TLSv1.2 enabling tracker bug

Bug #1257877 reported by Marc Deslauriers on 2013-12-04
284
This bug affects 6 people
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
Undecided
Unassigned

Bug Description

Since the introduction of openssl 1.0.1 in Ubuntu, TLSv1.2 has been disabled on the client side to prevent compatibility issues with certain web sites.

Since then, most web sites have been updated to properly handle TLSv1.2, and except for a single site, I cannot reproduce the failures with all of those listed in the previous bug reports.

Since TLSv1.2 should be enabled for the LTS release, I am re-enabling it. This is the tracker bug.

Related branches

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.1e-4ubuntu2

---------------
openssl (1.0.1e-4ubuntu2) trusty; urgency=low

  * Re-enable full TLSv1.2 support (LP: #1257877)
    - debian/patches/tls12_workarounds.patch: disable patch to re-enable
      full TLSv1.2 support. Most problematic sites have been fixed now, and
      we really want proper TLSv1.2 support in an LTS.
 -- Marc Deslauriers <email address hidden> Wed, 04 Dec 2013 12:33:44 -0500

Changed in openssl (Ubuntu):
status: New → Fix Released
Scott Moser (smoser) wrote :

fwiw, I'm seeing issues with offlinemap and alpine seemingly as a result of this bug.

offlineimap now prints errors like:
Establishing connection to mail.brickies.net:993
ERROR: While attempting to sync account 'ssm'
  [Errno 104] Connection reset by peer

alpine gives 'connection reset by peer' error also.

Marc Deslauriers (mdeslaur) wrote :

It looks like mail.brickies.net dies when something attempts to connect using TLSv1.2.

Papamatti (matti-lx) wrote :

Please backport it to Ubuntu 12.04 LTS.

Scott Moser (smoser) wrote :

just for my own recollection, to test if this were fixed on the server side:
 openssl s_client -host mail.brickies.net -port 993 -tls1_2

Currently, the above starts with:
CONNECTED(00000003)
write:errno=104

with tls__1, it dies differently, and goes into imap connection with '-tls1'.

Jeffrey Walton (noloader) wrote :

> fwiw, I'm seeing issues with offlinemap and alpine seemingly as a result of this bug.
>
> offlineimap now prints errors like:
> Establishing connection to mail.brickies.net:993
> ERROR: While attempting to sync account 'ssm'
> [Errno 104] Connection reset by peer

If offlinemap is offlinemap.com (with description "OffMaps: Offline Maps App for iPhone, iPad & iPod Touch"), then it could be Apple's broken SecureTransport *if* the server is running Apple software. The bug is courtesy of a bad ECDHE-ECDSA implementation. See [1] and [2] for details.

Apple never published an advisory or credited folks with the bug. So its hard to say what versions of their operating system are affected by the broken SecureTransport. Its believed to affect OS X 10.8 through 10.8.4 or so. Its also believed to affect iOS 7 through iOS 7.4 or so. Its also believed that Apple did not backport the fix, so broken versions of their SecureTransport will remain broken.

The OpenSSL folks provided a workaround to the Apple ECDHE-ECDSA bug. But there are two issues with it. First, a developer must "opt-in" by setting SSL_OP_SAFARI_ECDHE_ECDSA_BUG on the context (SSL_CTX object). Second, I'm not sure if SSL_OP_SAFARI_ECDHE_ECDSA_BUG is available in the 1.0.1 branch.

[1] http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
[2] http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html

Haw Loeung (hloeung) wrote :

Jeffrey, I believe it is OfflineIMAP - http://offlineimap.org/

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers