connecting tinc 1.0.36/libssl3 to older nodes?

Guus Sliepen guus at tinc-vpn.org
Wed May 18 08:16:53 CEST 2022


On Wed, May 18, 2022 at 01:28:31AM -0400, Nathan Stratton Treadway wrote:

> Thus, I believe Xenial's tinc 1.0.26 is attempting to use
> EVP_bf_ofb()/EVP_sha1() when setting up the metadata connection -- and
> that nothing else related to the metadata connection setup changed
> between 1.0.26 and 1.0.33....

That's correct.

> According to 
>   https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html  
> , Blowfish is part of the legacy provider in libssl3, so it makes sense
> that it's not available by default on the Jammy node.
> 
> However, as far as I can tell this does get successfully enabled when my
> openssl.cnf override-file is in place (on the Jammy node):
[...]
> I am not sure how many bits of security the EVP_bf_ofb() algorithm is
> considered to have, but it seems I need to have "CipherString =
> DEFAULT:@SECLEVEL=1" in my override file in order to get past the
> "digital envelope routines::unsupported" error during metadata
> negotiation.

That's weird, why would you need to set that yourself... But very nice
work in finding this out!

> Does anyone have any suggestions of additional changes to either the
> openssl.cnf override file on the Jammy node or the Tinc config files
> that would allow Xenial and Jammy nodes to interoperate on the network
> while we work to upgrade the all the old network nodes?

This is very annoying of course, but I don't see any option but to
either upgrade tinc on Xenial or to downgrade tinc's OpenSSL library on
Jammy. Upgrading tinc on Xenial might be the easiest option, it means
just compiling a newer version of tinc on Xenial that has AES and SHA256
as the default algorithms for meta-connections, and use that instead of
the binary from the tinc package that comes with Xenial. I think it
should still work with the OpenSSL library provided by Xenial.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.tinc-vpn.org/pipermail/tinc/attachments/20220518/2fbcffcc/attachment.sig>


More information about the tinc mailing list