mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

SSL Version Mismatch #4434

Closed frakier closed 4 years ago

frakier commented 4 years ago

Using...

Mumble (1.3.2) on Windows 10 and Mumble (1.3.2-1~ppa1~focal1) on Linux Mint 20 Ulyana 64-bit Mate 1.24.0 Kernel 5.4.0-42-generic x86_64

attempt connecting to a server at my brother's house and a server at east1.mmo-mumble.com.

Windows 10: works on both servers. Linux: complains SSL Version Mismatch on both servers.

Krzmbrzl commented 4 years ago

What version of Mumble is the server running?

And what is the exact error message you get on Linux?

frakier commented 4 years ago

on east1.mmo-mumble.com Protocol 1.2.3 Linux 4.6.5-x86-linode89 Connection uses TLS 1.0

for my brother's server [this would be easier if you could copy the mumble server information that you get when you use the menu server->information] Protocol 1.2.19 1.2.19-1ubuntu1 (x11) Connection uses TLS 1.0

Like I said on windows it works and linux does not work, guessing it is linux since I updated to Linux Mint 20 over the weekend but figured to start here because I have no idea how to proceed through linux channels.

frakier commented 4 years ago

The full error that pops up is... SSL Version mismatch "This server is using an older encryption standard, and is no longer supported by modern versions of Mumble."

I have no problems with trying to just update my brother's mumble server to a newer mumble if that is the problem and possible. But I do not see why this would work on a windows client and not linux clients when the server is on linux. I can't update the east1.mmo-mumble.com at all though as it is not mine.

davidebeatrici commented 4 years ago

Updating the server is indeed the real solution.

If that's not feasible, you can lower the minimum protocol version in /etc/ssl/openssl.cnf:

```
[system_default_sect]
MinProtocol = TLSv1.0
```

frakier commented 4 years ago

> [system_default_sect]
> MinProtocol = TLSv1.0

is not in the openssl.cnf, are you saying just to add it.

davidebeatrici commented 4 years ago

At the bottom of the file. On Debian Testing it's set to TLSv1.2.

frakier commented 4 years ago

Not in the config, tried just adding it to see but no luck. Guess I will downgrade to an older version of LinuxMint where it was still working.

TredwellGit commented 4 years ago

> [system_default_sect]
> MinProtocol = TLSv1.0
>
> is not in the openssl.cnf,

Good.

> are you saying just to add it.

No, he is saying to update the server. Mumble 1.2.3 is well over nine years behind what you should be using and TLS 1.0 is almost twenty-two years old. Both using TLS 1.0 and Mumble 1.2.3 are security vulnerabilities that should not be done. The version of Linux Mint you are using now is correct in rejecting TLS 1.0; your server is broken.

That being said, I have been meaning to send in a pull request to up the TLS requirements for Mumble.

frakier commented 4 years ago

I got it working for now by lowering the TLS using a how to I found. Until east1.mmo-mumble.com updates I have little choice. Guessing windows 10 is still allowing the v1.0 is the reason it still worked on win10. I'm behind a firewall and the only people that use the two mumble servers I use are family. Never connected to any other server. It will do for now, going to rebuild the computer again in another case soon anyhow.

TredwellGit commented 4 years ago

Just be advised that being behind a firewall will not protect you at all in this situation (only using modern TLS will) and that lowering the minimum TLS setting in OpenSSL will create security issues with other programs. Consider a different server host.
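A check for the system-wide side effect described in the comment above, as an added example that is not part of the thread or of Mumble's code: it parses an openssl.cnf, follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain, and reports whether `MinProtocol` is below TLS 1.2 for every program using that file, or sits in a section nothing references. The sample configs and the section names `default_conf` and `ssl_sect` are constructed for illustration.

```python
import re

# TLS protocol names, weakest to strongest.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample: the thread's section appended with nothing pointing at it.
ORPHAN = "[system_default_sect]\nMinProtocol = TLSv1.0\n"
# Constructed sample: the same section reachable from the top of the file.
LINKED = ("openssl_conf = default_conf\n[default_conf]\nssl_conf = ssl_sect\n"
          "[ssl_sect]\nsystem_default = system_default_sect\n" + ORPHAN)

def parse_sections(text):
    """Parse openssl.cnf text into {section: {key: value}}; '' is the top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit_min_protocol(text, floor="TLSv1.2"):
    """Return (status, value); status is ok, weak, unknown, unset or orphan."""
    s = parse_sections(text)
    # Follow the reference chain from the top of the file to the defaults section.
    name = s[""].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = s.get(name, {}).get(key) if name else None
    if name is None or name not in s:
        # A MinProtocol line may exist, but no chain leads to its section.
        found = [v["MinProtocol"] for v in s.values() if "MinProtocol" in v]
        return ("orphan", found[0]) if found else ("unset", None)
    value = s[name].get("MinProtocol")
    if value is None:
        return ("unset", None)
    # The thread writes "TLSv1.0"; treat that spelling as TLS 1.0 for the audit.
    norm = "TLSv1" if value == "TLSv1.0" else value
    if norm not in ORDER:
        return ("unknown", value)
    return ("weak" if ORDER.index(norm) < ORDER.index(floor) else "ok", value)

if __name__ == "__main__":
    for label, cfg in (("orphan", ORPHAN), ("linked", LINKED)):
        print(label, audit_min_protocol(cfg))
```
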

Krzmbrzl commented 4 years ago

@frakier I think you should try to contact the host of east1.mmo-mumble.com nonetheless and ask them to update. Their version of Mumble is indeed ancient and as TredwellGit already pointed out: Using versions that old does come with a (significant) security risk for both: The server-hosters and their clients.

frakier commented 4 years ago

@Krzmbrzl the one at east1.mmo-mumble.com is not mine. My brother's server is the one we use 99.9 % of the time anyway, I'm going to update my brother's version next chance I get [probably this Friday evening]. For now it works if it is needed. east1.mmo-mumble.com is more a backup it is hardly ever used. Knowing all I have to do is un-comment some config to get on east1.mmo-mumble.com if I really need to is good enough.

Krzmbrzl commented 4 years ago

Yeah I got that - but if you have a way of contacting the admin/owner of that server, it'd probably be a good idea to do so. That's what I meant :)

frakier commented 4 years ago

Right now I'm looking into why my win10 machine allows the 1.0 because from what I understand that should not be happening either. May be time for a rebuild on that machine as well, only reason I stumbled onto this for linux was a rebuild upgrade last weekend

TredwellGit commented 4 years ago

> Right now I'm looking into why my win10 machine allows the 1.0 because from what I understand that should not be happening either.

My guess is that because Mumble uses an ancient version of OpenSSL on Windows in order to support Windows XP. I really dislike this because it means supporting end of life platforms at the expense of security. This is also why Mumble on Windows 10 does not use TLS 1.3. See https://github.com/mumble-voip/mumble/issues/4001.

Updating Mumble on Windows to OpenSSL 1.1.1.g should be reconsidered.

davidebeatrici commented 4 years ago

Mumble 1.4.x is built with the new environment, the first snapshot is coming this week.

TredwellGit commented 4 years ago

While that is appreciated, I am talking about OpenSSL on 1.3.x.

Krzmbrzl commented 4 years ago

> I am talking about OpenSSL on 1.3.x.

For that there will be no update of the dependencies as this would mean recompiling the entire environment (which is a real PITA). Given that 1.4.x is coming, this effort doesn't really make sense.

WBTMagnum commented 3 years ago

JFTR: I just posted a workaround to connect with Mumble 1.3.x on Focal to a legacy server here: https://github.com/mumble-voip/mumble/issues/4639#issuecomment-819307806

HTH