Your message dated Sun, 25 Sep 2022 02:08:31 +0200 with message-id <Yy+b/6+0dcgph...@roeckx.be> and subject line Re: [Pkg-openssl-devel] Bug#1020652: openssl: tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2254: has caused the Debian Bug report #1020652, regarding openssl: tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2254: to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1020652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020652 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: openssl Version: 3.0.5-4 Severity: serious Justification: does not work any more X-Debbugs-Cc: t...@mirbsd.de $ openssl s_client -CApath /etc/ssl/certs -connect www.mirbsd.org:443 -legacy_renegotiation -tls1 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = fish.mirbsd.org verify return:1 00B093C1B27F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2254: --- Certificate chain 0 s:CN = fish.mirbsd.org i:C = US, O = Let's Encrypt, CN = R3 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 14 07:16:16 2022 GMT; NotAfter: Nov 12 07:16:15 2022 GMT 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIGMjCCBRqgAwIBAgISA933/gWwGzwPvGuCEliwTrbPMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMjA4MTQwNzE2MTZaFw0yMjExMTIwNzE2MTVaMBoxGDAWBgNVBAMT D2Zpc2gubWlyYnNkLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB AMZcYzruTphJh0thHN1SrUba1XNcIDWKBytnd1GSEvAyRHPZPrpbBY4kEFRztdZg iIUuRSQffmmEgdCNpstXkPSZkZ7HPveTQV2oXK/T1EaoZP4PKWbO3sKZX2wMEr0x FmDPeQfcfo3UOPWWwQYeV5ac8De9NPnEXuKafoMBNFPVtDwbJuTMmXUFjm6uxCWb g4UIhGCKywMGhTmP6oxYCNBLi6PCZ3jByRLq/nemkKHl/YOsr9r/oP4LeDay6mDJ xWJ9aX1V6PpbV4J4O6F0VWCNjMSV+KK0FUxny1s6w7ILzubSkGisE2cISIr8lWg+ 0NB+M0sDSV4+GAPTH0bq04Yt3j2btnuH0oG0StZZLjNkRl3BFmnGRzTpEOG6SeEN +M9VF+A7mZY/JagSaFfZlfHYFvPO96jbIAa4Bn8RjhhtW8bKWeLaVi0OG9saahCn VXMXeTm3alET3lOGp+diAl2IrbQk80IUy9bM5eie4gluHkirM5xqO1Xv0rZ5jfJ4 1O5xRhkm71ZT8c8abe2/p0YPhGq2tLHXtDjMdJAYleic+c4iOXPTN3VOOl4Iucz5 F8il7edioa0bf/6Wgz61DpeRFjv85cYX5I2UbWOC7D219A8fJrB9NQTresI/BSz9 THRRydxSiLQmVkb6Ao55FuO7TbEvBIeSCE6OT33bZsBPAgMBAAGjggJYMIICVDAO BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG A1UdEwEB/wQCMAAwHQYDVR0OBBYEFCQz8IT0s7sJrskFItZ5nrA3XELqMB8GA1Ud IwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggr BgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRw Oi8vcjMuaS5sZW5jci5vcmcvMCoGA1UdEQQjMCGCD2Zpc2gubWlyYnNkLm9yZ4IO d3d3Lm1pcmJzZC5vcmcwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEC BgorBgEEAdZ5AgQCBIHzBIHwAO4AdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlN XSZcJV3HhAAAAYKbbND5AAAEAwBGMEQCIB3PMPGlppnMneCfwDxozkJzKTwhys8Z DhUvU6WDD2KQAiA6sfxnk72LGLxEv7qWjyPBbA9o7/QZKAq34QmMg63KiAB1AEHI yrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABgpts0wYAAAQDAEYwRAIg Ob+e77xpbe10RPB9sp1IwRc7Bk/Oe1RP5YDmOgk2BVQCIG74jX2VsC6Hhe3hlilr DmlYh3mWRqC/CPKx3N8ymdVxMA0GCSqGSIb3DQEBCwUAA4IBAQCfEGT2fDCjRlTO weYlN8UUc/S2SXHUet+eDQNRBA/+w9HCggLd/Iw0nX+7EEFKP8fXHrYFwTtDwCjG v1qFpEvQFMEfmcRVEQWdvt8VSjBhRxYXFcxWazBfOqo5ZmRVdQChytx7PHwbl1jW CELQ41COfNw9TS8i4VixGxauEIx6YDWuA0cFfe+3UaANosW7y2gPJqGjA1PZaV3E Dn9wTPJGN2F+XkvNxdohqCQLh9N69mR4DMnQ39gd7uhGszobx5u7Y6Ih5zVEqsFF kHrxG9/h69tMCRKhtgmLZwVk/ZZ/dXDKFPDFJbnpwD+FB2O7f+bcBA3uw2809nBo DkHfZ0Rc -----END CERTIFICATE----- subject=CN = fish.mirbsd.org issuer=C = US, O = Let's Encrypt, CN = R3 --- No client certificate CA names sent Server Temp Key: DH, 2048 bits --- SSL handshake has read 4035 bytes and written 134 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : 0000 Session-ID: 0B21021F7E84628356DF05BD801681058EB87148083C224017E4AA4DEC59B243 Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1664051609 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- $ _ So