Ubuntu
curl package

tlsv1.0 was removed

Bug #1969859 reported by psl
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
curl (Ubuntu)
New
Undecided
Unassigned

Bug Description

Mint 20.3 (Ubuntu 20.04)

$ curl -V
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

It seems that support for TLSv1.0 was removed from curl or some SSL library. It is not possible to use curl to test if web site still supports tls v1.0. I have some old devices in my lab those support only TLS v1.0 and it is difficult to use those in 2022 because all major WWW browsers dropped support for TLS v1.0 & v1.1 and now I see that even CLI tools remove support for those obsolete protocols... :-( I noticed problems with haproxy an hour ago and just now I see that even curl cannot be used...

Following command was working in Ubuntu 18.04 but it doesn't work in 20.04 anymore (error is unsupported protocol), oldrouter supports only tlsv1.0:

$ curl -v -k --tlsv1.0 https://oldrouter.lan:445/
* Trying 192.168.17.1:445...
* TCP_NODELAY set
* Connected to ipcop.home (192.168.17.1) port 445 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

Revision history for this message
psl (slansky) wrote :

I am not sure but it is possible that all the trouble I see in modern distributions are caused by switch OPENSSL_TLS_SECURITY_LEVEL=2 in OpenSSL lib. I cannot use certificate with weak key (1024 bits is weak now), I cannot connect to clients with TLSv1.0 and TLSv1.1, etc.

$ openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Wed Mar 9 12:12:45 2022 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-2iuOVN/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

This is Ubuntu 18.04, it has no switch OPENSSL_TLS_SECURITY_LEVEL and I had more freedom to experiment with security protocols:

$ openssl version -a
OpenSSL 1.1.1 11 Sep 2018
built on: Wed Mar 9 12:13:40 2022 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-vxXVMf/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
root@budgie:~# openssl version -a | grep blow
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
root@budgie:~# openssl version -a | grep LEVEL

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.