connecting tinc 1.0.36/libssl3 to older nodes?

Rowan Wookey admin at rwky.net
Sat May 7 00:19:45 CEST 2022


Just to chime in here. I noticed you said you're using Ubuntu Precise. That's a 10 year old distro and well past it's standard support life cycle. 
With that in mind have you tried connecting to a newer distro, any supported Ubuntu/Debian release except Jammy will have OpenSSL 1.x instead of 3.x.

If you can connect from Jammy to another supported 1.x distribution I'd blame it on one of the features which have been deprecated/removed since 2012. 

On Fri, 6 May 2022, at 14:00, Nathan Stratton Treadway wrote:
> On Fri, May 06, 2022 at 07:22:45 +0200, Guus Sliepen wrote:
>> Hi, as far as tinc itself is concerned it should be fine if nodes are
>> linked against different versions of OpenSSL. However, OpenSSL might
>> have deprecated some cryptographic algorithms, and distributions might
>> sometimes change which algorithms to enable/disable when packaging
>> OpenSSL. Are you using the defaults from tinc, or did you specify which
>> encryption and/or authentication algorithm to use by adding "Cipher = ..."
>> or "Digest = ..." statements to any of tinc's configuration files?
>
> I do not (currently) have either Cipher= or Digest= in any config files.
>
> However, from my research so far I understand that those are only used
> for the data channel, and as far as I can tell the failure I'm hitting
> happens during the negotiation of the metadata connection...  
>
> I'm using the stock tinc package provided in the Jammy repository on
> that server.
>
> OpenSSL libssl3 definitely deprecates a lot of algorithms, but as I
> mentioned in my original post I (believe I successfully) turned on the
> libssl "legacy" provider, which seems to have helped but not been
> sufficient... and I am not sure what additional steps I can take to
> determine what algorithm is now failing.  
>
> (Am I correct that tinc does not have any way to log the various
> algorithms-to-be-used negotiated by the libssl library during connection
> setup, etc.?)
>
> 
>> Can you tell me which distribution and its version you have on the
>> server that runs tinc 1.0.26? I can then try to reproduce the situation.
>
> That server is running Ubuntu Precise, so it has libssl1.0.1 .  However,
> when installing that server I built a tinc binary package from source
> using the ubuntu/pool/universe/t/tinc/tinc_1.0.26-1.dsc source package
> (i.e. from the Wily repo). 
>
> ldd on that system reports:
>   $ ldd /usr/sbin/tincd
>         linux-gate.so.1 =>  (0x00bb7000)
>         libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 
> (0x00110000)
>         libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0x0056a000)
>         liblzo2.so.2 => /usr/lib/i386-linux-gnu/liblzo2.so.2 
> (0x002bc000)
>         libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0x00356000)
>         libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x0035b000)
>         /lib/ld-linux.so.2 (0x00d03000)
>
>   $ /usr/sbin/tincd --version
>   tinc version 1.0.26 (built Sep 15 2015 20:24:45, protocol 17
>   [...]
>
>
> Let me know if I can provide any additional information, or if you have
> any suggestions for additional debugging I can do on my side.
>
> Thanks.
>
>
> 							Nathan
>
>
> ----------------------------------------------------------------------------
> Nathan Stratton Treadway  -  nathanst at ontko.com  -  Mid-Atlantic region
> Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
>  GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
>  Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc

-- 
Regards

Rowan Wookey MSc Comp (Open), CISMP
Server Administrator & Programmer

Please add admin at rwky.net to your contacts/email whitelist.


More information about the tinc mailing list