From: "alice"
To: "Nico Schottelius", "Natanael Copa"
Cc: <~alpine/devel@lists.alpinelinux.org>
Subject: Re: OpenSSL 3 pushed to git master
Date: Tue, 09 Aug 2022 09:47:02 +0200
References: <20220803105631.77d1cc2c@ncopa-desktop.lan> <87iln2cxo3.fsf@ungleich.ch>
In-Reply-To: <87iln2cxo3.fsf@ungleich.ch>

On Mon Aug 8, 2022 at 9:59 PM CEST, Nico Schottelius wrote:
>
> Hey Nate,
>
> is it possible that this upgrade broke openconnect?

the actual issue is that openssl3 does not allow insecure renegotiation.
see, for instance: https://www.ibm.com/mysupport/s/question/0D50z000062ktWGCAY/why-ssl-handshake-fails-with-unsafe-legacy-renegotiation-disabled?language=en_US

a quick look via sslscan at the domain indicates it is using tls1.1 and tls1.2, and:

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  Supported Server Cipher(s):
Preferred TLSv1.2  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA
Preferred TLSv1.1  112 bits  TLS_RSA_WITH_3DES_EDE_CBC_SHA

i assume based on that it just has a quite old (to me, ancient) tls stack, and openssl3 does not work with it. but this is (sadly) more of an issue in the website than in openssl3. nevertheless, openssl1.1 does allow this, so it works with 1.1..

(offtopic: is 3des even secure anymore?)

> Since an apk upgrade -a on edge I am facing this one:
>
> --------------------------------------------------------------------------------
> POST https://portal.somewhere.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
> Connected to [....]:443
> SSL negotiation with portal.techcorpapps.com

fyi: you tried to hide the domain above but it's repeated here

> SSL connection failure
> 9069B3F2667F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:
> Failed to open HTTPS connection to portal.techcorpapps.com
> Failed to complete authentication
> --------------------------------------------------------------------------------
>
> Best,
>
> Nico
>
>
> Natanael Copa writes:
>
> > Hi!
> >
> > I have pushed openssl3 to git master.
> >
> > Majority of the main and community packages built fine in my x86_64 LXC.
> >
> > I was able to build approx half of the testing packages as well, but
> > not all.
> >
> > There might be some packages that need fixes still and it might take
> > another day before community repo is done.
> >
> > Sorry for the inconvenience.
> >
> > -nc
>
>
> --
> Sustainable and modern Infrastructures by ungleich.ch
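The failure alice diagnoses above is a client-side policy check, not a negotiation failure: an OpenSSL 3 client aborts the initial handshake when the ServerHello carries no RFC 5746 renegotiation_info extension (type 0xff01) and SSL_OP_LEGACY_SERVER_CONNECT is not set, which is what "final_renegotiate:unsafe legacy renegotiation disabled" reports. The following is an added example, not code from the thread, from OpenSSL or from openconnect. It builds two ServerHello records from constructed bytes (one shaped like the portal's sslscan results, 3DES and no renegotiation support; one modern), parses them, and applies that policy. The helper names `build_server_hello`, `parse_server_hello` and `assess`, the fixed server random, and both sample messages are assumptions of this example.

```python
"""Added example: does an OpenSSL 3 client accept this ServerHello?

Models the RFC 5746 check OpenSSL 3 applies to a TLS 1.2-and-below
ServerHello on the initial handshake.  All sample messages below are
constructed for the example, not captured from the portal in the thread.
"""
import struct

EXT_RENEGOTIATION_INFO = 0xFF01          # RFC 5746 renegotiation_info
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A   # the only suite sslscan saw
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
# 64-bit block cipher suites (3DES) are the ones affected by Sweet32.
WEAK_SUITES = {TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_server_hello(version: int, cipher: int, extensions: list) -> bytes:
    """Construct a TLS record carrying a ServerHello (example input only)."""
    body = struct.pack("!H", version)
    body += b"\x11" * 32                       # server random: fixed, constructed
    body += b"\x00"                            # empty session id
    body += struct.pack("!HB", cipher, 0)      # cipher suite, null compression
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS handshake record holding a ServerHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                  # server random
    sid_len = body[pos]; pos += 1 + sid_len    # session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                   # compression method
    extensions = {}
    if pos < len(body):                        # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions[etype] = body[pos:pos + elen]; pos += elen
    return {"version": version, "cipher": cipher, "extensions": extensions}


def assess(record: bytes, legacy_server_connect: bool = False) -> dict:
    """Apply the OpenSSL 3 client policy: require renegotiation_info unless
    the caller opted in to SSL_OP_LEGACY_SERVER_CONNECT."""
    hello = parse_server_hello(record)
    ri = hello["extensions"].get(EXT_RENEGOTIATION_INFO)
    secure_reneg = ri is not None
    # On an initial handshake the extension must carry an empty
    # renegotiated_connection (a single 0x00 length byte); anything else
    # is a mismatch OpenSSL also rejects.
    if secure_reneg and ri != b"\x00":
        raise ValueError("renegotiation_info mismatch on initial handshake")
    return {
        "version": VERSION_NAMES.get(hello["version"], hex(hello["version"])),
        "cipher": hex(hello["cipher"]),
        "secure_renegotiation": secure_reneg,
        "openssl3_accepts": secure_reneg or legacy_server_connect,
        "weak_cipher": WEAK_SUITES.get(hello["cipher"]),
    }


# Constructed sample 1: shaped like the portal's sslscan result (3DES, no RI).
OLD_PORTAL = build_server_hello(0x0303, TLS_RSA_WITH_3DES_EDE_CBC_SHA, [])
# Constructed sample 2: a modern server advertising secure renegotiation.
MODERN = build_server_hello(0x0303, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            [(EXT_RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("old portal", OLD_PORTAL), ("modern", MODERN)):
        print(name, assess(rec))
    print("old portal, legacy opt-in", assess(OLD_PORTAL, legacy_server_connect=True))
```

Against the constructed "old portal" message `assess` reports no secure renegotiation, `openssl3_accepts` false and the 3DES suite flagged; only the explicit opt-in flips acceptance, which is the same switch OpenSSL exposes as `openssl s_client -legacy_server_connect` for confirming the diagnosis, and as `Options = UnsafeLegacyServerConnect` in the `[system_default_sect]` of openssl.cnf for a client-wide workaround. That opt-in weakens every connection the client makes, so the fix alice points at (the server's TLS stack) is the right one.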