[Pkg-openssl-devel] Bug#914931: pagekite: Fail to connect to pagekite.me services with openssl installed

Petter Reinholdtsen pere at hungry.com
Wed Nov 28 20:25:45 GMT 2018


Package: pagekite
Version: 0.5.9.3-2
Severity: important
X-Debbugs-CC: Debian OpenSSL Team <pkg-openssl-devel at lists.alioth.debian.org>, FreedomBox packaging team <freedombox-pkg-team at lists.alioth.debian.org>

The upgrade from openssl version 1.1.0h-4 to 1.1.1-1 broke pagekite on
the FreedomBox.  After a debug session with the pagekite author I
discovered the reason is changes in /etc/ssl/openssl.cfg, which now
block connection to the pagekite.net services.

The following change got the pagekite service working again.

The backdrop for this issue is that some of the pagekite.net servers are
running fairly old software that cannot be quickly reconfigured to work
with newer versions of TLS.  This makes fixing it on the server side
unlikely to happen any time soon.

CC to the openssl and freedombox teams to make them aware of the issue.

The following patch got pagekite working again:

diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
index d155d1e..309081a 100644
--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
@@ -351,12 +351,12 @@ ess_cert_id_chain = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
 ess_cert_id_alg                = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)
-[default_conf]
-ssl_conf = ssl_sect
-
-[ssl_sect]
-system_default = system_default_sect
-
-[system_default_sect]
-MinProtocol = TLSv1.2
-CipherString = DEFAULT at SECLEVEL=2
+#[default_conf]
+#ssl_conf = ssl_sect
+#
+#[ssl_sect]
+#system_default = system_default_sect
+#
+#[system_default_sect]
+#MinProtocol = TLSv1.2
+#CipherString = DEFAULT at SECLEVEL=2
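
Review bot: commenting out all nine lines from [default_conf] through the CipherString line removes the TLSv1.2 minimum and the SECLEVEL=2 cipher floor for every program that reads this system-wide openssl.cnf, not only pagekite. Keep the three sections and relax only the setting the pagekite.net servers actually fail on, for example by lowering the value on the MinProtocol line, or leave this file untouched and point pagekite alone at a private copy through the OPENSSL_CONF environment variable. It is also worth checking whether an openssl_conf line elsewhere in the file (outside this hunk) still refers to default_conf once its section header is commented out.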

-- 
Happy hacking
Petter Reinholdtsen


