Ubuntu FIPS libssl1.1 update breaks diffie-hellman-group-exchange-sha256 key exchange
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | Fix Released | Undecided | Adam Bell |
Bug Description
To reproduce: start a FIPS VM (e.g. in Azure):
az group create --location 'francecentral' --resource-group test-fips
az vm create --name bionic-fips --resource-group test-fips --image 'Canonical:
Try to SSH into the VM using this key exchange algo:
ssh -o KexAlgorithms=
(it should work at this point)
Install the updates (apt update && apt upgrade -y). Log out and try to SSH in again:
ssh -o KexAlgorithms=
This will fail. SSH logs with DEBUG3 show (full logs attached):
Nov 17 09:57:03 bionic-
Nov 17 09:57:03 bionic-
Nov 17 09:57:03 bionic-
The issue appears when upgrading libssl1.1 from 1.1.1-1ubuntu2.
Changed in cloud-images:
assignee: nobody → Adam Bell (arbell)
Changed in cloud-images:
status: Confirmed → Fix Committed
assignee: Adam Bell (arbell) → nobody
assignee: nobody → Adam Bell (arbell)
Cannot reproduce this on any environment I have. Both multipass and QEMU/KVM installed from the Ubuntu ISO work with no problem.
I'm attaching my own log from the multipass machine here.