connecting tinc 1.0.36/libssl3 to older nodes?

Nathan Stratton Treadway nathanst at ontko.com
Tue Sep 20 07:06:09 CEST 2022


On Wed, May 18, 2022 at 08:16:53 +0200, Guus Sliepen wrote:
> On Wed, May 18, 2022 at 01:28:31AM -0400, Nathan Stratton Treadway wrote:
> 
> > Thus, I believe Xenial's tinc 1.0.26 is attempting to use
> > EVP_bf_ofb()/EVP_sha1() when setting up the metadata connection -- and
> > that nothing else related to the metadata connection setup changed
> > between 1.0.26 and 1.0.33....
> 
> That's correct.

It turns out that upstream OpenSSL had a bug affecting the
Blowfish algorithm in early releases of libssl3:

  "OpenSSL 3 cannot decrypt data encrypted with OpenSSL 1.1 with blowfish
  in OFB or CFB modes" #18359:
     https://github.com/openssl/openssl/issues/18359

This bug was fixed in libssl3 3.0.4, and thus tincd (v1.0.36-2build1)
running on Ubuntu Kinetic system with up-to-date libssl3 packages
installed can now establish a metadata connection with tinc nodes
running Xenial's tinc (v1.0.26/libssl1.1).

I've opened a request for the upstream fix to be backported to libssl3
in Jammy; presumably once that happens tinc (also v1.0.36-2build) will
start working in Jammy as well....
    https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1990216


> > I am not sure how many bits of security the EVP_bf_ofb() algorithm is
> > considered to have, but it seems I need to have "CipherString =
> > DEFAULT:@SECLEVEL=1" in my override file in order to get past the
> > "digital envelope routines::unsupported" error during metadata
> > negotiation.
> 
> That's weird, why would you need to set that yourself... But very nice
> work in finding this out!

(With the fix for the Blowfish implementation in place, the SECLEVEL=1
adjustment is no longer necessary -- the only special configuration
needed on the Jammy node is the activation of the legacy provider.)


								Nathan



----------------------------------------------------------------------------
Nathan Stratton Treadway  -  nathanst at ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
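As an added example (not from the post above, nor from tinc or OpenSSL), a shell check for the BF-OFB cipher the thread is about: it encrypts one block with `openssl enc` under a published Blowfish reference vector, so a node whose OpenSSL 3 legacy provider is active and whose Blowfish matches libssl1.1 prints the expected value. The `openssl` CLI on PATH, the installed legacy provider module and the Schneier test vector are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tinc list post: a known-answer test (KAT) for
# the BF-OFB cipher tinc 1.0.x uses for its metadata connection. Matching the
# published Blowfish vector means this OpenSSL speaks the same BF-OFB as a
# libssl1.1 peer; no output or a mismatch means the legacy provider is not
# active or the Blowfish implementation diverges.
# Assumed reference vector (Schneier, 2nd entry): K = FF*8, block = FF*8,
# E_K(block) = 51866FD5B85ECB8A. OFB's first keystream block is E_K(IV), so
# eight zero bytes encrypted with IV = FF*8 must come out as exactly that.

EXPECTED=51866fd5b85ecb8a

# Major version of the openssl CLI ("1", "3", ...).
openssl_major() {
    openssl version | cut -d' ' -f2 | cut -c1
}

# Encrypt 8 zero bytes with BF-OFB under the reference key and IV; print hex.
# Blowfish cycles its key bytes, so a 16-byte key of FF equals the 8-byte
# reference key while matching openssl's default 128-bit Blowfish key length.
# Set BF_PROVIDERS="" in the environment to drop the explicit -provider flags
# and test whether the system openssl.cnf alone activates the legacy provider.
bf_ofb_kat() {
    if [ -z "${BF_PROVIDERS+set}" ]; then
        if [ "$(openssl_major)" -ge 3 ] 2>/dev/null; then
            BF_PROVIDERS="-provider legacy -provider default"
        else
            BF_PROVIDERS=""   # OpenSSL 1.x: Blowfish is built in
        fi
    fi
    head -c 8 /dev/zero \
      | openssl enc -bf-ofb -nosalt $BF_PROVIDERS \
            -K ffffffffffffffffffffffffffffffff -iv ffffffffffffffff 2>/dev/null \
      | od -An -tx1 | tr -d ' \n'
}

# Exit status 0 when the installed OpenSSL matches the reference vector.
check_bf_ofb() {
    got=$(bf_ofb_kat)
    if [ "$got" = "$EXPECTED" ]; then
        echo "BF-OFB OK: $got (legacy provider active, standard Blowfish)"
        return 0
    fi
    echo "BF-OFB MISMATCH: got '${got:-<no output>}', expected $EXPECTED" >&2
    return 1
}

check_bf_ofb
```

Running it with `BF_PROVIDERS=""` on a Jammy node exercises the openssl.cnf legacy-provider activation the post describes, rather than loading the provider from the command line.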

