Package: openssl
Version: 1.1.1-2
Severity: important

I've applied all the downgrades recommended to the openssl.cnf file and most services are now working again with the exception of openvpn.
The only failure seems to be a VPN connection to an openwrt router. The router is running Chaos Calmer 15.05 and has an upgraded openssl (to 1.0.2g-1). The error is on the debian server side and only shows up at openvpn extreme verbosity:

Sun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

The full verbose negotiation is

Sun Nov 4 08:40:04 2018 us=116122 50.35.68.20:56038 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Nov 4 08:40:04 2018 us=116160 50.35.68.20:56038 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun Nov 4 08:40:04 2018 us=116243 50.35.68.20:56038 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Nov 4 08:40:04 2018 us=116263 50.35.68.20:56038 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
RSun Nov 4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
WRRWRSun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Sun Nov 4 08:40:04 2018 us=150331 50.35.68.20:56038 TLS_ERROR: BIO read tls_read_plaintext error
Sun Nov 4 08:40:04 2018 us=150984 50.35.68.20:56038 TLS Error: TLS object -> incoming plaintext read error
Sun Nov 4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
Sun Nov 4 08:40:04 2018 us=152357 50.35.68.20:56038 SIGUSR1[soft,tls-error] received, client-instance restarting

Obviously this was all working with 1.1.0 so something seems to have changed in the tls negotiation routines.
I can fix this in the client by adding the openssl command --tls-version-min 1.0, so it probably means, the way openvpn works, that the openssl version installed in openwrt has some strange TLS version < 1.0, but clearly openssl shouldn't error out when presented with lower ciphers; it should negotiate the mutually acceptable version.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.18.0-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6      2.27-8
ii  libssl1.1  1.1.1-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20170717

-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]

-- no debconf information
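
An added example, not part of the original report: a small log triage script that lists the OpenVPN peers whose handshake failed with the "unsupported protocol" reason shown above, and unpacks the numeric OpenSSL error code. The function names are hypothetical, the sample lines are copied from the log in the report, and the bit layout used for the code is the OpenSSL 1.1.x packing.

```python
import re
from collections import defaultdict

# Four lines taken from the verbose log in the report above.
SAMPLE_LOG = """\
RSun Nov 4 08:40:04 2018 us=116336 50.35.68.20:56038 TLS: Initial packet from [AF_INET]50.35.68.20:56038, sid=812b650a 26613bfb
WRRWRSun Nov 4 08:40:04 2018 us=149552 50.35.68.20:56038 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Sun Nov 4 08:40:04 2018 us=150331 50.35.68.20:56038 TLS_ERROR: BIO read tls_read_plaintext error
Sun Nov 4 08:40:04 2018 us=151598 50.35.68.20:56038 TLS Error: TLS handshake failed
"""

PEER = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
# "<peer> OpenSSL: error:<8 hex digits>:<library>:<function>:<reason>"
OSSL_ERR = re.compile(
    PEER + r" OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:[^:]*:(?P<reason>.*)$")
HANDSHAKE_FAIL = re.compile(PEER + r" TLS Error: TLS handshake failed")

def unpack_error(code_hex):
    """Split an OpenSSL 1.1.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(log_text):
    """Map each peer to its failed-handshake count and the OpenSSL errors seen."""
    peers = defaultdict(lambda: {"failed": 0, "errors": []})
    for line in log_text.splitlines():
        m = OSSL_ERR.search(line)
        if m:
            peers[m["peer"]]["errors"].append(
                {"text": m["reason"].strip(), "fields": unpack_error(m["code"])})
            continue
        m = HANDSHAKE_FAIL.search(line)
        if m:
            peers[m["peer"]]["failed"] += 1
    return dict(peers)

def version_floor_peers(log_text):
    """Peers with a failed handshake and an 'unsupported protocol' error."""
    return sorted(
        peer for peer, d in triage(log_text).items()
        if d["failed"] and any(e["text"] == "unsupported protocol" for e in d["errors"]))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer in version_floor_peers(SAMPLE_LOG):
        print(peer, result[peer]["errors"])
```

Run over a server log collected at the same verbosity, this shows which clients would need attention before the protocol floor in openssl.cnf is left at its stricter setting.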