Package: libssl1.0.0
Version: 1.0.1k-3+deb8u1
Severity: normal

Dear Maintainer,
the last update for openssl/libssl has the following in its changelog:

> openssl (1.0.1k-3+deb8u1) jessie-security; urgency=medium
>   * CVE-2015-4000: Have minimum of 768 bit for DH

Which is probably The Right Thing to do, but it breaks a stunnel4 client connection to a STARTTLS SMTP server (that I have no control over):

=========================================
LOG5[28161]: Service [mailhost] accepted connection from ::1:58363
LOG6[28161]: s_connect: connecting mailhost:25
LOG5[28161]: s_connect: connected mailhost:25
LOG5[28161]: Service [mailhost] connected remote server from 127.0.0.1:54733
LOG6[28161]: SNI: sending servername: localhost
LOG3[28161]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
LOG5[28161]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
=========================================

The stunnel configuration can be found below.

I was about to report this as a bug against the stunnel4 package, but since the last libssl update "broke" it, I decided to report it against libssl - feel free to re-assign.

I tried the following versions of libssl, with various results:

=== unstable =========================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.2c-1/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:39:30 LOG5[30390]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:39:30 LOG5[30390]: Running with OpenSSL 1.0.2c 12 Jun 2015
[...]
2015.06.18 22:40:00 LOG6[30424]: SNI: sending servername: localhost
2015.06.18 22:40:01 LOG3[30424]: SSL_connect: 14082174: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
2015.06.18 22:40:01 LOG5[30424]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

=== jessie (latest, 1.0.1k-3+deb8u1) =================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-3+deb8u1/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:34:54 LOG5[30211]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:34:54 LOG5[30211]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:35:10 LOG6[30226]: SNI: sending servername: localhost
2015.06.18 22:35:11 LOG3[30226]: SSL_connect: 14082174: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
2015.06.18 22:35:11 LOG5[30226]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

=== jessie (1.0.1k-3) ================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-3/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:37:07 LOG5[30282]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:37:07 LOG5[30282]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:37:30 LOG6[30289]: SSL connected: new session negotiated
2015.06.18 22:37:30 LOG6[30289]: Negotiated TLSv1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)
2015.06.18 22:37:30 LOG6[30289]: Compression: null, expansion: null

=== jessie (1.0.1k-2) ================================================================
$ LD_LIBRARY_PATH=$HOME/test/ssl/libssl1.0.0_1.0.1k-2/usr/lib/x86_64-linux-gnu stunnel4 $HOME/.stunnel.conf
2015.06.18 22:33:15 LOG5[30175]: Compiled with OpenSSL 1.0.1j 15 Oct 2014
2015.06.18 22:33:15 LOG5[30175]: Running with OpenSSL 1.0.1k 8 Jan 2015
[...]
2015.06.18 22:33:28 LOG6[30186]: SSL connected: new session negotiated
2015.06.18 22:33:28 LOG6[30186]: Negotiated TLSv1 ciphersuite DHE-RSA-AES256-SHA (256-bit encryption)
2015.06.18 22:33:28 LOG6[30186]: Compression: null, expansion: null
======================================================================================

Some more notes on the stunnel4 package, from its manpage:

> DH PARAMETERS
>     Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
>     It is also possible to specify DH parameters in the certificate file:
>         openssl dhparam 2048 >> stunnel.pem

But this is only possible when running stunnel4 in *server* mode - in client mode (and without client certificates involved), I don't have any stunnel.pem configured and thus cannot add any DH parameters. Or maybe it's possible, but I could not find it documented.

Workaround:

1) Don't upgrade to 1.0.1k-3+deb8u1 :-)

2) Extract an older version of libssl, then use
   LD_LIBRARY_PATH=/path/to/older/version stunnel4 stunnel.conf

3) Use a non-DH cipher, if the server supports any. In my case, the following ciphers were supported by the server:

   AES128-SHA                ***
   AES256-SHA                ***
   DES-CBC3-SHA
   DES-CBC-SHA
   DHE-RSA-AES128-SHA
   DHE-RSA-AES256-SHA
   EDH-RSA-DES-CBC3-SHA
   EDH-RSA-DES-CBC-SHA
   EXP-DES-CBC-SHA
   EXP-EDH-RSA-DES-CBC-SHA
   EXP-RC4-MD5
   EXP-RC4-MD5
   RC4-MD5
   RC4-MD5
   RC4-SHA

   I went with AES128-SHA resp. AES256-SHA; I wanted to avoid RC4, DH (unusable), EXP (export) and DES.

   So, for stunnel, I added the following service-level option to the configuration file:

   ciphers = AES256-SHA

Thanks,
Christian.
============ stunnel.conf ===============
debug = 6
output = /home/christian/.log/stunnel.log
pid = /home/christian/.log/stunnel.pid
syslog = no
foreground = yes

[mailhost]
client = yes
accept = localhost:2024
connect = mailhost:25
protocol = smtp
============ stunnel.conf ===============

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-rc6 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.0.0:amd64 depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18
ii  multiarch-support      2.19-18

libssl1.0.0:amd64 recommends no packages.

libssl1.0.0:amd64 suggests no packages.

-- debconf-show failed
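An added example, not part of Christian's report and not code from stunnel or OpenSSL: a small Python script that applies the cipher-selection criteria from workaround 3 (no DHE suites unless the server's DH parameters meet the 768-bit floor, and no EXP, RC4 or DES) to the cipher list the server advertised, and emits the matching stunnel `ciphers =` line. The `Server Temp Key` line is a constructed sample of what `openssl s_client -starttls smtp -connect host:25` prints with OpenSSL 1.0.2 or later; the cipher list is the one from the report.

```python
"""Pick a stunnel 'ciphers =' value for a STARTTLS server whose ephemeral DH
parameters fall below OpenSSL's new 768-bit floor ('dh key too small').
Added example, not from the bug report; the cipher list is the reporter's, the
'Server Temp Key' line is a constructed sample of OpenSSL 1.0.2+ s_client output."""
import re

# From the report: ciphers the SMTP server advertised (duplicates dropped here).
SERVER_CIPHERS = """AES128-SHA AES256-SHA DES-CBC3-SHA DES-CBC-SHA DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 RC4-MD5 RC4-SHA""".split()
# Constructed sample line; s_client (1.0.2+) reports the server's DH size this way.
S_CLIENT_OUTPUT = "Server Temp Key: DH, 512 bits\n"
MIN_DH_BITS = 768  # minimum enforced by openssl 1.0.1k-3+deb8u1 (CVE-2015-4000)

def dh_bits(s_client_output):
    """Return the ephemeral DH size from s_client output, or None if absent."""
    m = re.search(r"Server Temp Key: DH, (\d+) bits", s_client_output)
    return int(m.group(1)) if m else None

def avoid_reasons(cipher):
    """Reasons, per the reporter's criteria, not to use an OpenSSL cipher name."""
    reasons = set()
    if cipher.startswith("EXP-"):
        reasons.add("export")
    if "DHE-" in cipher or "EDH-" in cipher:
        reasons.add("dhe")  # ephemeral DH; acceptable only with strong server params
    if "RC4" in cipher:
        reasons.add("rc4")
    if "DES" in cipher:  # single DES and DES-CBC3 (3DES)
        reasons.add("des")
    return reasons

def usable_ciphers(server_ciphers, dh_size, min_dh=MIN_DH_BITS):
    """Ciphers that pass, in server order; DHE suites are kept only if DH is strong."""
    dh_ok = dh_size is not None and dh_size >= min_dh
    picked = []
    for c in server_ciphers:
        reasons = avoid_reasons(c)
        if dh_ok:
            reasons.discard("dhe")
        if not reasons and c not in picked:
            picked.append(c)
    return picked

def stunnel_ciphers_line(server_ciphers, s_client_output):
    """Service-level 'ciphers =' line for stunnel.conf, or None if nothing fits."""
    picked = usable_ciphers(server_ciphers, dh_bits(s_client_output))
    return "ciphers = " + ":".join(picked) if picked else None
```

With the constructed 512-bit sample the script yields `ciphers = AES128-SHA:AES256-SHA`; once the server's DH parameters reach the floor, the DHE-RSA-AES suites are kept as well.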