Public bug reported:

On a machine with Ubuntu 20.04 and all available updates installed (including openssl and libssl openssl 1.1.1f-1ubuntu2):

user@host:~$ curl 'https://pub.orcid.org/'
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

On the same machine, but with the openssl and libssl packages downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:

user@host:~$ curl -I 'https://pub.orcid.org/'
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 23 Apr 2020 09:34:38 GMT
Location: https://pub.orcid.org/v3.0/
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: X-Mapping-fjhppofk=EDEB8B375DA428655747278237992826; path=/

I've also checked this with machines running other distros (OpenWRT and Archlinux), and with those distros, the error occurs neither with OpenSSL/libssl 1.1.1f nor with OpenSSL/libssl 1.1.1g.

This leads me to assume that the backported patch for CVE-2020-1967 in openssl/libssl 1.1.1f-1ubuntu2 is broken.

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1874413

Title:
  openssl 1.1.1f-1ubuntu2 breaks some TLS connections

Status in openssl package in Ubuntu:
  New