Ensembl REST services do not work on Ubuntu 20.04 — SSLv3 alert handshake failure #427
Comments
Impact and possible mitigation
In theory, once (and if) OpenSSL developers fix this behaviour, the problem will disappear. However, you may notice that the bug report linked above is more than 2 months old, and on Launchpad it has been designated low priority. So the fix on the OpenSSL side may take very long to arrive. Ubuntu is a major Linux distribution. Ubuntu 20.04 was released just a couple of weeks ago, hence not many people have updated yet, but once they gradually do that, I expect you will receive more reports of this problem. A possible solution is to refresh the server certificate chain so that it does not include a broken certificate. This would be nice to have anyway. If you'd like to know more details, here is a Launchpad issue opened by someone who faced the same issue with a different server: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689
Oh, by the way, if you want to reproduce this using Docker images for Ubuntu, I tried that and it won't work because it turns out that the Docker configuration is different from a standard desktop installation. The Docker images use
Thank you @tskir for reporting the issue. I want to clarify two things:
you'll see they are similar and from GoDaddy bundles. I guess many GoDaddy customers are affected; some are within EBI: ensembl.org, europepmc.org, parasite.wormbase.org, uniprot.org. So it will be web-prod's call to re-generate the cert chain for all affected domains, wait for new GoDaddy bundles, or wait for the OpenSSL bug fix.
Hi @tuanebi, thank you for your clarifications! What I meant was not the actual certificate being broken, but the RSA-SHA1 cipher being considered broken (which it is, via collision attack). I notice that this problem still persists. Did you have a chance to triage this with web-prod? Also, do you think this is something which can/should be escalated with GoDaddy? Sounds like they could solve it on their side for all their customers.
Hi, Facing the same problem here on a fresh Ubuntu 20.04.1 LTS install:
This breaks some Bioconductor packages trying to access the Ensembl REST service, e.g.: https://bioconductor.org/checkResults/3.12/bioc-LATEST/MouseFM/nebbiolo1-checksrc.html
Internally, the MouseFM package does something like:
Thanks! PS: Kudos to @tskir for providing such a detailed and insightful bug report!
Any update on this? Thanks!
Hi @hpages @tskir, we are aware of this issue on Ubuntu 20.04 and have liaised with a team who manages our SSL certs. Unfortunately the timeline for fixing it is not clear to me. I would suggest applying this solution in the meantime: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
The temporary fix works for me. Thx @tuanebi!
Hi @tuanebi, have you heard back from the team who manages the SSL certs? Thanks
For anyone that stumbles here looking for a client-side solution, the following R code worked for me:

library(httr)
url <- "https://rest.ensembl.org/"

## This fails
res <- GET(url)
#> Error in curl::curl_fetch_memory(url, handle = handle): error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

## lower the security level
httr_config <- config(ssl_cipher_list = "DEFAULT@SECLEVEL=1")
res <- with_config(config = httr_config, GET(url))
res
#> Response [https://rest.ensembl.org/]
#>   Date: 2020-10-01 10:32
#>   Status: 200
#>   Content-Type: text/html; charset=utf-8
#>   Size: 31.5 kB
#>
#> <!DOCTYPE html>
#>
#> <html lang="en">
#> <head>
#>   <script src="/static/js/20-prettify.js"></script>
#>   <script src="/static/js/30-jquery-1.11.1.min.js"></script>
#> ...
I also stumbled upon this problem today but thanks to your suggestions I could fix it. Kudos to you all! In case anybody is interested, the code that failed for me was a Python script using
Briefly: Starting with Ubuntu 20.04, OpenSSL is compiled with security level 2, which breaks many sites. Explicitly setting the security level to 1, the default on earlier Ubuntu releases, fixes the problem.
r-lib/httr#669
Ensembl/ensembl-rest#427
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689
https://github.com/jdblischak/faviconPlease/runs/1622277499?check_suite_focus=true#step:9:305
For anyone trying to debug this, I was able to reproduce it using the latest Docker image for Ubuntu Focal.
I omitted output from
Just a heads up that this issue now affects Fedora 33 after that distro also increased the default cryptographic settings (details). (Thanks @guidohooiveld for reporting this in grimbough/biomaRt#42) Unlike Ubuntu, this policy seems to apply system wide and affects other applications like Firefox, rather than just those calling OpenSSL. (Slightly different error message, but I believe the missing cipher is the
This also means individual application workarounds like in #427 (comment) don't work on Fedora. I've so far been unable to get cURL, R or Firefox to access any Ensembl sites without lowering the whole system's security settings.
Just to add my voice to this list of people reporting this issue.
I've got an update from www-prod that they are developing a solution for all affected EBI certs. The fix will be rolling out asap. I'll update here when I know more. |
Hey, this is working today on our Ubuntu 20.04.1 LTS system:
Yes!
I can confirm everything works for me as well (Ubuntu 20.04.2 LTS), and
Just to add that things are also working fine now on Fedora 33. 👍 |
On a stock Ubuntu 20.04 installation, it is not possible to connect to https://rest.ensembl.org using cURL, Python's requests library, or anything else that relies on OpenSSL for encryption:
This happens because of a combination of three reasons: Ensembl server configuration, increased TLS security level in Ubuntu 20.04 by default, and a bug in OpenSSL 1.1.1.
Ensembl server configuration
The certificate chain of rest.ensembl.org includes a redundant certificate signed with RSA-SHA1, which is broken:
Increased security level in Ubuntu 20.04
Previous versions of Ubuntu used OpenSSL built with -DOPENSSL_TLS_SECURITY_LEVEL=1. Starting with Ubuntu 20.04, a decision was made to increase the default security level to 2:
Because of this, the validation is more strict, and the broken certificate, even though it is redundant, trips OpenSSL. It can be seen using different cURL options:
Bug in OpenSSL 1.1.1
The fact that a redundant broken certificate trips OpenSSL at TLS security level 2 appears to be a bug: openssl/openssl#11236.
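The two practical questions this thread raises are "does the chain a server sends contain a signature that security level 2 will reject?" and "how do I lower the level for one client connection instead of editing /etc/ssl/openssl.cnf?". The script below is an added example written for this page; it is not code from the issue, from Ensembl, or from httr. It walks just enough DER to read each certificate's outer signatureAlgorithm OID, scores it the way OpenSSL 1.1.1 does (4 security bits per byte of digest output, so SHA-1 is 80 bits and fails the 112-bit floor of level 2), and lists every certificate in served order, since with the OpenSSL behaviour described above an under-strength certificate anywhere in the served chain breaks the handshake whether or not the validator needs it. The certificate chain it runs on is constructed in the script (structurally valid shells with a dummy body, not real Ensembl or GoDaddy certificates), the OID table and level thresholds are the ones I know from OpenSSL, and make_context reproduces the httr ssl_cipher_list workaround in the Python ssl module, scoped to one SSLContext.

```python
import base64
import re
import ssl

# Signature algorithm OID -> (name, security bits as OpenSSL 1.1.1 counts them:
# 4 bits per byte of digest, so MD5 64, SHA-1 80, SHA-256 128, SHA-384 192).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", 64),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", 80),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 128),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 192),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", 128),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", 192),
}
# Minimum bits OpenSSL demands at each TLS security level (level 0 allows all).
LEVEL_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                       # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:           # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """OID of the algorithm the issuer used to sign this certificate."""
    tag, start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)      # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def audit_chain(pem_text, level=2):
    """One dict per certificate in the bundle, in served order. 'ok' is False
    for any signature below the level's bit floor; unknown OIDs count as 0 bits."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_oid(base64.b64decode("".join(b64.split())))
        name, bits = SIG_ALGS.get(oid, (oid, 0))
        report.append({"index": i, "oid": oid, "name": name, "bits": bits,
                       "ok": bits >= LEVEL_BITS[level]})
    return report


def make_context(seclevel=1):
    """Per-context workaround (httr's ssl_cipher_list="DEFAULT@SECLEVEL=1")."""
    ctx = ssl.create_default_context()  # CA and hostname verification stay on
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    return ctx


# --- constructed sample chain: certificate shells with a dummy body, not real ---
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload   # short form; payloads < 128 B


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def synthetic_cert_pem(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # dummy serial
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 33)                              # empty BIT STRING
    body = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    chain = synthetic_cert_pem("1.2.840.113549.1.1.11") + synthetic_cert_pem("1.2.840.113549.1.1.5")
    for entry in audit_chain(chain, level=2):
        print(entry)
```

To audit a real server, save the output of `openssl s_client -showcerts -connect host:443` to a file and pass its text to audit_chain; a SHA-1 entry in the report at level 2 is the situation described in this issue. make_context(1) can be handed to urllib.request.urlopen as its context argument; keep it to the one client that needs it rather than lowering the level for the whole system, and drop it once the server chain is fixed.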