mimugmail / opn-repo

OPNsense repo by mimugmail

OPNsense business edition 23.10.2 Update breaks mimugmail repo #200

Closed krbrs closed 4 weeks ago

krbrs commented 8 months ago

I cannot update pkg from the mimugmail mirror anymore after the recent 23.10.2 business edition update.

Maybe it's because of this change?

https://forum.opnsense.org/index.php?topic=38534.0 "firmware: disallow TLS lower than 1.3 on business mirror"

https://github.com/opnsense/core/commit/daf467f69c03b227d705ba55a7ef9e351a838614

Full Check for Update log:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.10.2 at Sun Feb  4 20:08:51 CET 2024
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 872 packages processed.
Updating mimugmail repository catalogue...
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Authentication error
repository mimugmail has no meta file, using default settings
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: Authentication error
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
35105955840:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Authentication error
Unable to update repository mimugmail
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Running curl -vI https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz shows that the connection is established using TLS1.2 and not TLS1.3, which seems to be the reason why it fails.

* Host opn-repo.routerperformance.net:443 was resolved.
* IPv6: (none)
* IPv4: 46.16.78.247
*   Trying 46.16.78.247:443...
* Connected to opn-repo.routerperformance.net (46.16.78.247) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF

Can you verify this from your side? Is there any way to force fetching your repo using TLS1.2? Or is it possible to update the repo server to support TLS1.3?

If you need more info, please let me know!
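Added example, not part of the original post or the project's code: a small Python triage of the two outputs quoted above. It attributes each OpenSSL alert in a firmware update log to the repository being refreshed, decodes the alert number using the RFC 8446 alert registry, and reads the negotiated protocol from `curl -v` output. The function names, the sample lines and the host `repo.example.invalid` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Subset of TLS alert descriptions (RFC 8446, section 6).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}
REPO_RE = re.compile(r"^Updating (\S+) repository catalogue")
ALERT_RE = re.compile(r":SSL alert number (\d+)\s*$")
FAIL_RE = re.compile(r"^pkg(?:-static)?: (https://\S+): (.+)$")
CURL_RE = re.compile(r"^\* SSL connection using (TLSv[\d.]+) / (\S+)")

# Constructed sample input, modelled on the log format shown in this issue.
SAMPLE_LOG = """\
Updating OPNsense repository catalogue...
OPNsense repository update completed. 872 packages processed.
Updating mimugmail repository catalogue...
1:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:rec_layer_s3.c:1621:SSL alert number 70
pkg: https://repo.example.invalid/repo/FreeBSD:13:amd64/meta.txz: Authentication error
1:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:rec_layer_s3.c:1621:SSL alert number 70
pkg: https://repo.example.invalid/repo/FreeBSD:13:amd64/packagesite.pkg: Authentication error
Unable to update repository mimugmail
"""
SAMPLE_CURL = "* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF\n"

def triage_update_log(text):
    """Group TLS alerts and failed fetch URLs under the repository being updated."""
    repos = defaultdict(lambda: {"alerts": Counter(), "failed": []})
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := REPO_RE.match(line):
            current = m.group(1)              # following lines belong to this repo
        elif current and (m := ALERT_RE.search(line)):
            code = int(m.group(1))            # alert received from the peer
            repos[current]["alerts"][TLS_ALERTS.get(code, f"alert_{code}")] += 1
        elif current and (m := FAIL_RE.match(line)):
            repos[current]["failed"].append(m.group(1))
    return dict(repos)                        # only repos with alerts or failures

def negotiated_tls(curl_verbose):
    """Return (protocol, cipher) from curl's 'SSL connection using' line, or None."""
    for line in curl_verbose.splitlines():
        if m := CURL_RE.match(line.strip()):
            return m.group(1), m.group(2)
    return None

if __name__ == "__main__":
    print(triage_update_log(SAMPLE_LOG), negotiated_tls(SAMPLE_CURL))
```
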

mimugmail commented 8 months ago

Also, when using 1.3 it won't work, as all packages are linked to openssl3 for 24.1 compatibility.

Adrian-Grimm commented 7 months ago

Same issue here. It helped to just disable the repo by editing it via ssh: vi /usr/local/etc/pkg/repos/mimugmail.conf and changing enabled: yes to enabled: no

mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo/${ABI}",
  priority: 190,
  enabled: no
}

This could later get reverted when the issue is solved.

timolow commented 7 months ago

Same issue here

mimugmail commented 7 months ago

Yes, it only works with community edition until Business switches to openssl3 with 24.4

flaviuvlaicu commented 6 months ago

Is there any way to work it out rather than wait for the new 24.4 version?

mimugmail commented 6 months ago

No, sorry

timolow commented 5 months ago

Updated to 24.4, still seeing errors

34938167296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
34938167296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
34938167296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70
pkg-static: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: Authentication error
34938167296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 70

LOENS2 commented 4 months ago

I have the same error with version 24.4. This is unfortunate, because I use a lot of OPNrepo packages.

svendt commented 2 months ago

Same issue here with latest version of business edition.

mimugmail commented 4 weeks ago

fixed now ...