openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in Chrome and Firefox

Example output:

jik@jik-x1:~$ curl -v https://www.toodledo.com/
* Trying 146.20.52.175:443...
* TCP_NODELAY set
* Connected to www.toodledo.com (146.20.52.175) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I may be misunderstanding something, but as far as I can tell this is not a cipher mismatch problem.

According to https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com, the site supports TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. According to "openssl ciphers", openssl supports ECDHE-RSA-AES128-GCM-SHA256, which apperas to be the same thing. But `curl -v --ciphers ECDHE-RSA-AES128-GCM-SHA256 --tlsv1.2 --tls-max 1.2 https://www.toodledo.com/` still fails.

Aha! `curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://www.toodledo.com/` works but `curl -v --ciphers 'DEFAULT:@SECLEVEL=2' https://www.toodledo.com/` fails.

According to https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_get_security_level.html, the default security level for the library is 1 if it isn't specified at compile time. Has Canonical made a decision to set a higher security level by default?

Oh, wait, it appears that yes it has. `openssl version -a` says `-DOPENSSL_TLS_SECURITY_LEVEL=2`.

It appears that this was an intentional change? I question the advisability of this, especially since it doesn't appear that there's any way to override it in a configuration file (is there?).

I am not sure it is advisable for command-line tools in the OS to have stricter security level requirements than users' browsers?

The browsers will require SECLEVEL=2 from April 2020, the change in libraries has already landed.

You can override this via command-line, a system config file, or a local config file + environment variable pointing to it.

On Ubuntu 20.04 LTS:

man SSL_CTX_get_security_level.3ssl

does have:
--
Level 2
On Ubuntu, TLS versions below 1.2 are not permitted.

NOTES
The default security level can be configured when OpenSSL is compiled by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. On Ubuntu, 2 is used.
--

In addition to having TLSv1.2 min, DTLSv1.2 min, bigger keys ie 2048 bit RSA, we are still to land requirement to reject SHA1 signatures on certs.

This is an intentional change.

About the server:

- It's certificate is valid for 2 years, and Apple has started to rejecting any servers for which certificate is valid for more than 13 months.

- It has a SHA1withRSA certificate in its chain, which will be rejected by all clients soon.

- It supports many weak TLSv1.2 ciphersuites

- It is susceptible to OpenSSL 0-Length attack

Please contact the administrators of said website to secure it immediately & acquire certificate with shorter timespan and no SHA1 signatures.

Fair enough, I will contact the web site maintainer. However, regarding this:

>You can override this via command-line, a system config file, or a local config file + environment variable pointing to it.
>
>On Ubuntu 20.04 LTS:
>
>man SSL_CTX_get_security_level.3ssl

1) I searched high, low, and sideways, and couldn't find any documentation of how to override this via a config file or environment variable. Regarding command line, I imagine that is going to be different for each program, and I did manage to figure out how to do it for curl, but it took a huge amount of educated effort that the vast majority of users are not going to be able to figure out.

2) I don't know what deb the man pages for the OpenSSL API are in, but whichever one it is, it's not in the package install set that most people get. That man page is not available on my system, for example.

There is still something wrong here.

The site in question has fixed the issue in response to my query, and SSL Labs now gives it an A grade:

https://www.ssllabs.com/ssltest/analyze.html?d=www.toodledo.com

According to SSL Labs, it supports these two ciphers for TLS 1.2:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

According to openssl ciphers -s -V, both of these are supported by openssl:

$ openssl ciphers -s -V | egrep '0xC0,0x(30|2F)'
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA
Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

And yet I'm still unable to connect to this server through openssl unless I downgrade the security level to 1.

You mentioned there being an SHA1 certificate in the chain, but I don't see one. The certs all seem to be SHA256.

I cannot find any evidence that security level 2 blocks the use of certificates with lifetimes of more than a year. Is that an undocumented "feature" of security level 2?

Lifetimes of more than a year is only implemented by Apple on their products. Longevity of the certifications do not matter on Ubuntu.

So, in their chain of certs that they present there is still an RSA-SHA1 certificate. It shouldn't affect validation, as the other certs in the chain are sufficient (for example gnutls-cli toodledo.com connects fine) but it does trip up openssl:

- Certificate[3] info:
 - subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20 UTC', pin-sha256="VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8="

Now, they could remove that cert from the chain that their server uses. But also they should not need to do this and openssl should just work.

I've now opened upstream issues about this on the OpenSSL bug tracker.

However, todoodle.com could refresh their certificate chain with an up to date G2 godaddy SSL certificate chain, instead of the one that ends on a CA Root certificate which is no longer trustworthy.

>> You can override this via command-line, a system config file, or a local config file + environment variable pointing to it.

Some hints as to how to achieve that "local config file + environment variable" would be extremely useful.
I've tried it and got nowhere, although I know that setting SECLEVEL=1 would fix my immediate problem, as I can set it on a command line for openssl s_client.

See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1878519

Forcing a minimum SECLEVEL of 2 by default is fine, but there has to be some-way of letting users reduce this when they are talking to external services, or providing services for external clients that cannot, for some reason,change at the moment.

This bug affects me too, with a client certificate that now "magically" does not match the requirements.

Ironically, the error message says only:

OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)

although there was no MD5 signature involved at all. So, even when you know that with OpenSSL 1.1, an "SSL security level" has been introduced, and that Ubuntu has set that level to 2, it is hard to find that it deprecates SHA1 now (see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html).

Thus, even for more knowledgable people than me this is a major hassle to find and/or fix. I wonder why Ubuntu has chosen to raise the level that high considering that the documentation page contains a clear warning indication:

"WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended. This is because the SHA1 algorithm is very widely used in certificates and will be rejected at levels higher than 1 because it only offers 80 bits of security."

I think that this is an extremely unwise choice for an OS to make.

That being said, here is the fix (also hard to find):

In /etc/ssl/openssl.cnf, add this line before the start of the file:

 openssl_conf = default_conf

At the end of the file, add these lines:

 [default_conf]
 ssl_conf = ssl_sect

 [ssl_sect]
 system_default = system_default_sect

 [system_default_sect]
 CipherString = DEFAULT:@SECLEVEL=1

This will bring down the SSL security level to the former level of 1.

Also affects me with many HTTPS sites, such as teams.microsoft.com, but haven't been able to post a bug here because SSL or whatever isn't working. I imagine many can't post that it's broken, but tons of websites aren't working in Firefox or chrome or wget for me.

the openssl.cnf fix doesn't really work... allows me to connect to sites, but when loading their pages, it takes forever. unusable. Also tried SECLEVEL=0... same.

Looking at the bug report opened upstream ( https://github.com/openssl/openssl/issues/11236 ), this is considered a bug on the server side and I'm inclined to follow openssl upstream on this.

Moreover, I've tried all the tests provided in this bug and all have succeeded.

I'll mark the bug as Invalid.

I mean, the bug is three years old and presumably by now the vast majority of web sites have renewed their certificates and the new ones are compatible with SECLEVEL=2 since all of the signing authorities stopped issuing incompatible ones years ago, so it's kind of moot at this point.