6

When I upgraded my Linux to 22.04 and OpenSSL 3.0.2 (php7.4-fpm), I get this error on my site:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:0A000126:SSL routines::unexpected eof while reading
vinprom
  • 63

4 Answers

7

How about enabling the Legacy provider?

I saw similar trouble with Nextcloud on Ubuntu 22.04 and finally avoided it with this change.

--- /etc/ssl/openssl.cnf~original   2022-03-16 08:35:51.000000000 +0000
+++ /etc/ssl/openssl.cnf    2022-05-04 02:37:30.336530711 +0000
@@ -56,6 +56,7 @@
 # List of providers to load
 [provider_sect]
 default = default_sect
+legacy = legacy_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
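
Review bot: The added "legacy = legacy_sect" line in [provider_sect] lands in /etc/ssl/openssl.cnf, so it applies to every program on the host that reads this file, not only the one that failed. Consider carrying the change in a separate copy of the config that only the affected service is pointed at, and put a comment above the line saying why the legacy provider is loaded so it can be removed later.
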
@@ -69,7 +70,9 @@
 # OpenSSL may not work correctly which could lead to significant system
 # problems including inability to remotely access the system.
 [default_sect]
-# activate = 1
+activate = 1
+[legacy_sect]
+activate = 1
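
Review bot: The new [legacy_sect] header follows directly after "activate = 1" under [default_sect], with no blank line and no comment, so the two sections are easy to misread as one. Separate them with a blank line and document the legacy section. The context lines just above also warn that a broken provider setup can cut off remote access, so this edit is worth testing from a session that will survive a failure.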

https://gist.github.com/rdh27785/97210d439a280063bd768006450c435d

  • 3
    It would be nice if you could explain what to do a little bit more in the post rather than relying so heavily on a link – Zanna May 05 '22 at 08:38
  • 3

    It would be nice if you could explain what to do a little bit more in the post rather than relying so heavily on a link

    Thank you for your suggestion. My gist is a patch for /etc/ssl/openssl.cnf, to enable the compatible algorithms of OpenSSL. The algorithms are called "The legacy providers". These are weak but I think this setting is useful for surpassing the current situation.

    See also: https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md

    – Seori Konno May 06 '22 at 13:34
  • this teaches something new, but it doesn't solve the issue. I added legacy_sect and activated both default and legacy and the error is still there: routines:ossl_store_handle_load_result:unsupported – pwned Dec 24 '22 at 08:35
6

Ubuntu 22.04 upgraded OpenSSL to version 3.0.2, which is more strict in its security policies. I guess you are trying to download a file from an outdated server to which OpenSSL 3.0.2 does not permit connection by default.

The OpenSSL manual describes the option flag that permits connection despite the vulnerability:

SSL_OP_IGNORE_UNEXPECTED_EOF

Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

In practice, the SSL_OP_IGNORE_UNEXPECTED_EOF option needs to be set via the OpenSSL API, but quite likely you are using some higher level function to operate the HTTPS connection (like curl). I think your best bet is to find out if that function allows setting OpenSSL options.
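
An added example, not part of the answer above or of any project's code: the OpenSSL manual entry for this option also says to enable it only when the protocol running over TLS can detect truncation itself. The sketch below sets the flag through Python's `ssl.OP_IGNORE_UNEXPECTED_EOF` and pairs it with an HTTP/1.1 completeness check; the function names and sample responses are constructed for illustration.

```python
import ssl

def tolerant_context() -> ssl.SSLContext:
    """Client context that accepts a peer closing without close_notify."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    # ssl.OP_IGNORE_UNEXPECTED_EOF exists from Python 3.10 on; 0 is a no-op fallback.
    ctx.options |= getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
    return ctx

def _chunks_terminated(body: bytes) -> bool:
    """Walk a chunked body and confirm the final zero-length chunk arrived."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False
        try:
            size = int(body[pos:eol].split(b";")[0], 16)
        except ValueError:
            return False
        if size < 0:
            return False
        if size == 0:  # last chunk: optional trailers, then an empty line
            rest = body[eol + 2:]
            return rest == b"\r\n" or rest.endswith(b"\r\n\r\n")
        pos = eol + 2 + size + 2
        if body[pos - 2:pos] != b"\r\n":
            return False  # chunk data or its CRLF was cut off

def body_is_complete(raw: bytes) -> bool:
    """True only if the HTTP/1.1 response itself proves nothing was truncated."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False  # headers were cut off
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return _chunks_terminated(body)
    length = headers.get(b"content-length", b"")
    if length.isdigit():
        return len(body) >= int(length)
    return False  # read-until-close framing cannot detect truncation

# Constructed sample responses (not captured traffic)
FULL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
CUT = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhel"
UNFRAMED = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello"
CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
```

A response like `UNFRAMED` is the case where ignoring the missing close_notify hides a truncated download, so a caller should treat it as unverified.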

3

OK I can verify the following: If you have OpenSSL3.0.2 on Ubuntu 22.04 and are receiving this error, verify what version of PHP you are using. PHP8.0 and lower is not compatible with OpenSSL3.0.2. You will need to upgrade to PHP8.1 or higher. I run a zabbix server on Ubuntu22.04 and was receiving this error on a lot of my servers, but after updating to PHP8.1 all of them came online without error.

https://github.com/php/php-src/issues/8369#issuecomment-1126935451 PHP 8.0 does not support OpenSSL 3.0 so it's not applicable there.

-1

I had a similar problem and solved it by installing an old libssl package version (libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb) and removing the default libssl version (libssl.so.3) on Ubuntu 22.04. I followed these steps:

Joepie Es
  • 1,460
  • David, welcome to AU. I edited your answer using the version numbers. Using them can be important. – Joepie Es Aug 23 '22 at 14:00
  • Hello, I tried these commands but it broke my laptop. I would not recommend to anyone to run these commands. – Pol Dellaiera Sep 28 '22 at 10:01
  • 3
    Eeek. No. Why downgrade such a sensitive security framework as OpenSSL? There are good reasons why OpenSSL made the jump to version 3. It was not to annoy sysadmins desperate to fix their (now) broken configurations... – Gwyneth Llewelyn Oct 21 '22 at 18:55
  • Have fun with your next OS update after you muck with the OS installation like this... – Andrew Henle Jan 23 '23 at 16:06