Page MenuHomePhabricator
Create Task
Maniphest T283165

OpenSSL < 1.1.0 compatibility issues with new LE issuance chain
Closed, ResolvedPublic
Actions

Description

As detailed in https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816, the new Let's Encrypt default issuance chain ISRG Root X1 <-- DST Root CA X3 triggers a certificate chain verification corner case that affects the following libraries:

  • OpenSSL < 1.1.0
  • LibreSSL < 3.2.0
  • GnuTLS < 3.6.14

This issue as mentioned on the GnuTLS ticket affected AddTrust CA almost one year ago and the patch for the main libraries has been probably backported on the major linux distributions.

Related Objects
Search...

Event Timeline

Vgutierrez created this task.May 19 2021, 2:30 PM
Vgutierrez mentioned this in T283164: Let's Encrypt issuance chains update.May 19 2021, 2:42 PM
RhinosF1 subscribed.May 19 2021, 2:50 PM
BBlack subscribed.May 20 2021, 12:42 PM

bump for testing purposes

Vgutierrez added a comment.May 21 2021, 2:47 PM

As mentioned on the issue description, debian backported the fix for OpenSSL as it can be seen on a current debian jessie container:

root@69310d82543d:~# cat /etc/debian_version 
8.11
root@69310d82543d:~# openssl version
OpenSSL 1.0.1t  3 May 2016
root@69310d82543d:~# openssl verify -CAfile rsa-2048.chain.crt rsa-2048.crt 
rsa-2048.crt: OK
root@69310d82543d:~# openssl x509 -dates -noout -in rsa-2048.crt 
notBefore=May 10 13:15:07 2021 GMT
notAfter=Aug  8 13:15:07 2021 GMT
Marostegui removed a project: SRE.May 24 2021, 11:39 AM
Maintenance_bot added a project: SRE.May 24 2021, 11:45 AM
Marostegui removed a project: SRE.May 25 2021, 4:51 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.May 25 2021, 8:30 AM
MoritzMuehlenhoff subscribed.Sep 9 2021, 8:47 PM
MoritzMuehlenhoff added projects: SRE, Infrastructure-Foundations.Sep 10 2021, 11:33 AM
MoritzMuehlenhoff added a comment.Sep 10 2021, 11:36 AM
In T283165#7103576, @Vgutierrez wrote:

As mentioned on the issue description, debian backported the fix for OpenSSL as it can be seen on a current debian jessie container:

root@69310d82543d:~# cat /etc/debian_version 
8.11
root@69310d82543d:~# openssl version
OpenSSL 1.0.1t  3 May 2016
root@69310d82543d:~# openssl verify -CAfile rsa-2048.chain.crt rsa-2048.crt 
rsa-2048.crt: OK
root@69310d82543d:~# openssl x509 -dates -noout -in rsa-2048.crt 
notBefore=May 10 13:15:07 2021 GMT
notAfter=Aug  8 13:15:07 2021 GMT

Stretch has two copies of OpenSSL; src:openssl ships 1.1.0l (recent enough), but also src:openssl1.0 for packages which weren't ported to the new OpenSSL 1.1 API back then. This package is affected, but we need a closer look at which applications use it. Some are self-contained (e.g. OpenSSH), but e.g. Ruby and Node.js on Stretch still use OpenSSL 1.0.2.

Likewise for GNU TLS on Stretch. It's less used compared to OpenSSL, but e.g. still affects the GNUTLS-based flavours of libcurl.

akosiaris triaged this task as Medium priority.Sep 10 2021, 2:38 PM
Izno subscribed.Sep 15 2021, 4:14 PM
Stashbot added a comment.Sep 20 2021, 9:10 AM

Mentioned in SAL (#wikimedia-operations) [2021-09-20T09:10:15Z] <moritzm> installing openssl1.0 updates for stretch with backport for forthcoming Let's encrypt issuance chain update (T283165)

Stashbot added a comment.Sep 20 2021, 12:54 PM

Mentioned in SAL (#wikimedia-operations) [2021-09-20T12:54:10Z] <moritzm> installing gnutls28 updates for stretch with backport for forthcoming Let's encrypt issuance chain update (T283165)

Stashbot added a comment.Sep 20 2021, 1:45 PM

Mentioned in SAL (#wikimedia-operations) [2021-09-20T13:45:04Z] <moritzm> restarting apache on Logstash ELK5 cluster to pick up GNUTLS update T283165

MoritzMuehlenhoff added a comment.Sep 20 2021, 2:28 PM

For production:

  • OpenSSL in Buster and Bullseye is not affected (only ship OpenSSL 1.1)
  • OpenSSL updates for openssl 1.0.2 in Stretch have been rolled out
  • GNUTLS in Bullseye is not affected
  • GNUTLS in Buster was already fixed in Buster 10.10 (rolled out via T285206)
  • GNUTLS updates for Stretch have been rolled out

A few container images might need to be rebuilt for production and CI (not sure which of these are still in use):
https://debmonitor.wikimedia.org/packages/libssl1.0.2

hashar mentioned this in T291425: Rebuild CI images affected by OpenSSL compat issue with new Let's Encrypt issuance chain.Sep 20 2021, 7:04 PM
MoritzMuehlenhoff mentioned this in T291458: Rebuild production Stretch images with GNUTLS/OpenSSL updates for LE issue chain update.Sep 21 2021, 8:12 AM
Joe changed the status of subtask T291458: Rebuild production Stretch images with GNUTLS/OpenSSL updates for LE issue chain update from Open to In Progress.Sep 21 2021, 9:01 AM
gerritbot added a comment.Sep 24 2021, 12:53 PM

