touch-packages team mailing list archive
Message #22825
[Bug 1376447] [NEW] When forcing TLSv1.2, the cipher list is truncated
*** This bug is a security vulnerability ***
Public security bug reported:
Back in 2012, enabling TLSv1.2 would break connecting to certain
servers. This was worked around in two ways in Ubuntu 12.04 LTS:
- OPENSSL_MAX_TLS1_2_CIPHER_LENGTH was set to 50, so that the cipher list sent would be truncated and wouldn't cause failures when connecting to certain servers that couldn't handle > 256 bytes
- OPENSSL_NO_TLS1_2_CLIENT was set to disable TLSv1.2 for clients by default
Although TLSv1.2 is disabled by default for clients, if it is forced,
the cipher list gets truncated.
This will cause the following issues:
- Important ciphers may get dropped
- Secure renegotiation breaks
Ubuntu 14.04 LTS shipped with TLSv1.2 turned on by default, and two
years later a lot of problematic equipment has been replaced or
upgraded.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: openssl (Ubuntu Precise)
Importance: Undecided
Assignee: Marc Deslauriers (mdeslaur)
Status: Confirmed
** Also affects: openssl (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: openssl (Ubuntu)
Status: New => Invalid
** Changed in: openssl (Ubuntu Precise)
Status: New => Confirmed
** Changed in: openssl (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1376447
Title:
When forcing TLSv1.2, the cipher list is truncated
Status in “openssl” package in Ubuntu:
Invalid
Status in “openssl” source package in Precise:
Confirmed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1376447/+subscriptions
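
The truncation described in the report can be checked for in a captured ClientHello; the following is an added example, not part of the original message or of OpenSSL. It assumes the cap of 50 counts bytes of the cipher_suites vector and that the renegotiation SCSV (0x00FF) is the last entry in the list, neither of which the report states; the function names and the sample cipher list are constructed for illustration.

```python
import struct

SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEG_EXT = 0xFF01  # renegotiation_info extension (RFC 5746)
CAP = 50            # OPENSSL_MAX_TLS1_2_CIPHER_LENGTH value given in the report

# Constructed sample: 30 arbitrary suite code points followed by the SCSV (62 bytes).
SAMPLE_SUITES = (b"".join(struct.pack("!H", 0xC000 + i) for i in range(1, 31))
                 + struct.pack("!H", SCSV))

def model_truncation(suites: bytes, cap: int = CAP) -> bytes:
    """Assumed model of the workaround: chop the vector to `cap` bytes, kept even."""
    return suites[:cap & ~1] if len(suites) > cap else suites

def build_client_hello(suites: bytes, extensions: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello handshake message."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body

def audit_client_hello(msg: bytes, cap: int = CAP) -> dict:
    """Parse a ClientHello (handshake layer, no record header) and audit its cipher list."""
    try:
        if msg[0] != 1:
            raise ValueError("not a ClientHello")
        body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
        pos = 2 + 32                          # skip client_version and random
        pos += 1 + body[pos]                  # skip session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(body):
            raise ValueError("bad cipher_suites length")
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                  # skip compression_methods
        pos += 2                              # extensions length (the block is optional)
        exts = set()
        while pos + 4 <= len(body):
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts.add(etype)
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    signals = SCSV in suites or RENEG_EXT in exts
    truncated = body[0:2] == b"\x03\x03" and cs_len == (cap & ~1) and not signals
    return {"suite_bytes": cs_len, "suites": suites,
            "signals_secure_reneg": signals, "looks_truncated": truncated}
```

A TLS 1.2 hello whose cipher list is exactly at the cap and carries neither the SCSV nor the renegotiation_info extension is the pattern worth flagging when auditing clients for this bug.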