Debian Bug report logs - #675424
libnet-ssleay-perl: Incorrect constant value for OP_NO_TLSv1_1

Package: libnet-ssleay-perl; Maintainer for libnet-ssleay-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libnet-ssleay-perl is src:libnet-ssleay-perl.

Reported by: John Jetmore <jj33@pobox.com>

Date: Fri, 1 Jun 2012 04:33:02 UTC

Severity: normal

Found in version libnet-ssleay-perl/1.48-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#675424; Package libnet-ssleay-perl. (Fri, 01 Jun 2012 04:33:05 GMT)

Acknowledgement sent to John Jetmore <jj33@pobox.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 01 Jun 2012 04:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: John Jetmore <jj33@pobox.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnet-ssleay-perl: Incorrect constant value for OP_NO_TLSv1_1
Date: Fri, 01 Jun 2012 00:19:45 -0400
Package: libnet-ssleay-perl
Version: 1.48-1
Severity: normal

While troubleshooting problems using the Net::SSLeay::OP_NO_TLSv1_1 constant
in a perl app, I came to realize that Net::SSLeay, as packaged in
libnet-ssleay-perl 1.48-1, does not return the proper constant value for
OP_NO_TLSv1_1.

I don't believe this is a bug in the openssl package, but it probably matters
that I have the debian openssl 1.0.1c-1 package installed.

Here are the relevant (correct) constants from /usr/include/openssl/ssl.h:
ssl.h:#define SSL_OP_NO_SSLv2                                   0x01000000L
ssl.h:#define SSL_OP_NO_SSLv3                                   0x02000000L
ssl.h:#define SSL_OP_NO_TLSv1                                   0x04000000L
ssl.h:#define SSL_OP_NO_TLSv1_2                                 0x08000000L
ssl.h:#define SSL_OP_NO_TLSv1_1                                 0x10000000L

Here is a quick-and-dirty perl script to dump Net::SSLeay's version of
these constants:
###########
jetmore@lappy-vm2:~$ cat t.pl
#!/usr/bin/perl

use Net::SSLeay;

foreach my $const (qw(OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1 OP_NO_TLSv1_2)) {
  printf("%13s %010x\n", $const, &{"Net::SSLeay::$const"}());
}
###########

Here is the output of the above program when run with the most recent debian
libnet-ssleay-perl (1.48-1):
###########
jetmore@lappy-vm2:~$ perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0000000400
OP_NO_TLSv1_2 0008000000
###########

As you can see, the value for OP_NO_TLSv1_1 is wrong.  This is a real problem:
all of the other constants perform as expected in real TLS connections; TLSv1_1
does not.

I do not believe this is a problem in upstream.  I downloaded Net-SSLeay-1.48 from
CPAN and compiled locally and it prints the correct TLSv1_1 constant:
###########
jetmore@lappy-vm2:~$ PERL5LIB=/home/jetmore/dev/lib/perl perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0010000000
OP_NO_TLSv1_2 0008000000
###########

These constants are pulled into SSLeay.so at build time I believe.  It feels like
libnet-ssleay-perl just needs to be rebuilt with the latest headers to correct the
problem.  Seems likely to be related to this change from openssl-1.0.1b-1
(http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_1.0.1c-1/changelog#version1.0.1b-1):
     - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
       can talk to servers supporting TLS 1.1 but not TLS 1.2

Thanks
--john

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnet-ssleay-perl depends on:
ii  libc6                       2.13-32
ii  libssl1.0.0                 1.0.1c-1
ii  perl                        5.14.2-11
ii  perl-base [perlapi-5.14.2]  5.14.2-11

libnet-ssleay-perl recommends no packages.

Versions of packages libnet-ssleay-perl suggests:
ii  perl [libmime-base64-perl]  5.14.2-11

-- no debconf information
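
The comparison made by hand in the report above, as an added example that is not part of the original report or of Net::SSLeay: it parses the ssl.h defines and the t.pl output quoted in the report, lists constants whose compiled-in value differs from the header, and shows which protocol-disable bits actually land in an options mask built from the binding's values. The function names are this example's own.

```python
import re

# Sample inputs copied from the report above (header defines, t.pl output
# from the packaged libnet-ssleay-perl 1.48-1).
SSL_H = """\
#define SSL_OP_NO_SSLv2                                   0x01000000L
#define SSL_OP_NO_SSLv3                                   0x02000000L
#define SSL_OP_NO_TLSv1                                   0x04000000L
#define SSL_OP_NO_TLSv1_2                                 0x08000000L
#define SSL_OP_NO_TLSv1_1                                 0x10000000L
"""
PACKAGED_DUMP = """\
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0000000400
OP_NO_TLSv1_2 0008000000
"""

def parse_header(text):
    """Map OP_* name -> value from '#define SSL_OP_* 0x...L' lines."""
    pat = re.compile(r"#define\s+SSL_(OP_\w+)\s+0x([0-9A-Fa-f]+)[UL]*")
    return {m.group(1): int(m.group(2), 16) for m in pat.finditer(text)}

def parse_dump(text):
    """Map OP_* name -> value from t.pl's '<name> <hex>' output lines."""
    pat = re.compile(r"^\s*(OP_\w+)\s+([0-9A-Fa-f]+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 16) for m in pat.finditer(text)}

def stale_constants(header, binding):
    """Constants whose compiled-in value differs from the installed header."""
    return {n: (header[n], v) for n, v in binding.items()
            if n in header and header[n] != v}

def honoured(requested, header, binding):
    """Names in `requested` whose header bit is really set in the mask an
    application builds by OR-ing the binding's values together."""
    mask = 0
    for name in requested:
        mask |= binding[name]
    return [n for n in requested if mask & header[n] == header[n]]

if __name__ == "__main__":
    hdr, bound = parse_header(SSL_H), parse_dump(PACKAGED_DUMP)
    for name, (want, got) in stale_constants(hdr, bound).items():
        print(f"{name}: header {want:#010x}, binding {got:#010x}")
    print("honoured:", honoured(list(bound), hdr, bound))
```

Against a live system, feed it `grep SSL_OP_NO_ /usr/include/openssl/ssl.h` and the output of t.pl instead of the embedded samples.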




Added blocking bug(s) of 675424: 675434 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jun 2012 07:03:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#675424; Package libnet-ssleay-perl. (Fri, 01 Jun 2012 07:09:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 01 Jun 2012 07:09:03 GMT)

Message #12 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: John Jetmore <jj33@pobox.com>, 675424@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#675424: libnet-ssleay-perl: Incorrect constant value for OP_NO_TLSv1_1
Date: Fri, 1 Jun 2012 09:07:07 +0200
Hi John

On Fri, Jun 01, 2012 at 12:19:45AM -0400, John Jetmore wrote:
> While troubleshooting problems using the Net::SSLeay::OP_NO_TLSv1_1 constant
> in a perl app, I came to realize that Net::SSLeay, as packaged in
> libnet-ssleay-perl 1.48-1, does not return the proper constant value for
> OP_NO_TLSv1_1.
[...]
> 
> These constants are pulled into SSLeay.so at build time I believe.  It feels like
> libnet-ssleay-perl just needs to be rebuilt with the latest headers to correct the
> problem.  Seems likely to be related to this change from openssl-1.0.1b-1
> (http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_1.0.1c-1/changelog#version1.0.1b-1):
>      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
>        can talk to servers supporting TLS 1.1 but not TLS 1.2

I can confirm that rebuilding the package against newest libssl-dev
solves that. I have asked release team if they could schedule a
rebuild [1].

 [1]: http://bugs.debian.org/675434 

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#675424; Package libnet-ssleay-perl. (Fri, 01 Jun 2012 07:09:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 01 Jun 2012 07:09:08 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 03 Jun 2012 05:45:10 GMT)

Notification sent to John Jetmore <jj33@pobox.com>:
Bug acknowledged by developer. (Sun, 03 Jun 2012 05:45:10 GMT)

Message #22 received at 675424-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: John Jetmore <jj33@pobox.com>, 675424-done@bugs.debian.org
Subject: Re: Bug#675424: libnet-ssleay-perl: Incorrect constant value for OP_NO_TLSv1_1
Date: Sun, 3 Jun 2012 07:41:25 +0200
Hi John

The rebuild was now scheduled on all architectures [1].

 [1]: https://buildd.debian.org/status/package.php?p=libnet-ssleay-perl

Thanks for reporting.

Regards,
Salvatore

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Jul 2012 07:38:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:32:26 2014; Machine Name: beach.debian.org