openssl 1.1.1f-1ubuntu2 breaks some TLS connections
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
On a machine with Ubuntu 20.04 and all available updates installed (including openssl and libssl1.1 1.1.1f-1ubuntu2):
user@host:~$ curl 'https:/
curl: (35) error:14094410:SSL routines:
On the same machine, but with the openssl and libssl1.1 packages downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:
user@host:~$ curl -I 'https:/
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 23 Apr 2020 09:34:38 GMT
Location: https:/
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: X-Mapping-
I've also checked this with machines running other distros (OpenWRT and Archlinux), and with those distros, the error occurs neither with OpenSSL/libssl1.1 1.1.1f nor with OpenSSL/libssl1.1 1.1.1g. This leads me to assume that the backported patch for CVE-2020-1967 in openssl/libssl1.1 1.1.1f-1ubuntu2 is broken.
CVE References
Hi, thanks for reporting this issue.
This isn't caused by the patch for CVE-2020-1967; it is caused by OPENSSL_TLS_SECURITY_LEVEL=2 being set as the minimum security level.
You can try it with a lowered security level by doing the following:
curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://pub.orcid.org
I believe it is caused by having an insecure SHA1 certificate in their chain:
- Certificate[3] info: "VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8="
- subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20 UTC', pin-sha256=
As such, I am marking this as a dupe of bug 1864689; you can follow progress on the issue there.
Thanks.
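The maintainer's diagnosis above rests on spotting a SHA-1-signed certificate in the chain, which security level 2 refuses. The following is an added example (not from this bug report or from Ubuntu's packaging) that walks a PEM chain file and reports every certificate whose signatureAlgorithm OID is MD5- or SHA-1-based; it only parses the three top-level fields of each certificate, checks the signature digest only (level 2 also enforces key sizes, which this does not), and the fixture certificate it builds with `fake_cert_pem` is a constructed placeholder, not a real certificate.

```python
import base64, re
# Signature-algorithm OIDs whose digest is MD5 or SHA-1 (RFC 3279/4055); a chain
# containing one is what security level 2 rejects ("RSA-SHA1 (broken!)" above).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(raw):
    """Dotted OID from DER contents (first octet = 40*arc1 + arc2, fine here)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm, the field right after tbsCertificate."""
    tag, pos, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, pos)                       # skip tbsCertificate
    _, pos, _ = _tlv(der, tbs_end)                       # AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, pos)                       # algorithm OBJECT IDENTIFIER
    return _oid_to_str(der[start:end])

def weak_signatures(pem_chain):
    """[(index, oid, name)] for each cert in a PEM chain signed with MD5 or SHA-1."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_chain, re.S)
    oids = [signature_oid(base64.b64decode("".join(p.split()))) for p in pems]
    return [(i, o, WEAK_SIG_OIDS[o]) for i, o in enumerate(oids) if o in WEAK_SIG_OIDS]

def _der(tag, body):                                     # minimal DER encoder, fixture only
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body
def fake_cert_pem(sig_oid_der):
    """Constructed placeholder, not a real certificate: just the three top-level fields."""
    der = _der(0x30, _der(0x30, b"\x00" * 300)                       # tbsCertificate stand-in
                     + _der(0x30, _der(0x06, sig_oid_der) + b"\x05\x00")  # signatureAlgorithm
                     + _der(0x03, b"\x00" * 17))                         # signatureValue stand-in
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

On a real chain, feed the PEM text of the served chain (for example as saved from `openssl s_client -showcerts`) to `weak_signatures`; an empty list means no MD5/SHA-1 signature is present.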