[SERVER-51364] Ubuntu 18.04 Server with OCSP and TLS fails to work
Created: 05/Oct/20 | Updated: 29/Oct/23 | Resolved: 07/Jan/21

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0, 4.4.6 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Shreyas Kalyan |
| Assignee: | Shreyas Kalyan |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.4 |
| Sprint: | Security 2020-12-14, Security 2021-01-11 |
| Participants: | |
| Case: | (copied to CRM) |

Description
It appears that the OpenSSL shipped with Ubuntu 18.04 has a bug. When a server running on that version of OpenSSL negotiates TLS 1.3 with a Go client while OCSP stapling is enabled, connection establishment fails. The only fixes documented in the ticket are: 1. upgrade OpenSSL; 2. disable TLS 1.3; or 3. disable OCSP stapling. The first option isn't really available to us: Canonical would have to ship the upgrade, and older copies of the OS without the fix would still be in circulation. To unbreak the Go clients, we'd need to disable either TLS 1.3 or OCSP stapling by default on that platform.
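The client-side checks a Go program can make on such a handshake, as an added example that is not code from this ticket or from the MongoDB server: it runs both ends in-process over a net.Pipe with a constructed placeholder staple, so it shows the healthy case rather than reproducing the Ubuntu 18.04 OpenSSL failure. Go clients always ask for a staple (status_request), and `ConnectionState().Version` and `.OCSPResponse` report what was negotiated and whether the staple arrived; the same two fields, read after a `tls.Dial` that verifies the real chain, are how to confirm a TLS 1.3 or stapling workaround against an actual server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTestCert builds a throwaway self-signed certificate; OCSPStaple holds the
// bytes the server sends when the client's ClientHello carries status_request.
func newTestCert(staple []byte) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, OCSPStaple: staple}
}

// ProbeStapling runs one handshake over an in-memory pipe between a server that
// staples `staple` and a Go client capped at maxVersion. It returns the negotiated
// version and whether the client received a staple; a failed handshake is err.
func ProbeStapling(maxVersion uint16, staple []byte) (uint16, bool, error) {
	srvSide, cliSide := net.Pipe()
	defer func() { srvSide.Close(); cliSide.Close() }()
	srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{newTestCert(staple)}})
	go srv.Handshake() // server side runs concurrently; closing the pipe unblocks it
	// Go clients always send status_request. InsecureSkipVerify is set only because
	// the in-memory server is self-signed; a probe of a real server must verify the chain.
	cli := tls.Client(cliSide, &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: maxVersion, InsecureSkipVerify: true})
	if err := cli.Handshake(); err != nil {
		return 0, false, err
	}
	st := cli.ConnectionState()
	return st.Version, len(st.OCSPResponse) > 0, nil
}

func main() {
	staple := []byte("constructed placeholder, not a real OCSP response") // Go passes it through unparsed
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		ver, got, err := ProbeStapling(v, staple)
		fmt.Printf("max=%#x negotiated=%#x staple=%v err=%v\n", v, ver, got, err)
	}
}
```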
Comments

Comment by Githook User [ 07/Apr/21 ]
Author: Shreyas Kalyan <shreyas.kalyan@10gen.com> (username: shreyaskalyan)
Message: (cherry picked from commit c20e3c5001923d8e8385dab70786da97888b039e)
Comment by Ian Whalen (Inactive) [ 07/Jan/21 ]
Author: Shreyas Kalyan <shreyas.kalyan@10gen.com> (username: evrg-bot-webhook)
Message:
Comment by Shreyas Kalyan [ 07/Jan/21 ]
Author: Shreyas Kalyan <shreyas.kalyan@10gen.com> (username: shreyaskalyan)
Message:
Comment by Salman Baset [ 06/Nov/20 ]
andrey.belik can we move to Ubuntu 20 instead of 18? Otherwise, my recommendation is that we disable OCSP stapling in the Server for Ubuntu 18.04 builds.
Comment by Andrey Belik (Inactive) [ 13/Oct/20 ]
We use Ubuntu 16 and UBI 8.