mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

Unable to connect to server #4639

Closed Namerian closed 3 years ago

Namerian commented 3 years ago

Describe the bug [using Ubuntu 20.04] I have installed mumble from the ppa (v1.3.3) and when I try to connect to a server I get the error: "This server is using an older encryption standard, and is no longer supported by modern versions of Mumble."

Steps to Reproduce see above

Desktop (please complete the following information):

Additional context (I was told that it works with v1.3.2 but I was unable to find that version for linux.)

Krzmbrzl commented 3 years ago

What version is the server running that you are trying to connect to? And on what OS & version?

This is most likely a problem of the server being too old and thus you get this error...

Namerian commented 3 years ago

The admin of the server did not answer so I gave up.

What is strange is that people with windows could connect with version 1.3.2 but I could not connect with v1.3.0.

Krzmbrzl commented 3 years ago

@Namerian the issue is most likely the used version of OpenSSL. The packaged version used in the windows client is most likely different (most likely older) from the version shipped with Ubuntu 20.04

Did you try to connect to a different server to see if that works?

Namerian commented 3 years ago

I was able to connect to another server, yes.

Krzmbrzl commented 3 years ago

Yep then this is definitely a server-side issue.

Unfortunately there is nothing that we can do about it. The only real solution is for the server to be upgraded.

Therefore I'll close this issue. Feel free to ask further questions though if you have any :)

rzr commented 3 years ago

The fallback option is to run an older client from a container or elsewhere, any suggestion?

Relate-to: https://github.com/mumble-voip/mumble/issues/4434

Krzmbrzl commented 3 years ago

@rzr you could also configure your Linux distribution's (or Docker image's) OpenSSL to allow older protocols as well (especially older TLS). I can never remember how that works though since I never needed it. Note however that this will pose a potential security risk.

WBTMagnum commented 3 years ago

I just had the same problem with a client running Mumble 1.3.4 on Ubuntu 20.04 and the server stuck with Murmur 1.2.17.

The problem is that Ubuntu (and possibly other distros) raised the security requirements for SSL. Therefore insecure and older protocols and ciphers are prohibited by default. As pointed out above, one could lower these requirements system-wide but this is not recommended for security reasons.

I found a compromise that uses a custom OpenSSL configuration with lower requirements only used to invoke mumble. Here's the config with basic documentation:

```
#
# OpenSSL config wrapper to enable lower cipher security level
# for legacy Mumble Servers (1.2.x) on Ubuntu 20.04 LTS
# and other systems with more restrictive SSL settings.
#
# Usage:
#  - Command line:
#    `OPENSSL_CONF=~/openssl-mumble-wrapper.cnf; mumble %u`
#  - Menu entry wrapper:
#    `bash -c "export OPENSSL_CONF=~/openssl-mumble-wrapper.cnf; mumble %u"`
# Note: This assumes that this configuration file is located
# in the user's home directory.
#

# Set configuration default
openssl_conf = default_conf

# Include systems main configuration file
# Note: location of cnf file might differ on other distributions.
.include /etc/ssl/openssl.cnf

# Define configuration with reduced security level
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
```

Drop this into your home directory and invoke the following command to start mumble with lower ciphers enabled: `OPENSSL_CONF=~/openssl-mumble-wrapper.cnf; mumble %u`

That way I was able to connect Mumble 1.3.4 on Ubuntu 20.04 LTS with the legacy Murmur server. No downgrade required.

Hope that helps others.

Krzmbrzl commented 3 years ago

@WBTMagnum thanks for sharing this :+1:

From my understanding of shell scripts I think that export actually makes the change persist outside of the current session as well. Thus in order to really restrict this to that particular Mumble invocation, I think you should leave out the export like so:

```
OPENSSL_CONF=~/openssl-mumble-wrapper.cnf; mumble %u
```

Have you tested that?

WBTMagnum commented 3 years ago

@Krzmbrzl Thanks for the input. I just tested this.

In fact the export is not necessary for the command line invocation. I therefore updated my comment above. IMHO the export would not do much harm, since the value is only changed for the current shell's environment.

For the menu entry, the export is required. But since it's spawned within a separate bash process, that should be ok.

epilimic commented 1 year ago

@WBTMagnum Hey, so in trying your solution I'm getting hung up on launching it specifically for mumble. If I edit my /etc/ssl/openssl.cnf and change the last line from DEFAULT:@SECLEVEL=2 to 1 it works, but launching mumble with the command you posted doesn't. I've got the openssl-mumble-wrapper.cnf file in my home folder where it should be and everything appears to be set correctly, but I still get the error trying to connect to a server.

Any ideas? Running linux mint 21.1

WBTMagnum commented 1 year ago

> Any ideas? Running linux mint 21.1

  1. Could be the custom configuration is not applied. You could try adding the "export" again or use the absolute path instead of ~.
  2. Maybe MinProtocol is set too high in the custom configuration. You could try commenting that out. If that helps, reduce gradually.

Nothing else comes to mind at the moment.
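An added example, not part of the thread: it checks which of the invocation forms discussed above actually put `OPENSSL_CONF` into the environment of the launched program, and whether the setting leaks back into the calling shell. A `sh -c` child stands in for `mumble`, and the path in `CNF` is a constructed placeholder.

```shell
#!/bin/sh
# Constructed placeholder for the wrapper config path used in the thread.
CNF="/home/user/openssl-mumble-wrapper.cnf"

# Stand-in for `mumble`: a child process that reports the OPENSSL_CONF
# it inherited, or "unset" if nothing was passed to it.
REPORT='printf "%s" "${OPENSSL_CONF:-unset}"'

# Each function runs in a subshell "( ... )" that starts with a clean slate.

# "VAR=value; cmd": the semicolon makes this two commands. The first sets a
# plain shell variable that is not exported, so the child does not inherit it.
form_semicolon() ( unset OPENSSL_CONF; OPENSSL_CONF="$CNF"; sh -c "$REPORT" )

# "VAR=value cmd": the assignment is a prefix of the command and is placed
# in that one child's environment only.
form_prefix() ( unset OPENSSL_CONF; OPENSSL_CONF="$CNF" sh -c "$REPORT" )

# "export VAR=value; cmd": every later child of this shell inherits it.
form_export() ( unset OPENSSL_CONF; export OPENSSL_CONF="$CNF"; sh -c "$REPORT" )

# After the prefix form, the calling shell itself is unchanged.
parent_after_prefix() (
  unset OPENSSL_CONF
  OPENSSL_CONF="$CNF" sh -c :
  printf '%s' "${OPENSSL_CONF:-unset}"
)

# An export inside a separate shell process (the menu-entry wrapper pattern)
# ends with that process and never reaches the caller.
parent_after_child_export() (
  unset OPENSSL_CONF
  sh -c "export OPENSSL_CONF='$CNF'"
  printf '%s' "${OPENSSL_CONF:-unset}"
)

for f in form_semicolon form_prefix form_export \
         parent_after_prefix parent_after_child_export; do
  printf '%-28s child/parent sees: %s\n' "$f" "$($f)"
done
```

The semicolon form only reaches the client if `OPENSSL_CONF` was already exported earlier in the same shell; the prefix form confines the reduced security level to the single launched process.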