Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

Bug #1709193 reported by Simon Déziel on 2017-08-07
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnutls26 (Ubuntu)
Status tracked in Artful
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Zesty
Undecided
Unassigned
Artful
Undecided
Unassigned
gnutls28 (Debian)
Fix Released
Unknown
gnutls28 (Ubuntu)
Status tracked in Artful
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Zesty
Undecided
Unassigned
Artful
Undecided
Unassigned
ssmtp (Ubuntu)
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Zesty
Undecided
Unassigned
Artful
Undecided
Unassigned

Bug Description

[Impact]

Applications using GnuTLS OpenSSL compat layer [1] are be unable to use modern TLS versions (1.1 and 1.2) when relying on the SSLv23_{client,server}_method functions.

There is an industry-wide push to use modern TLS versions, see [2] and [3] for example.

The proposed fix changes the compat layer to use GnuTLS' "NORMAL" priority [4] instead of hard-coding which protocol versions and ciphers to enable.

[Test Case]

1) Setup a mail submission server that uses StartTLS
2) Setup sSMTP (uses GnuTLS OpenSSL compat layer) to relay
   through the mail relay using StartTLS
3) Send an email while capturing with tcpdump/tshark
4) Inspect the submission connection (TCP/587) and look for the protocol
   version negotiated by the client.

Without the fix, you should see TLSv1.0. With the fix, it should be TLSv1.2.

Please see the original issue description for more details.

[Regression Potential]

Regression risk should be low since it's a backport of a simple fix that landed in Debian in April 2017.

[References]

1: $ apt-cache rdepends libgnutls-openssl27
libgnutls-openssl27
Reverse Depends:
  libgnutls-dev
  libgnutls-dev
  zoneminder
  yaskkserv
  tf5
  ssmtp
  snowdrop
  sngrep
  slrnpull
  slrn
  sipsak
  macopix-gtk2
  gnss-sdr
  gkrellm
  freewheeling
  boinctui
  iputils-ping

2: https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
3: https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
4: https://gnutls.org/manual/html_node/Priority-Strings.html

[Original issue description]

sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587 that offers TLSv1.0 and higher:

$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
        Version: TLS 1.0 (0x0301)
        Handshake Protocol: Client Hello
            Version: TLS 1.0 (0x0301)
            Cipher Suites Length: 30
            Cipher Suites (15 suites)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl s_client is able to do:

$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256

Additional information:

$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
$ apt-cache policy ssmtp libgnutls-openssl27
ssmtp:
  Installed: 2.64-8ubuntu1
  Candidate: 2.64-8ubuntu1
  Version table:
 *** 2.64-8ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
libgnutls-openssl27:
  Installed: 3.4.10-4ubuntu1.3
  Candidate: 3.4.10-4ubuntu1.3
  Version table:
 *** 3.4.10-4ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.10-4ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ssmtp 2.64-8ubuntu1 [modified: etc/ssmtp/revaliases]
ProcVersionSignature: Ubuntu 4.4.0-89.112-generic 4.4.76
Uname: Linux 4.4.0-89-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Mon Aug 7 18:13:33 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ssmtp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ssmtp.revaliases: [modified]
mtime.conffile..etc.ssmtp.revaliases: 2017-08-05T13:44:06.274302

Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) wrote :

There is a Debian patch (debian/patches/01-374327-use-gnutls.patch) that changed ssmtp to link with GnuTLS OpenSSL compat layer. If I drop this patch and link with "-lssl -lcrypto", ssmtp has no problem using TLSv1.2 and AES GCM:

$ tshark -ta -Vr submission-openssl.pcap | sed -n '/^Frame 11:/,/^Frame 12:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
        Version: TLS 1.0 (0x0301)
        Handshake Protocol: Client Hello
            Version: TLS 1.2 (0x0303)
            Cipher Suites Length: 170
            Cipher Suites (85 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                ...
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                ...
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Simon Déziel (sdeziel) wrote :

After some research, I found this GnuTLS bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857436 and it's accompanying changelog:

   * OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
     which includes TLS1.2 support. Closes: #857436

Maybe it's more an GnuTLS issue than a ssmtp one.

Simon Déziel (sdeziel) on 2017-08-10
no longer affects: ssmtp
Changed in ssmtp (Ubuntu):
status: New → Invalid
summary: - Unable to use TLSv1.1 or 1.2
+ Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer
Simon Déziel (sdeziel) wrote :

I'm attaching a debdiff for gnutls28 from Xenial. It worked in my tests to have ssmtp use TLSv1.2.

