connection in both directions. When using the default mumble config on both sides, TLS1.0 using suite TLS_RSA_WITH_AES_256_CBC_SHA is negotiated on the control channel.

Two Focal instances will correctly negotiate TLS1.3 using TLS_AES_256_GCM_SHA384. Bionic instances using the PPA will also successfully negotiate TLS1.3 and the same cipher but show "UnknownProtocol" in the client's server info dialog.

James Henstridge:
> I detailed the configuration file workaround here:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1856428/comments/2
>
> I wonder if the underlying cause of the problem is that Bionic's Mumble
> is compiled against Qt 4, which predates the newer TLS versions. I
> would have thought it'd get new versions automatically through new
> OpenSSL releases, but perhaps there is some incompatibility in there.

Mumble uses Qt's SSL library, and there are differences in the Qt SSL library
between Qt 4 and 5. Mumble 1.3 with Qt 5 is capable of TLS that have perfect
forward secrecy, but Mumble 1.2 with Qt 4 is not, and that's independent of the
particular versions of OpenSSL that are used. i.e. this isn't a limitation of
the OpenSSL version, it's a limitation of the SSL library in Qt 4.

  -- Chris

--
Chris Knadle
<email address hidden>