Unable to configure or disable TLS 1.3 via openssl.cnf
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
Bionic |
Invalid
|
High
|
Unassigned | ||
Cosmic |
Invalid
|
High
|
Unassigned | ||
Disco |
Invalid
|
High
|
Unassigned | ||
Eoan |
Invalid
|
High
|
Unassigned |
Bug Description
[Description]
Since OpenSSL 1.1.1 was backported to Bionic, some (all?) applications gained access to TLS 1.3 by default. The applications that were not rebuilt against OpenSSL 1.1.1 can't tune the TLS 1.3 settings (protocol, ciphersuites selection, ciphersuites order) like it's possible with 1.2 and below. As such, one should turn to configuring /etc/ssl/
Here is how I'd expect to be able to turn off TLS 1.3:
# diff -Naur /etc/ssl/
--- /etc/ssl/
+++ /etc/ssl/
@@ -12,6 +12,16 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_
+
+MaxProtocol = TLSv1.2
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
This doesn't work as 'openssl s_client -connect rproxy.
Similarly, trying to change the 'Ciphers' or the 'Ciphersuites' list with:
# diff -Naur /etc/ssl/
--- /etc/ssl/
+++ /etc/ssl/
@@ -12,6 +12,17 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = system_default_sect
+
+[system_
+
+Ciphers = TLS_AES_
+Ciphersuites = TLS_AES_
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
Doesn't work as s_client keeps negotiating TLS 1.3 with TLS_AES_
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.
ProcVersionSign
Uname: Linux 4.15.0-51-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 11 11:22:47 2019
InstallationDate: Installed on 2018-07-15 (331 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180714)
ProcEnviron:
LANG=en_CA.UTF-8
TERM=xterm-
SHELL=/bin/bash
XDG_RUNTIME_
PATH=(custom, no user)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in openssl (Ubuntu): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
tags: | added: rls-ee-incoming |
Changed in openssl (Ubuntu): | |
assignee: | Dimitri John Ledkov (xnox) → nobody |
Changed in openssl (Ubuntu): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
Changed in openssl (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in openssl (Ubuntu Cosmic): | |
importance: | Undecided → High |
Changed in openssl (Ubuntu Disco): | |
importance: | Undecided → High |
Changed in openssl (Ubuntu Eoan): | |
importance: | Undecided → High |
tags: | added: id-5d0269c526b1af4a5c615490 |
tags: | removed: rls-ee-incoming |
tags: | added: patch |
Changed in openssl (Ubuntu Bionic): | |
status: | Incomplete → Invalid |
Changed in openssl (Ubuntu Cosmic): | |
status: | Incomplete → Invalid |
Changed in openssl (Ubuntu Disco): | |
status: | Incomplete → Invalid |
Changed in openssl (Ubuntu Eoan): | |
status: | Incomplete → Invalid |
In my tests, I used NGINX with those TLS related params:
# grep -r ssl_ /etc/nginx/ nginx.conf /etc/nginx/conf.d/ /etc/nginx/ sites-enabled/ nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE nginx.conf: ssl_prefer_ server_ ciphers on; conf.d/ ssl.conf: ssl_ciphers TLS_CHACHA20_ POLY1305_ SHA256: TLS_AES_ 128_GCM_ SHA256: TLS_AES_ 256_GCM_ SHA384: ECDHE-RSA- CHACHA20- POLY1305: ECDHE-RSA- AES128- GCM-SHA256: ECDHE-RSA- AES256- GCM-SHA384; conf.d/ ssl.conf: ssl_session_ cache shared:SSL:1m; conf.d/ ssl.conf: ssl_session_ timeout 1d; conf.d/ ssl.conf: ssl_session_ tickets off; conf.d/ ssl.conf: ssl_certificate /etc/nginx/ certs/sdeziel. info/fullchain. pem; conf.d/ ssl.conf: ssl_certificate _key /etc/nginx/ certs/sdeziel. info/privkey. pem; conf.d/ ssl.conf: ssl_stapling on;
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
/etc/nginx/
I used many variations of ssl_ciphers and ssl_protocols to no avail. My main goal is to have TLS 1.3 and 1.2 enabled with this ciphers list from above but that doesn't work as seen here: /dev.ssllabs. com/ssltest/ analyze. html?d= sdeziel. info&s= 2001%3a470% 3ab1c3% 3a7942% 3a0%3a0% 3a0%3a80& hideResults= on&latest
https:/