I'll try to provide a debdiff for Artful as well.

The attachment "lp1709193-16.04.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) wrote :
Changed in gnutls28 (Debian):
status: Unknown → Fix Released
Changed in gnutls26 (Ubuntu Trusty):
status: New → Confirmed
Changed in gnutls26 (Ubuntu Xenial):
status: New → Invalid
Changed in gnutls26 (Ubuntu Zesty):
status: New → Invalid
Changed in gnutls26 (Ubuntu Artful):
status: New → Invalid
Changed in ssmtp (Ubuntu Trusty):
status: New → Invalid
Changed in ssmtp (Ubuntu Xenial):
status: New → Invalid
no longer affects: ssmtp (Ubuntu)
Changed in ssmtp (Ubuntu Zesty):
status: New → Invalid
Changed in gnutls28 (Ubuntu Trusty):
status: New → Won't Fix
Changed in gnutls28 (Ubuntu Xenial):
status: New → Confirmed
Changed in gnutls28 (Ubuntu Zesty):
status: New → Confirmed
Changed in gnutls28 (Ubuntu Artful):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

ACK on the artful debdiff. I've uploaded it now with a slight adjustment to put the bug numbers in the patch tags. Thanks!

Changed in gnutls28 (Ubuntu Artful):
status: Confirmed → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

ACK on the trusty, xenial and zesty debdiffs. Uploaded for processing by the SRU team. Thanks!

Changed in gnutls26 (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in gnutls28 (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in gnutls28 (Ubuntu Zesty):
status: Confirmed → In Progress
Simon Déziel (sdeziel) on 2017-08-11
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.8-6ubuntu2

---------------
gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium

  * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler:
    OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
    which includes TLS1.2 support. (LP: #1709193)

 -- Simon Deziel <email address hidden> Thu, 10 Aug 2017 00:34:06 +0000

Changed in gnutls28 (Ubuntu Artful):
status: Fix Committed → Fix Released

Hello Simon, or anyone else affected,

Accepted gnutls28 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.5.6-4ubuntu4.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls28 (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in gnutls28 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Simon, or anyone else affected,

Accepted gnutls28 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Brian Murray (brian-murray) wrote :

Hello Simon, or anyone else affected,

Accepted gnutls26 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Simon Déziel (sdeziel) wrote :

Verified on Xenial with:

$ apt-cache policy libgnutls-openssl27:amd64
libgnutls-openssl27:
  Installed: 3.4.10-4ubuntu1.4
  Candidate: 3.4.10-4ubuntu1.4
  Version table:
 *** 3.4.10-4ubuntu1.4 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.10-4ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     3.4.10-4ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

tags: added: verification-done-xenial
removed: verification-needed-xenial
Simon Déziel (sdeziel) wrote :

Verified on Zesty with:

$ apt-cache policy libgnutls-openssl27:amd64
libgnutls-openssl27:
  Installed: 3.5.6-4ubuntu4.2
  Candidate: 3.5.6-4ubuntu4.2
  Version table:
 *** 3.5.6-4ubuntu4.2 500
        500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.6-4ubuntu4.1 500
        500 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu zesty-security/main amd64 Packages
     3.5.6-4ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu zesty/main amd64 Packages

tags: added: verification-done-zesty verification-needed-xenial
removed: verification-done-xenial verification-needed-zesty
tags: added: verification-done-xenial verification-failed-trusty
removed: verification-needed-trusty verification-needed-xenial
Simon Déziel (sdeziel) wrote :

The trusty-proposed version (2.12.23-12ubuntu2.9) doesn't work and introduces a regression preventing successful TLS/SSL connections. I'll check if there is an easy fix for gnutls26.

Simon Déziel (sdeziel) wrote :

On Truty with 2.12.23-12ubuntu2.9, the sSMTP client would abort the StartTLS connection complaining it didn't support the signature algorithm in use.

When validating I used a mail relay with a RSA-SHA256 cert signed by CAcert.org. CAcert.org is (self-signed) RSA-MD5. It turned out that Trusty also needed the GnuTLS priority string to include %VERIFY_ALLOW_SIGN_RSA_MD5 to support that use case and avoid the regression. It's unclear to me why only gnutls26 needed this since I used the exact same test case for all 3 distro versions.

The version 2 of the debdiff for Trusty was tested with certificates chains including MD5, SHA1 and SHA256 certificates and revealed no problem and fixed the regression previously found.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.