ooni/sysadmin

c.collector non usable with Debian because of TLS < 1.2

bassosimone opened this issue · 4 comments

FYI, I just noticed that c.collector does not work properly when used inside Debian testing because it's using a pre-TLSv1.2 protocol (TLSv1.2 is the minimum required by Debian). I fixed this for our CI by forcing our Debian build image for MK to accept TLSv1.0+. Do we want to redeploy c.collector in a way that allows us to use it from Debian with default settings?

See:

$ docker run -it debian:testing
root@9f38ab822498:/# apt update -y && apt install -y curl
root@9f38ab822498:/# curl -v https://c.collector.ooni.io
*   Trying 37.218.242.210...
* TCP_NODELAY set
* Connected to c.collector.ooni.io (37.218.242.210) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

FWIW, the bouncer is fine:

root@9f38ab822498:/# curl -v https://bouncer.ooni.io
*   Trying 103.104.244.87...
* TCP_NODELAY set
* Connected to bouncer.ooni.io (103.104.244.87) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Next protocol (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=bouncer.ooni.io
*  start date: Jan  1 11:21:06 2019 GMT
*  expire date: Apr  1 11:21:06 2019 GMT
*  subjectAltName: host "bouncer.ooni.io" matched cert's "bouncer.ooni.io"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: bouncer.ooni.io
> User-Agent: curl/7.63.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Fri, 08 Feb 2019 10:45:40 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 69
< Connection: keep-alive
< Keep-Alive: timeout=120
< 
* Connection #0 to host bouncer.ooni.io left intact
<html><title>404: Not Found</title><body>404: Not Found</body></html>
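
To verify a redeploy like the one requested here (or to check any other host the same way), here is an added Python probe; it is not code from the issue or from ooni/sysadmin. It pins the client to one TLS version per attempt, which is what the curl runs above do implicitly through Debian's OpenSSL default, and classifies the failure reason; the default hostname, `classify_ssl_error` and `meets_policy` are my own choices.

```python
import socket
import ssl
import sys

VERSIONS = {  # oldest first; meets_policy relies on this order
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def context_for(version):
    """Pin one version; explicit bounds override the MinProtocol=TLSv1.2 Debian ships."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def classify_ssl_error(reason):
    """Map an OpenSSL reason string to a diagnosis (UNSUPPORTED_PROTOCOL is the curl case above)."""
    reason = (reason or "").upper()
    if "UNSUPPORTED_PROTOCOL" in reason or "PROTOCOL_VERSION" in reason:
        return "server will not negotiate this version"
    if "HANDSHAKE_FAILURE" in reason or "NO_CIPHERS" in reason:
        return "no cipher suite in common"
    return "handshake error: " + reason

def probe(host, port=443, timeout=5.0):
    """Return {version name: (negotiated, detail)} for one server."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with context_for(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, f"{tls.version()} {tls.cipher()[0]}")
        except ssl.SSLError as exc:
            results[name] = (False, classify_ssl_error(exc.reason or str(exc)))
        except OSError as exc:  # refused, timeout, DNS failure
            results[name] = (False, f"connection failed: {exc}")
    return results

def meets_policy(results, floor="TLSv1.2"):
    """True if some version >= floor negotiated: usable from a client defaulting to floor."""
    order = list(VERSIONS)
    return any(results.get(v, (False, ""))[0] for v in order[order.index(floor):])

if __name__ == "__main__":
    res = probe(sys.argv[1] if len(sys.argv) > 1 else "c.collector.ooni.io")
    print(*(f"{n:8} {'ok' if ok else 'NO'}  {d}" for n, (ok, d) in res.items()), sep="\n")
    print("usable with MinProtocol=TLSv1.2 clients:", meets_policy(res))
```

Run it as `python3 tlsprobe.py bouncer.ooni.io` to compare a host that negotiates TLSv1.2 with one that only answers with an older version; on current OpenSSL builds the TLSv1.0 and TLSv1.1 rows may also report a failure for policy reasons on the client side, so read them together with the detail column.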

darkk commented

@bassosimone do you know if it affects any other platform besides quite bleeding-edge debian:testing?
(asking to understand severity)

Seems big vendors say "early 2020":

So it seems it's kinda important, but not P0 right now.

@darkk yeah, I guess we're good for now. A related question is how come the bouncer is okay and the collector is not. Do you perhaps have an idea? (I would have expected all services to be more or less in the same general situation vis-à-vis TLS.)

darkk commented

> I would have expected all services to be more or less in the same general situation

They're not. "Clean re-deploy, TLS and httpd logging unification" was never put into the calendar plan, so these stories were falling through the cracks. There were some actions of that sort done in spare time, but they were by no means complete.

This is no longer an issue as it has been deployed to ams-ps.ooni.nu.