Ubuntu libssl update appears to break Piaware


#1

Hi,

I am running Ubuntu server (not a Pi) - it appears that a recent libssl update breaks Piaware and results in the ‘SSL dh key too small’ error below.


06/11/2015 20:42:51 piaware version 2.0-4 is running, process ID 2278
06/11/2015 20:42:51 your system info is: Linux ubuntu 3.13.0-54-generic #91-Ubuntu SMP Tue May 26 19:15:08 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
06/11/2015 20:42:51 connecting to FlightAware piaware.flightaware.com/1200
06/11/2015 20:42:51 error during tls handshake: handshake failed: dh key too small, will try again soon...
06/11/2015 20:42:51 ADS-B data program 'dump1090-mutabi' is listening on port 30005, so far so good
06/11/2015 20:42:51 i see dump1090-mutabi serving on port 10001
06/11/2015 20:42:51 connecting to dump1090-mutabi on port 10001...
06/11/2015 20:42:51 piaware is connected to dump1090-mutabi on port 10001
06/11/2015 20:42:51 dump1090-mutabi is listening for connections on FA-style port 10001
SSL channel "sock5": error: dh key too small
06/11/2015 20:42:54 piaware received a message from the ADS-B source!
06/11/2015 20:43:21 33 msgs recv'd from dump1090-mutabi; 0 msgs sent to FlightAware


Downgrading from libssl1.0.0 2.15 using the following (and a sudo piaware restart) resolved the issue on my specific system:


sudo apt-get install libssl1.0.0=1.0.1f-1ubuntu2

I thought I had broken something with my 2.0-4 piaware upgrade, but the libssl issue affects 1.20 and 2.0-4 in the same way.

Peter


#2

This will be to do with fixes for Logjam


#3

I take it that the worldwide FA receivers are currently susceptible?


#4

I updated my server today after the ssl update and haven’t noticed any issues.

edit: I take that back. It worked fine with piaware-mutability. I just manually installed the “official” piaware and now I have the same issue. Maybe it had to do with a restart or two in there.


06/13/2015 02:54:47 connecting to FlightAware 70.42.6.203/1200
06/13/2015 02:54:48 error during tls handshake: handshake failed: dh key too small, will try again soon...
SSL channel "sock5": error: dh key too small




#5

Geh, seriously? Another cipher suite problem? Cause I love patching servers! :unamused:


#6

Hi Guys,

I too have the same problem running piaware 2.04


06/13/2015 16:17:43 ****************************************************
06/13/2015 16:17:43 piaware version 2.0 is running, process ID 21920
06/13/2015 16:17:43 your system info is: Linux odroid 3.8.13.28 #1 SMP PREEMPT Wed Dec 3 18:40:50 BRST 2014 armv7l armv7l $
06/13/2015 16:17:43 connecting to FlightAware piaware.flightaware.com/1200
06/13/2015 16:17:43 error during tls handshake: handshake failed: dh key too small, will try again soon...
06/13/2015 16:17:43 ADS-B data program 'modesmixer2' is listening on port 30005, so far so good
06/13/2015 16:17:43 i see modesmixer2 serving on port 10001
06/13/2015 16:17:43 connecting to modesmixer2 on port 10001...
06/13/2015 16:17:43 piaware is connected to modesmixer2 on port 10001
06/13/2015 16:17:43 modesmixer2 is listening for connections on FA-style port 10001
SSL channel "sock5": error: dh key too small
06/13/2015 16:17:44 piaware received a message from the ADS-B source!
06/13/2015 16:18:13 81 msgs recv'd from modesmixer2; 0 msgs sent to FlightAware
06/13/2015 16:19:00 connecting to FlightAware 70.42.6.203/1200
06/13/2015 16:19:01 error during tls handshake: handshake failed: dh key too small, will try again soon...
SSL channel "sock5": error: dh key too small


Tried

sudo apt-get install libssl1.0.0=1.0.1f-1ubuntu2


The following packages have unmet dependencies:
 libssl-dev : Depends: libssl1.0.0 (= 1.0.1f-1ubuntu2.15) but 1.0.1f-1ubuntu2 is to be installed
              Recommends: libssl-doc but it is not going to be installed

Will regress to piaware 1.20 from a backup unless you can suggest a way of fixing it.

Edit…

Backup piaware 1.20 also suffers from this update


06/13/2015 17:26:33 ****************************************************
06/13/2015 17:26:33 piaware version 1.20 is running, process ID 22767
06/13/2015 17:26:33 your system info is: Linux odroid 3.8.13.28 #1 SMP PREEMPT Wed Dec 3 18:40:50 BRST 2014 armv7l armv7l $
06/13/2015 17:26:33 connecting to FlightAware eyes.flightaware.com/1200
06/13/2015 17:26:33 error during tls handshake: handshake failed: dh key too small, will try again soon...
06/13/2015 17:26:34 ADS-B data program 'modesmixer2' is listening on port 30005, so far so good
06/13/2015 17:26:34 i see modesmixer2 serving on port 10001
06/13/2015 17:26:34 connecting to modesmixer2 on port 10001...
06/13/2015 17:26:34 piaware is connected to modesmixer2 on port 10001
06/13/2015 17:26:35 modesmixer2 is listening for connections on FA-style port 10001
06/13/2015 17:26:35 piaware received a message from the ADS-B source!
SSL channel "sock5": error: dh key too small

Any help appreciated.

Andy.


#7

[quote=“Adraenyse”]

It gets better, you have to mess around with DH parameters that not everything actually lets you set. (I’m looking at you, tcl tls extension)


#8

As OBJ said earlier in this thread, this is the new OpenSSL library rejecting the 512-bit DH key due to Logjam. Ideally FA would fix this on the server, but the piaware client can be patched to tell it not to use the ciphers that need DH keys: https://github.com/flightaware/piaware/pull/17
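
An added illustration of the client-side workaround described in post #8 (not code from this thread, from piaware, or from the linked pull request): Python's ssl module accepts the same OpenSSL cipher-string syntax, so it can list which suites a client still offers once finite-field DHE is excluded. The cipher string `DEFAULT:!DH:!PSK` and the helper names are assumptions made for this example.

```python
import re
import ssl
from collections import defaultdict

# Assumed cipher string (not taken from the piaware pull request): start from
# OpenSSL's DEFAULT list and remove every suite whose key exchange is
# finite-field Diffie-Hellman. "!PSK" is included because DHE-PSK suites are a
# separate key-exchange class from the one the "DH" alias selects.
NO_DHE = "DEFAULT:!DH:!PSK"

# OpenSSL's one-line suite description carries the key exchange as "Kx=...".
KX_RE = re.compile(r"\bKx=(\S+)")


def suites_by_key_exchange(cipher_string):
    """Group the suites a client context would offer by their Kx= field."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = defaultdict(list)
    for suite in ctx.get_ciphers():
        m = KX_RE.search(suite.get("description", ""))
        groups[m.group(1) if m else "unknown"].append(suite["name"])
    return dict(groups)


def forward_secret(kx):
    """DHE (Kx=DH), ECDHE (Kx=ECDH) and TLS 1.3 (Kx=any) use ephemeral keys."""
    return kx in ("DH", "ECDH", "any")


if __name__ == "__main__":
    # Print the default offer next to the restricted one for comparison.
    for label, spec in (("default", "DEFAULT"), ("no DHE", NO_DHE)):
        print(f"--- {label}: {spec}")
        for kx, names in sorted(suites_by_key_exchange(spec).items()):
            fs = "forward secret" if forward_secret(kx) else "no forward secrecy"
            print(f"Kx={kx:<6} {len(names):>3} suites ({fs})")
```

Excluding DHE sidesteps the rejected 512-bit group, but any suite left under Kx=RSA has no forward secrecy, which is why the thread treats the cipher restriction as an interim measure and a server-side fix as the ideal.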


#9

Awesome, thanks. I might see if I can do the equivalent on the server side as an interim measure.


#10

OK, server side should be set to a list of ciphers that avoids the problem for now. If you were having trouble before, try again now and see if it’s fixed?


#11

This update also broke Alpine mail client on Ubuntu. Downgrading to libssl 2 fixed it. The problem is with my mail server, I suspect.