6

This is a follow up to Override Distro Package with Custom Package?.

Does anyone know if Ubuntu 14.04's OpenSSL enables all TLS protocols (TLS1.0, TLS1.1 and TLS1.2)? Or does it have protocols disabled (TLS1.1 and TLS1.2) like past versions?

Related: how does one even check for this sort of thing?

Edit: This is not a bug report question; nor is it a developer question. You guys are taking the "Close as Bug Report" much too far.

Community
  • 1
  • IMO it depends on the specific client (browser, email, etc.), not the OS. – Braiam Mar 28 '14 at 03:37
  • Thanks Braiam. Ubuntu will disable them. The clients and server have no choice. See, for example, OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2. –  Mar 28 '14 at 03:39
  • 1
    I think upstream fixed the problems, I wasn't able to reproduce the issue in Debian Testing, which uses OpenSSL 1.0.1f, so I think that Ubuntu will just import that. If you want to verify just download a copy of Ubuntu 14.04 and test it. – Braiam Mar 28 '14 at 03:51
  • Thanks Braiam. So I'm clear, what cipher is negotiated with this command: openssl s_client -connect mail.google.com:443 -servername mail.google.com -tls1_2 -no_comp? It should be one of the ECDHE-ECDSA ciphers like ECDHE-ECDSA-AES128-GCM-SHA256. –  Mar 28 '14 at 04:22
  • 1
    for me New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256 in Debian. – Braiam Mar 28 '14 at 04:32
  • Perfect, thank you very much. The ECDHE-ECDSA ciphers are only available in TLS 1.2 (and above, whenever that comes). –  Mar 28 '14 at 04:35
  • Just to clarify, the reason this is closed is because 14.04 hasn't been released yet, although I think since all the freezes have happened and you have an answer we can reopen it. @Braiam Please post an answer if you can. – Seth Mar 31 '14 at 20:37
  • @Seth no, the reason is because it's a bug. Trusty doesn't have imported the patch. OP needs to ask for a Feature Freeze exception as described in the wiki page https://wiki.ubuntu.com/FreezeExceptionProcess#FeatureFreeze_for_bugfix-only_updates if he wants the bug fixed for Trusty before final release. – Braiam Apr 01 '14 at 15:19
  • @Braiam No, the OP asked if it had the feature. Nothing to do with a bug. – Seth Apr 01 '14 at 15:21

4 Answers4

8
$ cat /etc/issue
Ubuntu 14.04 LTS \n \l

$ apt-cache policy openssl
openssl:
  Installed: 1.0.1f-1ubuntu2
  Candidate: 1.0.1f-1ubuntu2
  Version table:
 *** 1.0.1f-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

$ openssl ciphers -v 'TLSv1.2' | head -4
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
andrewsomething
  • 37,712
5

I would like to summarize the answer by @andrewsomething...

Short answer TLSv1.2.

Specifically on your system use the command:

$ openssl ciphers -v TLSv1

You can replace v1 with v1.[012] as needed to see details. Note you will want to use TLSv1 and TLSv1.2 (1.0 and 1.1 are disabled by default).

uDude
  • 191
4
openssl ciphers -v | awk '{print $2}' | sort | uniq

Should print what is enabled.

Sam
  • 141
0

According to the changelog, TLS 1.1 was last disabled by a bug fixed in version 1.0.1b (26 Apr 2012). Since then, TLS support was never disabled by default. However, they can be disabled.

To find out whether a server has any of the SSL protocols disabled, you can use:

nmap --script +ssl-enum-ciphers example.com

This will give you a return like this one:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-06 12:00 UTC
...
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
...
|   TLSv1.0: 
|     ciphers: 
...
|   TLSv1.1: 
|     ciphers: 
...
|   TLSv1.2: 
|     ciphers: 
...
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 22.15 seconds

When a protocol is not supported it is, usually, not present in the list.

JP de la Torre
  • 261