connecting tinc 1.0.36/libssl3 to older nodes?

Nathan Stratton Treadway nathanst at ontko.com
Fri May 6 15:00:53 CEST 2022


On Fri, May 06, 2022 at 07:22:45 +0200, Guus Sliepen wrote:
> Hi, as far as tinc itself is concerned it should be fine if nodes are
> linked against different versions of OpenSSL. However, OpenSSL might
> have deprecated some cryptographic algorithms, and distributions might
> sometimes change which algorithms to enable/disable when packaging
> OpenSSL. Are you using the defaults from tinc, or did you specify which
> encryption and/or authentication algorithm to use by adding "Cipher = ..."
> or "Digest = ..." statements to any of tinc's configuration files?

I do not (currently) have either Cipher= or Digest= in any config files.

However, from my research so far I understand that those are only used
for the data channel, and as far as I can tell the failure I'm hitting
happens during the negotiation of the metadata connection...  

I'm using the stock tinc package provided in the Jammy repository on
that server.

OpenSSL libssl3 definitely deprecates a lot of algorithms, but as I
mentioned in my original post I (believe I successfully) turned on the
libssl "legacy" provider, which seems to have helped but not been
sufficient... and I am not sure what additional steps I can take to
determine what algorithm is now failing.  

(Am I correct that tinc does not have any way to log the various
algorithms-to-be-used negotiated by the libssl library during connection
setup, etc.?)

 
> Can you tell me which distribution and its version you have on the
> server that runs tinc 1.0.26? I can then try to reproduce the situation.

That server is running Ubuntu Precise, so it has libssl1.0.1 .  However,
when installing that server I built a tinc binary package from source
using the ubuntu/pool/universe/t/tinc/tinc_1.0.26-1.dsc source package
(i.e. from the Wily repo). 

ldd on that system reports:
  $ ldd /usr/sbin/tincd
        linux-gate.so.1 =>  (0x00bb7000)
        libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0x00110000)
        libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0x0056a000)
        liblzo2.so.2 => /usr/lib/i386-linux-gnu/liblzo2.so.2 (0x002bc000)
        libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0x00356000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x0035b000)
        /lib/ld-linux.so.2 (0x00d03000)

  $ /usr/sbin/tincd --version
  tinc version 1.0.26 (built Sep 15 2015 20:24:45, protocol 17
  [...]


Let me know if I can provide any additional information, or if you have
any suggestions for additional debugging I can do on my side.

Thanks.


							Nathan


----------------------------------------------------------------------------
Nathan Stratton Treadway  -  nathanst at ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
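
An added example, not part of the original message: one way to check that an `openssl.cnf` edit really activates the legacy provider mentioned above. Once providers are listed explicitly in the config file, OpenSSL 3 no longer loads the default provider implicitly, so both need their own `activate` line. The sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of an OpenSSL 3 openssl.cnf (not the poster's file).
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
# activate = 1
[legacy_sect]
activate = 1
"""

def parse_cnf(text):
    """Minimal reader: [sections] and 'name = value' only (no .include, no $vars)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def active_providers(text):
    """Follow openssl_conf -> providers -> provider section; map name -> activated?"""
    cnf = parse_cnf(text)
    init = cnf.get(cnf["default"].get("openssl_conf", ""), {})
    providers = cnf.get(init.get("providers", ""), {})
    enabled = {"1", "yes", "true", "on"}  # values this sketch treats as "on"
    return {name: cnf.get(sect, {}).get("activate", "").lower() in enabled
            for name, sect in providers.items()}

def diagnose(text):
    """Return a list of provider problems that would hide legacy or default algorithms."""
    state = active_providers(text)
    problems = []
    if not state.get("legacy"):
        problems.append("legacy provider is not activated")
    if state and not state.get("default"):
        problems.append("providers are listed explicitly but default is not activated")
    return problems

if __name__ == "__main__":
    print(active_providers(SAMPLE_CNF), diagnose(SAMPLE_CNF))
```

On a live system, `openssl list -providers` shows which providers were actually loaded from the config file in use.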

