Description of problem:
OpenSSL will allow DTLSv1.0 connections when system is configured with DEFAULT policy. This is in contrast to TLS, where in DEFAULT policy TLS 1.2 is the oldest version supported.

Version-Release number of selected component (if applicable):
openssl-1.1.1g-12.el8_3.x86_64

How reproducible:
always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodes -subj "/CN=localhost"
2. openssl s_server -dtls -key /tmp/key.pem -cert /tmp/cert.pem
3. (separate terminal) openssl s_client -dtls1 -cipher DEFAULT@SECLEVEL=0 -CAfile /tmp/cert.pem

Actual results:
---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1730 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : DTLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 481A64028477AD9DD40EA9FA483E4B10F0398AFCE30260CE8C34C222F842D68C
    Session-ID-ctx:
    Master-Key: 29BC1F446B16AEB23BF447AB9879919E47353C7B11F0CDF760F906325A45877D9F79BEF5F10B809C86FC8833695E17E8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 98 8d 66 52 25 91 71 2f-2a 96 a6 2e ec 3f 36 cf ..fR%.q/*....?6.
    0010 - fe bd f2 7d 0c 98 9d 14-b1 f0 e1 20 c8 ee 06 ea ...}....... ....
    0020 - 60 95 5b c1 b0 f1 d4 b3-7a 9f d2 a5 53 30 a7 b1 `.[.....z...S0..
    0030 - b1 e5 87 a7 b4 cb 94 13-d3 64 7d d2 cc 8a 17 56 .........d}....V
    0040 - 84 f9 13 b1 e3 ec 16 01-f8 40 95 8d fa 39 13 69 .........@...9.i
    0050 - ab fd 4d bb 87 b7 8e 3e-2b 1e d2 c5 8f 6d 63 15 ..M....>+....mc.
    0060 - d3 ca 65 25 f4 b6 9d ac-b8 d2 2c 9f 6e f3 b0 51 ..e%......,.n..Q
    0070 - f7 ad c5 66 dc 67 26 1d-ff de 29 4a 76 67 5f a3 ...f.g&...)Jvg_.
    0080 - ec b0 68 0a 60 fc 1c c8-7c a8 ff aa 3d 09 5e 8b ..h.`...|...=.^.
    0090 - 93 d3 7c b1 30 12 55 7e-fe 44 95 46 fe 97 43 89 ..|.0.U~.D.F..C.

    Start Time: 1614782654
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Expected results:
connection failure

Additional info:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openssl security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4424
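
A pass/fail check over the s_client output from the reproduction steps in the report above, as an added example that is not part of the bug report or of OpenSSL. The function names, return codes and the DTLSv1.2 floor (taken as the counterpart of the TLS 1.2 floor the report mentions) are assumptions of this example, and the sample input is constructed from the lines quoted in the report.

```shell
# Rank protocol names as printed by s_client. DTLS 1.0 is derived from
# TLS 1.1 and DTLS 1.2 from TLS 1.2, so each pair shares a rank.
proto_rank() {
  case "$1" in
    TLSv1)            echo 1 ;;
    TLSv1.1|DTLSv1)   echo 2 ;;
    TLSv1.2|DTLSv1.2) echo 3 ;;
    TLSv1.3)          echo 4 ;;
    *)                echo 0 ;;   # unknown or empty name
  esac
}

# check_min_proto MIN   (reads s_client output on stdin)
#   0 = session negotiated at MIN or newer
#   1 = session negotiated below MIN (the behaviour reported above)
#   2 = output or MIN not recognised
#   3 = no session negotiated (handshake failed, the expected result)
check_min_proto() {
  local min_rank out got got_rank
  min_rank="$(proto_rank "$1")"
  out="$(cat)"
  # Assumption: a failed handshake can still print an SSL-Session block,
  # so check the "Cipher is" summary before trusting the Protocol field.
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    return 3
  fi
  got="$(printf '%s\n' "$out" |
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
    head -n 1)"
  got_rank="$(proto_rank "$got")"
  if [ "$min_rank" -eq 0 ] || [ "$got_rank" -eq 0 ]; then
    return 2
  fi
  [ "$got_rank" -ge "$min_rank" ] || return 1
  return 0
}

# Constructed sample: the relevant lines of the output quoted in the report.
SAMPLE_DTLS1='New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol : DTLSv1
    Cipher : ECDHE-RSA-AES256-SHA'
```

Piping the output of the step 3 command into `check_min_proto DTLSv1.2` returns 1 for the behaviour in the report and 3 when the handshake is refused.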