Debian Unstable: "OpenSSL disables TLS 1.0 and 1.1" ... some effects related to SABnzbd #994

Closed
sanderjo opened this issue Aug 8, 2017 · 16 comments

@sanderjo
Contributor

sanderjo commented Aug 8, 2017

Some remarks related to Debian Unstable. As it's Unstable, they are just an FYI / discussion.

Sources
https://www.cyberciti.biz/howto/debian-linux/openssl-drops-tls-1-01-1-support-for-debian-unstable/
https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
tell:

I've just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

So I tried with sabnzbdplus-2.2.0RC1 on Debian Unstable to connect to ssl-eu.astraweb.com (which is TLS1, not TLS1.2), and SAB says:

[Errno 111] [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)
OK, good to know.

Then: SABnzbd stdout:

2017-08-08 19:36:09,413::INFO::[sabnzbdplus:1242] SSL version OpenSSL 1.1.0f  25 May 2017
2017-08-08 19:36:09,414::INFO::[sabnzbdplus:1243] SSL supported protocols ['TLS v1.2', 'TLS v1.1', 'TLS v1']

Hey, isn't that strange: 'TLS v1.1', 'TLS v1' ? Is that the difference between SSL and OpenSSL and/or libraries?

FWIW / I don't know if this is relevant:

2017-08-08 19:36:09,869::DEBUG::[downloader:409] SSL verification test: False

For Google:

2017-08-08 19:39:05,536::DEBUG::[downloader:113] ssl-eu.astraweb.com: Re-using address 193.202.122.129
2017-08-08 19:39:05,537::INFO::[newswrapper:283] Failed to connect: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661) 1@193.202.122.129:563
2017-08-08 19:39:05,545::INFO::[downloader:483] 3@ssl-eu.astraweb.com: Initiating connection
2017-08-08 19:39:05,546::DEBUG::[downloader:113] ssl-eu.astraweb.com: Re-using address 193.202.122.129
2017-08-08 19:39:05,551::INFO::[downloader:483] 4@ssl-eu.astraweb.com: Initiating connection
2017-08-08 19:39:05,551::DEBUG::[downloader:113] ssl-eu.astraweb.com: Re-using address 193.202.122.129
2017-08-08 19:39:05,557::INFO::[newswrapper:283] Failed to connect: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661) 2@193.202.122.129:563
2017-08-08 19:39:05,567::INFO::[newswrapper:283] Failed to connect: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661) 3@193.202.122.129:563
@sanderjo sanderjo changed the title from "Debian Unstable: "OpenSSL disables TLS 1.0 and 1.1" ... some remarks" to "Debian Unstable: "OpenSSL disables TLS 1.0 and 1.1" ... some effects related to SABnzbd" Aug 8, 2017
@Safihre
Member

Safihre commented Aug 8, 2017

@sanderjo maybe you can investigate what is wrong with the supported protocol detection and why the connection test fails?

I wish I had a good way to fix OpenSSL on macOS.. It's still stuck at TLSv1 only..

@sanderjo
Contributor Author

sanderjo commented Aug 8, 2017

sabnzbd/utils/sslinfo.py does something like this:

# Python 2 syntax: list every PROTOCOL_* constant the ssl module was built with
import ssl
for ssl_prop in dir(ssl):
	if ssl_prop.startswith('PROTOCOL_'):
		print ssl_prop

So I tried:

# Python 2 syntax: compare the constants known to the stdlib ssl module
# with the *_METHOD names known to pyOpenSSL
print "ssl stuff:"
import ssl
for ssl_prop in dir(ssl):
	if ssl_prop.startswith('PROTOCOL_'):
		print ssl_prop


print "\nOpenSSL stuff:"
import OpenSSL
for item in dir(OpenSSL.SSL):
	if item.find('METHOD') >= 0:
		print item

On my Ubuntu, that gives:

sander@Stream-13:~/git/sabnzbd$ python ssl_checker_SJ.py 
ssl stuff:
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

OpenSSL stuff:
SSLv23_METHOD
SSLv2_METHOD
SSLv3_METHOD
TLSv1_1_METHOD
TLSv1_2_METHOD
TLSv1_METHOD

On the Debian Unstable I get:

root@3149db96ebd4:/# python ssl_checker_SJ.py 
ssl stuff:
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

OpenSSL stuff:
SSLv23_METHOD
SSLv2_METHOD
SSLv3_METHOD
TLSv1_1_METHOD
TLSv1_2_METHOD
TLSv1_METHOD

So

  • the same on both systems
  • IMHO incorrect information. So: incorrect method?

@thezoggy
Contributor

thezoggy commented Aug 8, 2017

@sanderjo what version of ssl is loaded in python? dynamic/static linked? you could have multiple openssl installed.. and python is using an older version that still supports tls v1

for example on my windows box:

C:\Program Files (x86)\sabnzbd_git>python -c "import ssl;print ssl.OPENSSL_VERSION;"
OpenSSL 1.0.2j  26 Sep 2016
C:\Program Files (x86)\sabnzbd_git>openssl version
OpenSSL 1.0.2k  26 Jan 2017

oh, and if you have pyOpenSSL:
python -c "import OpenSSL;print OpenSSL.__version__"

@sanderjo
Contributor Author

sanderjo commented Aug 8, 2017

It's a Docker image, so all's clean.

I tried this, hoping for an error (and thus discovering which protocols are not there), which did not happen. :-(

root@3149db96ebd4:/# python
Python 2.7.13+ (default, Jul 19 2017, 18:15:03) 
[GCC 6.4.0 20170704] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> context.options |= ssl.OP_NO_SSLv2
>>> context.options |= ssl.OP_NO_SSLv3

@sanderjo
Contributor Author

sanderjo commented Aug 8, 2017

@thezoggy

Docker container creation:

sudo docker run -it -p 8080:8080 -p 9090:9090   debian:unstable /bin/bash

Then inside the container:

sed -i -e 's/main$/main contrib non-free/g' /etc/apt/sources.list
apt-get update 
apt-get -y upgrade
apt-get -y install python

Info you requested:

root@833f31f4038f:/# python -c "import ssl;print ssl.OPENSSL_VERSION;"
OpenSSL 1.1.0f  25 May 2017
root@833f31f4038f:/# openssl version
bash: openssl: command not found

So:

root@833f31f4038f:/# apt-get -y install openssl

root@833f31f4038f:/# openssl version
OpenSSL 1.1.0f  25 May 2017

@sanderjo
Contributor Author

sanderjo commented Aug 8, 2017

IMHO this is the situation:

  • nothing wrong with Debian Unstable
  • nothing wrong with python on this Debian
  • the method / trick in SABnzbd to find supported protocols is not correct, and gives false information.

@thezoggy
Contributor

thezoggy commented Aug 8, 2017

that 'version' of openssl without the support.. doesn't appear to be what you have installed? as your openssl is from May..

also nothing about the version or disabling of tls1.0/1.1 here..
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/CHANGES

@Safihre Safihre added the Support label Aug 9, 2017
@ghost ghost mentioned this issue Aug 11, 2017
@sanderjo
Contributor Author

sanderjo commented Aug 11, 2017

So ... how can SABnzbd see which TLS versions are supported by the OS? Just a few notes:

$ lynx --dump 'https://www.ssllabs.com/ssltest/viewMyClient.html' | grep -A8  Protocols | grep -e TLS -e SSL
   TLS 1.3 No
   TLS 1.2 Yes*
   TLS 1.1 Yes*
   TLS 1.0 Yes*
   SSL 3   Yes*
   SSL 2   No

Conclusion: my lynx/OS supports TLS 1.2, 1.1, 1, and SSL 3 (ouch).

Another, self-contained method:

Start a minimal TLS1.2-webserver (with SAB-keys):

sander@Stream-13:~/.sabnzbd/admin$ openssl s_server -accept 4444 -www -cert server.cert -key server.key -tls1_2

... and connect:

$ curl -k -s https://127.0.0.1:4444/ | grep -i protocol
    Protocol  : TLSv1.2

So my curl/OS does support TLS1.2

Within a Debian:Unstable, I cannot connect to a TLS1-only openssl-server:

root@3729a0d150c3:/# python -c "import urllib2; response = urllib2.urlopen('https://192.168.1.39:8888/') "
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661)>

So python/OS on Debian:Unstable cannot do TLS1.

@thezoggy
Contributor

thezoggy commented Aug 13, 2017

there is a bit of work that is needed in python dev to be able to support openssl 1.1.x (tls v1.3). so this probably is why in python 2.x you won't see much from the new openssl changes (1.1.x)

I wonder if sander's issue is: python/cpython#2305

@Safihre
Member

Safihre commented Aug 19, 2017

The changes are now merged for the 2.7 branch too, so probably there will be support in the next Python release.
The versions reported by Python are indeed how Python was compiled and not what is available at runtime, so probably Python on Debian was not recompiled yet to reflect these changes.

In general there is a discrepancy between what we report on the first Config page and what is actually used. For example it will list SSLv3, but because we use create_default_context SSLv3 is actually always disabled.
Not sure how we could improve that or if it really matters.
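As an added illustration of that discrepancy (my own example, not SABnzbd's code, and written for Python 3.7+ rather than the 2.7 discussed here): `known_protocol_names` repeats the sslinfo.py trick, while `configured_versions` reads what a given SSLContext is actually set up to negotiate from its `HAS_*` flags, `OP_NO_*` bits and version window. The `_VERSIONS` table and the `client_context` helper are my own names.

```python
import ssl

# Ordered oldest to newest. SSLv2 has no TLSVersion member, so it is left out.
_VERSIONS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, ssl.HAS_TLSv1_3),
]


def known_protocol_names():
    """The sslinfo.py trick: every PROTOCOL_* constant in the ssl module.
    It only says which constants this Python build knows about."""
    return sorted(n for n in dir(ssl) if n.startswith("PROTOCOL_"))


def configured_versions(ctx):
    """Versions ctx is configured to negotiate: the build-time HAS_* flag,
    the OP_NO_* bits and the minimum/maximum window must all allow them.
    OpenSSL's security level can still refuse one at handshake time, and
    nothing in Python exposes that, so only a real handshake is proof."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    allowed = []
    for name, ver, op_no, built_in in _VERSIONS:
        if not built_in or ctx.options & op_no:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
            continue
        if ver <= hi:
            allowed.append(name)
    return allowed


def client_context(minimum=None, maximum=None):
    """Client context pinned to a version window, by name from _VERSIONS."""
    by_name = {name: ver for name, ver, _, _ in _VERSIONS}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if minimum:
        ctx.minimum_version = by_name[minimum]
    if maximum:
        ctx.maximum_version = by_name[maximum]
    return ctx


def default_client_versions():
    """What create_default_context() would actually offer on this interpreter."""
    return configured_versions(ssl.create_default_context())
```

Run side by side, `known_protocol_names()` will still list `PROTOCOL_TLSv1` on an interpreter whose default context never offers TLS 1.0, which is exactly the "known" versus "supported" gap discussed above.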

@sanderjo
Contributor Author

Not sure how we could improve that or if it really matters.

I agree.

Maybe just change

SSL supported protocols ['TLS v1.2', 'TLS v1.1', 'TLS v1']

to

SSL known protocols ['TLS v1.2', 'TLS v1.1', 'TLS v1']

@Safihre
Member

Safihre commented Aug 19, 2017

Agreed!

Safihre added a commit that referenced this issue Aug 19, 2017
@Safihre Safihre closed this as completed Aug 26, 2017
@Safihre
Member

Safihre commented Aug 26, 2017

Let Python fix this! All we can do is report what we get from the ssl module.

Safihre added a commit that referenced this issue Aug 30, 2017
There is no way to get the actually enabled SSL/TLS protocols on a system, let alone from Python. It's not even possible from the `openssl` command line.
See also #994
And: https://stackoverflow.com/questions/45924030/get-available-ssl-tls-protocols-in-python-2-7
@Safihre
Member

Safihre commented Sep 8, 2017

@Cpuroast Seems TLSv1.3 support is coming to Python 2.7.14 after all:
python/cpython@b9a860f

Not for the binaries I guess, but at least it should work on the systems that have compatible OpenSSL versions.

@Cpuroast

Cpuroast commented Sep 8, 2017

From the changes to ssl.rst, it looks like TLS 1.3 is going to be in 2.7.15 as 2.7.14 is already in RC.

@thezoggy
Contributor

thezoggy commented Sep 8, 2017

per the cpython commit, yes, it's coming in 2.7.15:

+   Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
+
+   .. versionadded:: 2.7.15

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 5, 2023