touch-packages team mailing list archive

Thread
Date

[Bug 1376447] Re: When forcing TLSv1.2, the cipher list is truncated

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1376447@xxxxxxxxxxxxxxxxxx>
Date: Thu, 02 Oct 2014 16:22:13 -0000
Reply-to: Bug 1376447 <1376447@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package openssl - 1.0.1-4ubuntu5.18

---------------
openssl (1.0.1-4ubuntu5.18) precise-security; urgency=medium

  * SECURITY IMPROVEMENT: remove cipher length limitation that was set to
    work around problematic servers when using TLSv1.2 back in 2012.
    (LP: #1376447)
    - Although TLSv1.2 is disabled for clients by default, forcing it
      enabled would truncate the cipher list, possibly removing important
      ciphers, and was also breaking secure renegotiations.
    - debian/patches/tls12_workarounds.patch: remove
      OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 from Configure.
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>   Wed, 01 Oct 2014 16:15:14 -0400

** Changed in: openssl (Ubuntu Precise)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1376447

Title:
  When forcing TLSv1.2, the cipher list is truncated

Status in “openssl” package in Ubuntu:
  Invalid
Status in “openssl” source package in Precise:
  Fix Released

Bug description:
  Back in 2012, enabling TLSv1.2 would break connecting to certain
  servers. This was worked around in two ways in Ubuntu 12.04 LTS:

  - OPENSSL_MAX_TLS1_2_CIPHER_LENGTH was set to 50, so that the cipher list sent would be truncated and wouldn't cause failures when connecting to certain servers that couldn't handle > 256 bytes
  - OPENSSL_NO_TLS1_2_CLIENT was set to disable TLSv1.2 for clients by default

  Although TLSv1.2 is disabled by default for clients, if it is forced,
  the cipher list gets truncated.

  This will cause the following issues:
  - Important ciphers may get dropped
  - Secure renegotiation breaks

  Ubuntu 14.04 LTS shipped with TLSv1.2 turned on by default, and two
  years later a lot of problematic equipment has been replaced or
  upgraded.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1376447/+subscriptions

References

[Bug 1376447] [NEW] When forcing TLSv1.2, the cipher list is truncated
From: Marc Deslauriers, 2014-10-01