*** This bug is a duplicate of bug 1864689 ***
https://bugs.launchpad.net/bugs/1864689
Hi, thanks for reporting this issue.
This isn't caused by the patch for CVE-2020-1967, it is caused by
OPENSSL_TLS_SECURITY_LEVEL=2 being set as the minimum security level.
You can try it with a lowered security level by doing the following:
curl -v --ciphers 'DEFAULT:@SECLEVEL=1' https://pub.orcid.org
I believe it is caused by having an insecure SHA1 certificate in their
chain:
- Certificate[3] info:
- subject `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
Inc.,C=US', issuer `OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy
Group\, Inc.,C=US', serial 0x00, RSA key 2048 bits, signed using RSA-SHA1
(broken!), activated `2004-06-29 17:06:20 UTC', expires `2034-06-29 17:06:20
UTC', pin-sha256="VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8="
As such, I am marking this as a dupe of bug 1864689, you can follow progress on
the issue there.
Thanks.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1967
** This bug has been marked a duplicate of bug 1864689
openssl in 20.04 can't connect to site that was fine in 19.10 and is fine in
Chrome and Firefox
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1874413
Title:
openssl 1.1.1f-1ubuntu2 breaks some TLS connections
Status in openssl package in Ubuntu:
New
Bug description:
On a machine with Ubuntu 20.04 and all available updates installed
(including openssl and libssl1.1 1.1.1f-1ubuntu2):
user@host:~$ curl 'https://pub.orcid.org/'
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
failure
On the same machine, but with the openssl and libssl1.1 packages
downgraded to version 1.1.1c-1ubuntu4 from Ubuntu 19.10:
user@host:~$ curl -I 'https://pub.orcid.org/'
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 23 Apr 2020 09:34:38 GMT
Location: https://pub.orcid.org/v3.0/
Transfer-Encoding: chunked
Connection: Keep-Alive
Set-Cookie: X-Mapping-fjhppofk=EDEB8B375DA428655747278237992826; path=/
I've also checked this with machines running other distros (OpenWRT
and Archlinux), and with those distros, the error occurs neither with
OpenSSL/libssl1.1 1.1.1f nor with OpenSSL/libssl1.1 1.1.1g. This leads
me to assume that the backported patch for CVE-2020-1967 in
openssl/libssl1.1 1.1.1f-1ubuntu2 is broken.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1874413/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
