connecting tinc 1.0.36/libssl3 to older nodes?
Nathan Stratton Treadway
nathanst at ontko.com
Tue Sep 20 07:06:09 CEST 2022
On Wed, May 18, 2022 at 08:16:53 +0200, Guus Sliepen wrote:
> On Wed, May 18, 2022 at 01:28:31AM -0400, Nathan Stratton Treadway wrote:
>
> > Thus, I believe Xenial's tinc 1.0.26 is attempting to use
> > EVP_bf_ofb()/EVP_sha1() when setting up the metadata connection -- and
> > that nothing else related to the metadata connection setup changed
> > between 1.0.26 and 1.0.33....
>
> That's correct.
It turns out that upstream OpenSSL had a bug affecting the
Blowfish algorithm in early releases of libssl3:
"OpenSSL 3 cannot decrypt data encrypted with OpenSSL 1.1 with blowfish
in OFB or CFB modes" #18359:
https://github.com/openssl/openssl/issues/18359
This bug was fixed in libssl3 3.0.4, and thus tincd (v1.0.36-2build1)
running on an Ubuntu Kinetic system with up-to-date libssl3 packages
installed can now establish a metadata connection with tinc nodes
running Xenial's tinc (v1.0.26/libssl1.1).
I've opened a request for the upstream fix to be backported to libssl3
in Jammy; presumably once that happens tinc (also v1.0.36-2build) will
start working in Jammy as well....
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1990216
> > I am not sure how many bits of security the EVP_bf_ofb() algorithm is
> > considered to have, but it seems I need to have "CipherString =
> > DEFAULT:@SECLEVEL=1" in my override file in order to get past the
> > "digital envelope routines::unsupported" error during metadata
> > negotiation.
>
> That's weird, why would you need to set that yourself... But very nice
> work in finding this out!
(With the fix for the Blowfish implementation in place, the SECLEVEL=1
adjustment is no longer necessary -- the only special configuration
needed on the Jammy node is the activation of the legacy provider.)
Nathan
----------------------------------------------------------------------------
Nathan Stratton Treadway - nathanst at ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
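As an added illustration of the "activation of the legacy provider" step discussed above (this is example code written for this page, not code from the tinc project or from the post), the script below writes an OpenSSL 3 configuration override that activates the legacy provider alongside the default one, then checks that Blowfish-OFB, the cipher tinc 1.0.x negotiates for its metadata connection, is actually usable with that override in force. It assumes an OpenSSL 3.x `openssl` binary with the legacy provider module (legacy.so) installed and a writable TMPDIR; the config path, the all-zero key/IV and the eight-byte 'A' plaintext are choices made for the example. The expected ciphertext follows from the published Blowfish test vector E_k(0) = 4EF997456198DD78 under an all-zero key, which is the first OFB keystream block.

```shell
#!/bin/sh
# Added example (not code from tinc or from the mailing-list post above).
# Activates the OpenSSL 3 legacy provider through a configuration override
# and checks that Blowfish-OFB, the metadata-connection cipher of tinc 1.0.x,
# is usable once the override is in force.
# Assumptions: an OpenSSL 3.x "openssl" binary, its legacy provider module
# (legacy.so) installed, and a writable TMPDIR.  Paths are hypothetical.

set -eu

WORKDIR="${TMPDIR:-/tmp}/bf-ofb-check.$$"
trap 'rm -rf "$WORKDIR"' EXIT

# All-zero 128-bit key and all-zero 64-bit IV (Blowfish block size).  The key
# schedule XORs the key bytes cyclically into the P-array, so an all-zero key
# of any length gives the same subkeys, and the published test vector
# E_k(0) = 4EF997456198DD78 is the first OFB keystream block.
KEY=00000000000000000000000000000000
IV=0000000000000000

# Write the override config and print its path.  OpenSSL 3 only loads the
# legacy provider (home of BF-OFB, BF-CFB, ...) when a config file or the
# application asks for it; activating "default" as well keeps the modern
# algorithms available.  Point OPENSSL_CONF at this file to use it.
write_legacy_conf() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/openssl-legacy.cnf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
    printf '%s\n' "$WORKDIR/openssl-legacy.cnf"
}

# Run "openssl enc -bf-ofb" with the override config in force.
# Optional first argument: "-d" to decrypt.
bf_ofb_enc() {
    OPENSSL_CONF="$(write_legacy_conf)" openssl enc -bf-ofb ${1:-} -nosalt -K "$KEY" -iv "$IV"
}

# Known-answer test: encrypt eight 'A' bytes and print the ciphertext as hex.
# 4141414141414141 XOR 4ef997456198dd78 = 0fb8d60420d99c39.
bf_ofb_known_answer() {
    printf 'AAAAAAAA' | bf_ofb_enc | od -A n -t x1 | tr -d ' \n'
}

# Round trip through the same cipher; prints the recovered plaintext.
bf_ofb_roundtrip() {
    printf 'AAAAAAAA' | bf_ofb_enc | bf_ofb_enc -d
}

openssl version
printf 'bf-ofb known answer: %s\n' "$(bf_ofb_known_answer)"
printf 'bf-ofb round trip:   %s\n' "$(bf_ofb_roundtrip)"
```

The known-answer test only shows that the legacy provider is active and the cipher is reachable on this node; it says nothing about interoperability with a peer linked against OpenSSL 1.1, which is where #18359 showed up, so the real check remains bringing up the metadata connection against an older node. Note also that distribution packages that carry a backported fix keep their original version string, so `openssl version` alone cannot tell whether the Blowfish fix is present.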