Change 720241 had a related patch set uploaded (by Alexandros Kosiaris; author: Hashar):

[operations/puppet@production] docker: add security updates to Bullseye base image

https://gerrit.wikimedia.org/r/720241

gerritbot added a project: Patch-For-Review.Sep 24 2021, 12:53 PM
akosiaris subscribed.Sep 24 2021, 12:54 PM
In T283165#7376396, @gerritbot wrote:

Change 720241 had a related patch set uploaded (by Alexandros Kosiaris; author: Hashar):

[operations/puppet@production] docker: add security updates to Bullseye base image

https://gerrit.wikimedia.org/r/720241

Wrong bug added, ignore please.

hashar closed subtask T291425: Rebuild CI images affected by OpenSSL compat issue with new Let's Encrypt issuance chain as Resolved.Sep 27 2021, 7:25 PM
Reedy mentioned this in T292342: Wikitech and wikitech-static out of sync.Oct 2 2021, 5:56 PM
Reedy added a subtask: T292342: Wikitech and wikitech-static out of sync.
Reedy added a subtask: T292324: mediawiki-vagrant fails provisioning (because of missing root cert).Oct 2 2021, 6:03 PM
hashar mentioned this in T292324: mediawiki-vagrant fails provisioning (because of missing root cert).Oct 2 2021, 8:31 PM
MoritzMuehlenhoff mentioned this in T291387: Ensure Cloud Services platforms will accept new LE issuance chain.Oct 4 2021, 7:20 AM
Joe closed subtask T291458: Rebuild production Stretch images with GNUTLS/OpenSSL updates for LE issue chain update as Resolved.Oct 5 2021, 6:45 AM
akosiaris added a comment.Oct 5 2021, 4:23 PM
In T283165#7365637, @MoritzMuehlenhoff wrote:

For production:

  • OpenSSL in Buster and Bullseye is not affected (only ship OpenSSL 1.1)
  • OpenSSL updates for openssl 1.0.2 in Stretch have been rolled out
  • GNUTLS in Bullseye is not affected
  • GNUTLS in Buster was already fixed in Buster 10.10 (rolled out via T285206)
  • GNUTLS updates for Stretch have been rolled out

A few container images might need to be rebuilt for production and CI (not sure which of these are still in use):
https://debmonitor.wikimedia.org/packages/libssl1.0.2

With T291458 done, I 've already rebuilt bullseye (which was not affected) and buster main images (with libgnutls30 3.6.7-4+deb10u7) so I think the base layers are done.

I 'll delete docker-registry.wikimedia.org/wikimedia/mediawiki-services-graphoid:2019-06-10-060747-production as graphoid is no longer around

I 'll also rebuild

  • docker-registry.wikimedia.org/nodejs-slim:0.0.2-20210912
  • docker-registry.wikimedia.org/ruby:0.0.2-20210912

For the releng images, I guess release engineering should be pinged.

akosiaris added a comment.Oct 5 2021, 4:29 PM
In T283165#7402880, @akosiaris wrote:
In T283165#7365637, @MoritzMuehlenhoff wrote:

For production:

  • OpenSSL in Buster and Bullseye is not affected (only ship OpenSSL 1.1)
  • OpenSSL updates for openssl 1.0.2 in Stretch have been rolled out
  • GNUTLS in Bullseye is not affected
  • GNUTLS in Buster was already fixed in Buster 10.10 (rolled out via T285206)
  • GNUTLS updates for Stretch have been rolled out

A few container images might need to be rebuilt for production and CI (not sure which of these are still in use):
https://debmonitor.wikimedia.org/packages/libssl1.0.2

With T291458 done, I 've already rebuilt bullseye (which was not affected) and buster main images (with libgnutls30 3.6.7-4+deb10u7) so I think the base layers are done.

I 'll delete docker-registry.wikimedia.org/wikimedia/mediawiki-services-graphoid:2019-06-10-060747-production as graphoid is no longer around

I 'll also rebuild

  • docker-registry.wikimedia.org/nodejs-slim:0.0.2-20210912
  • docker-registry.wikimedia.org/ruby:0.0.2-20210912

For the releng images, I guess release engineering should be pinged.

Heh, actually done already in https://phabricator.wikimedia.org/T291458#7368374

I missed that.

MoritzMuehlenhoff added a comment.Oct 5 2021, 4:30 PM

With T291458 done, I 've already rebuilt bullseye (which was not affected) and buster main images (with libgnutls30 3.6.7-4+deb10u7) so I think the base layers are done.

I 'll delete docker-registry.wikimedia.org/wikimedia/mediawiki-services-graphoid:2019-06-10-060747-production as graphoid is no longer around

I 'll also rebuild

  • docker-registry.wikimedia.org/nodejs-slim:0.0.2-20210912
  • docker-registry.wikimedia.org/ruby:0.0.2-20210912

Ack.

For the releng images, I guess release engineering should be pinged.

That was completed via https://phabricator.wikimedia.org/T291425

BBlack moved this task from TLS to Ready for work on the Traffic board.Oct 8 2021, 8:16 PM
Reedy closed subtask T292342: Wikitech and wikitech-static out of sync as Resolved.Nov 7 2021, 5:28 PM
taavi closed subtask T291387: Ensure Cloud Services platforms will accept new LE issuance chain as Resolved.Jan 22 2022, 12:49 PM
SLyngshede-WMF closed this task as Resolved.Jun 15 2022, 1:59 PM
SLyngshede-WMF claimed this task.
Tgr closed subtask T292324: mediawiki-vagrant fails provisioning (because of missing root cert) as Resolved.Oct 29 2022, 12:03 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL