Ubuntu 20.04 - OpenSSL security level 1 not working

Question

System info:

> hostnamectl
  Operating System: Ubuntu 20.04.1 LTS
            Kernel: Linux 5.4.0-42-generic
      Architecture: x86-64

Issue: I access a self hosed nuget repostory behind a VPN for nuget packages .Net Core. When I first updated to Ubuntu 20.04, I had to lower the SSL Security level to level 1, otherwise I would receive a dh key too small error when calling dotnet restore.

I learned that 20.04 updated the minimum security level to 2, hence why it stopped working when I updated from 18.04 to 20.04. I had previously updated my /etc/ssl/openssl.cnf to include the recommended changes here: Ubuntu 20.04 - how to set lower SSL security level?.

And all seemed good, recently however, I'm getting the same dh key too small issue I previously got, even though I haven't changed my openssl.cnf.

> dotnet restore
Determining projects to restore...
  Retrying 'FindPackagesByIdAsyncCore' for source 'https://example.com/repository/nuget-group/FindPackagesById()?id='example_package'&semVerLevel=1.0.0'.
  The SSL connection could not be established, see inner exception.
    Authentication failed, see inner exception.
    SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
    error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

This is the output of my openssl configs:

> cat /etc/ssl/openssl.cnf
openssl_conf = default_conf

#default config....

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = ssl_default_sect

[ ssl_default_sect ]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

and of the currently running openssl:

> openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

and from openssl version -a I can see -DOPENSSL_TLS_SECURITY_LEVEL=2 which indicates it's running at security level 2.

I'm unable to change anything on the Nuget package repository side so I need to fix this locally. Any advice?

score 0 · Answer 1 · answered Aug 24 '20 at 10:14

0

I think you have a typo in your CipherString line, try removing the colon after DEFAULT?

answered Aug 24 '20 at 10:14

Brian Turek

1,786
6
12

Although I'm here on a different issue, OP's OpenSSL config (with the colon) actually fixed my problem. – Kevin Traas Nov 09 '20 at 20:16

Ubuntu 20.04 - OpenSSL security level 1 not working

1 Answers1