fuzzball-muck/fuzzball

Ubuntu 20.04 turns off TLSv1, TLSv1.1 by default

Closed this issue · 4 comments

The intent of the --enable-force-tls12 option (#458) was to disable TLSv1.3 by setting the maximum TLS version to 1.2, not to force both minimum and maximum TLS versions to 1.2.

Compiling with this option seems to have broken clients that only speak older TLS versions, such as Potato.

I grossly misread something, here. Ignore me.

Found the issue. There's a setting buried in a changelog for the latest Ubuntu LTS release. If the string :@SECLEVEL=1 isn't found at the end of the ssl_cipher_preference_list tuneable, TLSv1 and TLSv1.1 will be disabled even if every other config option allows it. Might be a good idea to add that to the default tuneable string.

@cyveris Thanks for the report! @wyld-sw is this something you can look at? If not I'll try to look this weekend.

@tanabi I probably can't get to it before next week, so I'd appreciate it if you could take a look. Thanks!