Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 959469@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, 959469-quiet@bugs.debian.org
Cc: Paul Gevers <elbrus@debian.org>, 959469-submitter@bugs.debian.org
Subject: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Tue, 22 Mar 2022 19:37:00 +0000
Message-id: <[🔎] 01688d66035b1d3bf14161f31c751355cc07e3c9.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 959469@bugs.debian.org
In-reply-to: <[🔎] Yje0yxU2d0pcRBZ4@breakpoint.cc>
References: <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] E1nVXKY-0004FQ-Ty@coccia.debian.org> <[🔎] c00800fe-006c-a651-288c-15bd0bf84d86@debian.org> <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] YjennU2xkaWuyVfW@roeckx.be> <20200502163642.v4nhomgfa3oen7qp@flow> <[🔎] Yje0yxU2d0pcRBZ4@breakpoint.cc> <20200502163642.v4nhomgfa3oen7qp@flow>

On Mon, 2022-03-21 at 00:12 +0100, Sebastian Andrzej Siewior wrote:
> The change in openssl is commit
>    cc7c6eb8135b ("Check that the default signature type is allowed")
> 
> Before the commit in question it connects as:
>   - Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)
> 
> after that, the server throws:
>   140490373015360:error:14201044:SSL
> routines:tls_choose_sigalg:internal error:../ssl/t1_lib.c:2880:
> 
> and it appears that the security level in openssl forbids SHA1 here.
> The argument on the s_server side
> 	 -sigalgs RSA+SHA1:RSA+SHA256:DSA+SHA1:DSA+SHA256
> 
> doesn't help here but
> 	 -cipher "ALL:@SECLEVEL=1"
> 
> does. 
> 

If we wanted to add a note to the release announcement in case users
face similar issue with other software, is "tls_choose:sigalg:internal
error" a reliable signal of this situation occurring? Should the
recommended solution be to lower the security level, or might
specifying -sigalgs work on its own in some scenarios?

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Paul Gevers <elbrus@debian.org>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Kurt Roeckx <kurt@roeckx.be>
- Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: NEW changes in oldstable-new
Next by Date: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
Previous by thread: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
Next by thread: Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
Index(es):
- Date
- Thread