it opens the connection but cannot use it. (Note that, while -legacy_renegotiation seems to be required now, the server has renegotiation disabled, it just doesn’t have the TLS extension to signal so yet.) -- System Information: Debian Release: bookworm/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental') merged-usr: no Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-10-amd64 (SMP w/4 CPU threads) Kernel taint flags: TAINT_FIRMWARE_WORKAROUND Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/lksh Init: sysvinit (via /sbin/init) Versions of packages openssl depends on: ii libc6 2.35-1 ii libssl3 3.0.5-4 openssl recommends no packages. Versions of packages openssl suggests: ii ca-bundle [ca-certificates] 20190604tarent1 -- Configuration Files: /etc/ssl/openssl.cnf changed: HOME = . # Use this in order to automatically load providers. openssl_conf = openssl_init config_diagnostics = 1 oid_section = new_oids [ new_oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 [openssl_init] ssl_conf = ssl_sect [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. # several certs with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key x509_extensions = usr_cert # The extensions to add to the cert name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = default # use public key default MD preserve = no # keep passed DN ordering policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extensions to add to the self signed cert string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Some-State localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Internet Widgits Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] basicConstraints=CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical,CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] basicConstraints=CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] dir = ./demoCA # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) signer_digest = sha256 # Signing digest to use. (Optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no) ess_cert_id_alg = sha1 # algorithm to compute certificate # identifier (optional, default: sha1) [insta] # CMP using Insta Demo CA server = pki.certificate.fi:8700 path = pkix/ recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer ignore_keyusage = 1 # potentially needed quirk unprotected_errors = 1 # potentially needed quirk extracertsout = insta.extracerts.pem ref = 3078 # user identification secret = pass:insta # can be used for both client and server side cmd = ir # default operation, can be overridden on cmd line with, e.g., kur subject = "/CN=openssl-cmp-test" newkey = insta.priv.pem out_trusted = insta.ca.crt certout = insta.cert.pem [pbm] # Password-based protection for Insta CA ref = $insta::ref # 3078 secret = $insta::secret # pass:insta [signature] # Signature-based protection for Insta CA trusted = insta.ca.crt # does not include keyUsage digitalSignature secret = # disable PBM key = $insta::newkey # insta.priv.pem cert = $insta::certout # insta.cert.pem [ir] cmd = ir [cr] cmd = cr [kur] cmd = kur oldcert = $insta::certout # insta.cert.pem [rr] cmd = rr oldcert = $insta::certout # insta.cert.pem [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1 CipherString = DEFAULT:@SECLEVEL=1 -- no debconf information
--- End Message ---
--- Begin Message ---On Sat, Sep 24, 2022 at 10:34:19PM +0200, Thorsten Glaser wrote: > $ openssl s_client -CApath /etc/ssl/certs -connect www.mirbsd.org:443 > -legacy_renegotiation -tls1 TLS 1.0 is not supported by default because it's insecure. You need to change the security level to 0, for instance by using the cipher string DEFAULT@SECLEVEL=0 Kurt
--- End Message ---
