There are 2 issues with OpenSSL/TLSv1.2 in Ubuntu. I'm on 12.04, but I see the same patch in newer Ubuntu versions.
1) TLSv1.2 is removed from SSLv23_method(). It's technically a fine policy decision. But I think it should be reverted at least in new Ubuntu versions. All the sites mentioned in +1y old bugs work fine now with TLSv1.2 requests. And several high-profile browsers are now using the TLSv1.2 protocol by default (IE11, Chrome, Safari), so any remaining problematic sites will feel pain if they don't fix. E.g., see site and browser state here: https://www.ssllabs.com/ssltest/analyze.html?d=mediafire.com

My suggestion: remove this limitation at least from 14.04.

2) The TLSv1.2 ciphersuite list is cut to the first 25. Thanks to 1) this will affect only apps requesting TLSv1.2 explicitly. It allows only AES256 ciphersuites, which is not a big problem. But it also disables secure renegotiation, which is signaled with an extra ciphersuite. IOW: apps that want the "newest and most secure TLS version" get a crippled protocol instead of a connection failure if some middleware box fails.

My suggestion: please revert this patch from everywhere. It's a dumb idea to force "max-compat" on apps that explicitly want TLSv1.2.

--
https://bugs.launchpad.net/bugs/1256576
Title: Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2
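The two complaints above can be checked locally without any network access. The following is an added example, not code from the bug report or from Ubuntu's OpenSSL package; it uses Python's stdlib `ssl` module, and the `capped_context()` and `crippled_context()` helpers are constructed stand-ins for the patched SSLv23_method() and the truncated TLSv1.2 cipher list, not a reproduction of the actual patch.

```python
"""Audit what a local Python/OpenSSL build offers for TLS 1.2 (added example)."""
import ssl


def tls12_allowed(ctx: ssl.SSLContext) -> bool:
    """Issue 1: can this context negotiate TLS 1.2 at all?"""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    v12 = ssl.TLSVersion.TLSv1_2
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are negative sentinels, so treat them explicitly.
    lo_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= v12
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= v12
    return lo_ok and hi_ok


def audit_tls12_ciphers(ctx: ssl.SSLContext) -> dict:
    """Issue 2: how many suites are usable under TLS 1.2, and are they AES-256 only?

    TLS 1.3 suites also appear in get_ciphers() but are not governed by
    set_ciphers(), so they are excluded. Secure-renegotiation signalling is
    not exposed by Python's ssl module, so that part of the complaint is not
    checked here.
    """
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "count": len(names),
        "only_aes256": bool(names) and all("AES256" in n for n in names),
    }


def default_context() -> ssl.SSLContext:
    """Equivalent of SSLv23_method(): negotiate the highest mutually supported version."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def capped_context() -> ssl.SSLContext:
    """Constructed stand-in for a default method that never offers TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def crippled_context() -> ssl.SSLContext:
    """Constructed stand-in for a TLS 1.2-only context with an AES-256-only list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("default", default_context()), ("crippled", crippled_context())):
        print(label, "tls12:", tls12_allowed(ctx), audit_tls12_ciphers(ctx))
```

On a build without the Ubuntu patch the default context reports TLS 1.2 as allowed and a cipher list that is not AES-256 only; the constructed contexts show what the two complaints look like when audited the same way.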