
Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )

On 5 September 2017 at 22:40, Sven Hartge <sven@svenhartge.de> wrote:
> Michael Grant <mgrant@grant.org> wrote:
>> Is there something I can set on Debian side to force this newer
>> openssl to accept older 1.x connections?
> No, you can't.
> Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> program needs to call a special function of OpenSSL to override the
> default minimum TLS-version of TLS1.2.
> Problem is: next to no program implements this as of yet.
> The Dovecot developers may introduce the needed change in some of the
> coming versions, with sendmail I believe you will be out of luck.

Ugh no!

> First help: Grab an older OpenSSL version from snapshots.debian.org to
> get going again.
> My solution (other than complaining on the debian-devel mailing list) was
> to recompile OpenSSL with the patch in question removed.
> Of course in doing so I burdened myself with tracking any new release of
> the OpenSSL packages and recompiling them until this situation has been
> resolved in some other way.

Thanks for confirming that I did the best thing I could: reinstall the
previous version of libssl.

I was surprised that this problem affected fairly recent MacOS and
Windows Outlook users.  I was also surprised that not many people had
reported this and as I continued to google around for this, I found
only this chain of posts!  And this has been in the wild now for about
10 days.

I'm sure this fix needs to be in there; forcing it on people without
making sure major mailers are going to accept it is just going to
create more problems.  It probably would have been a good idea to put
a loud warning in the log files about this.  The message given by apt
during the update:

  By default the minimum supported TLS version is 1.2. If you still need to
  talk to applications that only support TLS 1.0 you should configure the
  application to set the minimum supported version.

This is highly misleading in suggesting that it is easy to do this!
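The behaviour Sven describes, a library-wide minimum TLS version that only the application itself can lower, can be reproduced in memory. The following is an added example and not code from this thread, from Dovecot, sendmail or Debian's openssl package: it uses Go's crypto/tls rather than OpenSSL's C API (in OpenSSL 1.1.0 the override the thread calls "a special function" is SSL_CTX_set_min_proto_version(); that identification is mine, the thread does not name it). The certificate, the hostname mail.example.test and the three scenarios are constructed for the example. Each run performs a real handshake between a server with a given version floor and a client with a given version ceiling over net.Pipe, and reports the negotiated version or the failure an old mail client would see.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-memory server.
// Constructed for this example only; a real mail server loads its own chain.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mail.example.test"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake over an in-memory pipe. serverMin is the
// lowest version the server accepts (the floor the Debian patch moved to TLS 1.2);
// clientMax is the highest version the client offers (models an old mail client).
// It returns the negotiated version, or the error either side reported.
func handshake(serverMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin,
		MaxVersion:   tls.VersionTLS12, // OpenSSL 1.1.0 speaks at most TLS 1.2
	}
	clientCfg := &tls.Config{
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // self-signed test certificate; never for real clients
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, serverCfg)
	cli := tls.Client(cliConn, clientCfg)

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return 0, err // e.g. "client offered only unsupported versions"
	}
	if cliErr != nil {
		return 0, cliErr
	}
	return cli.ConnectionState().Version, nil
}

// versionName renders a TLS version number for the report.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cases := []struct {
		label               string
		serverMin, clientMax uint16
	}{
		{"default floor TLS 1.2, modern client", tls.VersionTLS12, tls.VersionTLS12},
		{"default floor TLS 1.2, TLS 1.0-only client", tls.VersionTLS12, tls.VersionTLS10},
		{"floor lowered by the application, TLS 1.0-only client", tls.VersionTLS10, tls.VersionTLS10},
	}
	for _, c := range cases {
		v, err := handshake(c.serverMin, c.clientMax)
		if err != nil {
			fmt.Printf("%-55s -> handshake failed: %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-55s -> negotiated %s\n", c.label, versionName(v))
	}
}
```

The second scenario is the symptom reported in this thread: the server never gets as far as presenting a certificate, it rejects the ClientHello on version alone, so the only trace is a handshake failure in the mail server's log. The third scenario is what an application that calls the override gets back: TLS 1.0 clients connect again, and with them the protocol weaknesses the TLS 1.2 floor was meant to exclude, so the floor is a per-service policy decision rather than something to lower globally.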
