Dear Maintainer,
* What led up to the situation?
Upgrading openssl, libssl3 to 3.0.3-7 from 3.0.3-6 on host system prevented
ckermit 305~alpha07-1+b1 on client system with libssl3 3.0.3-6 from
connecting to telnetd-ssl 0.17.41+0.2-3.3 on host system.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I first downgraded libssl3 from 3.0.3-7 on host system to 3.0.3-6 but that
didn't resolve the issue. After I downgraded openssl from 3.0.3-7 to 3.0.3-6
on the host system, I was able to connect from the client system which still
runs openssl 3.0.3-6 and libssl3 3.0.3-6.
Note, I am NOT running telnetd-ssl 0.17.41+0.2-3.3+b1 due to bug #1010968

On 2022-06-09 23:18:07 [+0930], Arthur Marsh wrote:
…

How do I set up a telnet-ssl server to begin with? I installed telnetd-ssl
from testing just to be sure and telnet -z ssl localhost does nothing.
Any idea?

Sebastian

Hi,

I was using ckermit as the telnet client, with a symbolic link from
/usr/local/bin/telnet to /usr/bin/kermit

Alternatively, simply run kermit and at the C-Kermit prompt enter:

telnet localhost

If using telnet from package telnet-ssl, one can connect using:

telnet 127.0.0.1

(provided you are not doing so as root).

Hope this helps,

Arthur.

Dear Maintainer,
* What led up to the situation?
I also found that telnet-ssl and ckermit could not connect to telnetd-ssl
if openssl 3.0.3-8 was installed.
* What exactly did you do (or not do) that was effective (or
ineffective)?
If I kept openssl at version 3.0.3-6, both ckermit and telnet-ssl could
connect to telnetd-ssl.

I have here
telnet-ssl 0.17.41+0.2-3.3+b1
telnetd-ssl 0.17.41+0.2-3.3+b1
libssl3 3.0.3-8
openssl 3.0.3-8

and then this happens:

| ~$ telnet-ssl debsidi386
| Trying 172.123.10.178...
| Connected to debsidi386.breakpoint.cc.
| Escape character is '^]'.
| [SSL - attempting to switch on SSL]
| [SSL - handshake starting]
| SSL: Server has a self-signed certificate
| SSL: unknown Issuer: /O=breakpoint.cc/OU=debsidi386 telnetd/CN=debsidi386.breakpoint.cc/emailAddress=root@debsidi386.breakpoint.cc
| [SSL - OK]
| Debian GNU/Linux bookworm/sid
| debsidi386 login: root
| Password:
| Linux debsidi386 5.18.0-2-686-pae #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1 (2022-06-16) i686
|
| The programs included with the Debian GNU/Linux system are free software;
| the exact distribution terms for each program are described in the
| individual files in /usr/share/doc/*/copyright.
|
| Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
| permitted by applicable law.
| Last login: Sun Feb 9 19:59:50 CET 2020 on tty1
| root@debsidi386:~#

so at least telnet-ssl + telnetd-ssl works. Can you confirm?

Sebastian

adding ckermit 305~alpha07-1+b1 and then:

| ~$ kermit
| C-Kermit 9.0.305 OPEN SOURCE: Alpha.07, 24 Jan 2022, for Linux+SSL (64-bit)
| Copyright (C) 1985, 2022,
| Trustees of Columbia University in the City of New York.
| Type ? or HELP for help.
| (~/) C-Kermit>help
|
| C-Kermit 9.0.305 OPEN SOURCE: Alpha.07, 24 Jan 2022, Copyright (C) 1985, 2022,
| Trustees of Columbia University in the City of New York.
|
| Type EXIT to exit.
| Type INTRO for a brief introduction to C-Kermit.
| Type LICENSE to see the C-Kermit license.
| Type HELP followed by a command name for help about a specific command.
| Type MANUAL to access the C-Kermit manual page.
| Type NEWS for news about new features.
| Type SUPPORT to learn how to get technical support.
| Press ? (question mark) at the prompt, or anywhere within a command,
| for a menu (context-sensitive help, menu on demand).
|
| Type HELP OPTIONS for help with command-line options.
|
| DOCUMENTATION: "Using C-Kermit" by Frank da Cruz and Christine M. Gianone,
| 2nd Edition, Digital Press / Butterworth-Heinemann 1997, ISBN 1-55558-164-1,
| plus supplements at http://www.kermitproject.org/ckermit.html#doc.
|
| (~/) C-Kermit>telnet /auth:ssl debsidi386
| DNS Lookup... Trying 172.123.10.178... Reverse DNS Lookup... (OK)
| Authenticating with SSL
| Warning: Server has a self-signed certificate
| [0] Certificate Subject=
| O=breakpoint.cc
| OU=debsidi386 telnetd
| CN=debsidi386.breakpoint.cc
| emailAddress=root@debsidi386.breakpoint.cc
| [0] Certificate Issuer=
| O=breakpoint.cc
| OU=debsidi386 telnetd
| CN=debsidi386.breakpoint.cc
| emailAddress=root@debsidi386.breakpoint.cc
| Continue? (Y/N) y
| [TLS - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
| Compression: None
| Connecting to host debsidi386.breakpoint.cc:23
| Escape character: Ctrl-\ (ASCII 28, FS): enabled
| Type the escape character followed by C to get back,
| or followed by ? to see other options.
| ----------------------------------------------------
| Password:
| Linux debsidi386 5.18.0-2-686-pae #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1 (2022-06-16) i686
|
| The programs included with the Debian GNU/Linux system are free software;
| the exact distribution terms for each program are described in the
| individual files in /usr/share/doc/*/copyright.
|
| Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
| permitted by applicable law.
| Last login: Mon Jun 20 18:50:36 CEST 2022 from 172.123.10.9 on pts/0
| You have mail.
| bigeasy@debsidi386:~$

so I'm in the mood of closing this bug.

Sebastian

On 2022-06-20 19:10:27 [+0200], To Arthur Marsh wrote:
> I have here
> telnet-ssl 0.17.41+0.2-3.3+b1
> telnetd-ssl 0.17.41+0.2-3.3+b1
> libssl3 3.0.3-8
> openssl 3.0.3-8

adding ckermit 305~alpha07-1+b1

When upgrading telnetd-ssl (017.41+0.2-3.3+b1) over (0.17.41+0.2-3.3) I
received the line:

You already have /etc/telnetd-ssl/telnetd.pem

After upgrading both telnetd-ssl as above and openssl (3.0.3-8) over
(3.0.3-6), I still had telnet-ssl localhost failing:

$ telnet-ssl localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Error loading CRT /etc/telnetd-ssl/telnetd.pem: , ee key too small
do_ssleay_init() failed
408788F4E87F0000:error:0A00018F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:221:
Connection closed by foreign host.

ckermit run as a symbolic link from telnet also was unsuccessful:

$ telnet localhost
DNS Lookup... Trying 127.0.0.1... Reverse DNS Lookup... (OK)
localhost connected on port telnet
?Connection closed by peer.
can't open host connection
Closing localhost:23...OK

I renamed /etc/telnetd-ssl/telnetd.pem to /etc/telnetd-ssl/oldtelnetd-ssl.pem
and re-installed telnetd-ssl 0.17.41+0.2-3.3+b1

telnetd-ssl still failed:

$ telnet-ssl localhost
xprop: unable to open display '127.0.0.1:0'
Trying ::1..
Connected to localhost.
Escape character is '^]'.
telnetd: SSL required - connection rejected.
Connection closed by foreign host.

but ckermit run as a symbolic link from telnet now works:

$ telnet localhost
xprop: unable to open display '127.0.0.1:0'
DNS Lookup... Trying 127.0.0.1... Reverse DNS Lookup... (OK)
localhost connected on port telnet
Authenticating with SSL
Warning: Server has a self-signed certificate
[0] Certificate Subject=
O=Internet Widgits Pty Ltd
OU=am64 telnetd
CN=am64
emailAddress=root@am64
[0] Certificate Issuer=
O=Internet Widgits Pty Ltd
OU=am64 telnetd
CN=am64
emailAddress=root@am64
Continue? (Y/N) y
[TLS - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
Compression: None
Password:

This solves the issue I was having and the /etc/telnetd-ssl/telnetd.pem
"ee key too small" may be a clue to what was causing problems for me.

Thanks for your time looking at this.

Arthur Marsh.

Please check the key size of telnetd.pem and create a larger key. You need
2048k+ RSA. This was mandatory even in 1.1 but you could avoid it…

…

Okay. Closing this then.

Sebastian
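
The key-size check asked for above, as an added example that is not part of the original thread or of the telnetd-ssl package. It reads the RSA size from a certificate and regenerates the file only when it is below the 2048 minimum. Assumptions: the PEM holds an RSA certificate and its unencrypted key in one file, the function names are hypothetical, and the CN and 365-day lifetime are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): check the RSA size of a combined
# certificate+key PEM and regenerate it when it is too small.
MIN_BITS=2048   # minimum taken from the maintainer's reply

# Print the public-key size in bits of the first certificate in a PEM file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# 0 = key is large enough, 1 = too small, 2 = no readable certificate.
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$MIN_BITS" ]
}

# Write a self-signed certificate plus its unencrypted key to one file.
# Assumption: the daemon reads both from the same PEM; CN and lifetime are
# constructed sample values.
make_combined_pem() {   # usage: make_combined_pem OUT BITS CN
    out=$1; size=$2; cn=$3
    tmp=$(mktemp -d) || return 1
    ( umask 077
      openssl req -x509 -newkey "rsa:$size" -nodes -days 365 \
          -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
      cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Keep the old file as FILE.old and create a MIN_BITS replacement, but only
# when the existing certificate key is too small.
renew_if_small() {      # usage: renew_if_small PEM CN
    cert_key_ok "$1"
    case $? in
        0) return 0 ;;
        1) mv "$1" "$1.old" && make_combined_pem "$1" "$MIN_BITS" "$2" ;;
        *) return 2 ;;
    esac
}

# Report mode: sh thisfile /etc/telnetd-ssl/telnetd.pem
for f in "$@"; do
    echo "$f: $(cert_key_bits "$f") bit RSA (minimum $MIN_BITS)"
done
```

Run the report mode against a copy of the file first; `renew_if_small` leaves the previous certificate beside the new one as `FILE.old`.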