Debian Bug report logs - #675434
nmu: libnet-ssleay-perl_1.48-1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 1 Jun 2012 06:57:05 UTC

Severity: normal

Done: Cyril Brulebois <kibi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675434; Package release.debian.org. (Fri, 01 Jun 2012 06:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, Debian Release Team <debian-release@lists.debian.org>. (Fri, 01 Jun 2012 06:57:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nmu: libnet-ssleay-perl_1.48-1
Date: Fri, 01 Jun 2012 08:53:22 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: binnmu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Release Team

It was reported [1], that libnet-ssleay-perl does not report the
correct constant value for SSL_OP_NO_TLSv1_1. There was the following
change in openssl 1.0.1b-1:

 openssl (1.0.1b-1) unstable; urgency=high
 .
   * New upstream version
     - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
       can talk to servers supporting TLS 1.1 but not TLS 1.2
     - Drop rc4_hmac_md5.patch, applied upstream

 [1]: http://bugs.debian.org/675424

After rebuilding libnet-ssleay-perl the problem is fixed. Would it be
possible to schedule binnmu's for libnet-ssleay-perl?

nmu libnet-ssleay-perl_1.48-1 . ALL . -m "Rebuild for remap change for SSL_OP_NO_TLSv1_1 in openssl 1.0.1b-1"

Many thanks in advance,
Regards,
Salvatore

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash





Added indication that bug 675434 blocks 675424 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jun 2012 07:03:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675434; Package release.debian.org. (Fri, 01 Jun 2012 09:09:27 GMT) Full text and rfc822 format available.

Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 01 Jun 2012 09:09:28 GMT) Full text and rfc822 format available.

Message #12 received at 675434@bugs.debian.org (full text, mbox):

From: Cyril Brulebois <kibi@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 675434@bugs.debian.org
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
Date: Fri, 1 Jun 2012 11:07:44 +0200
Salvatore Bonaccorso <carnil@debian.org> (01/06/2012):
> It was reported [1], that libnet-ssleay-perl does not report the
> correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> change in openssl 1.0.1b-1:
> 
>  openssl (1.0.1b-1) unstable; urgency=high
>  .
>    * New upstream version
>      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
>        can talk to servers supporting TLS 1.1 but not TLS 1.2
>      - Drop rc4_hmac_md5.patch, applied upstream

Does it mean we're going to hit the same kind of issues next time
there's a similar change in openssl?

Mraw,
KiBi.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675434; Package release.debian.org. (Sat, 02 Jun 2012 07:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Jun 2012 07:03:03 GMT) Full text and rfc822 format available.

Message #17 received at 675434@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Cyril Brulebois <kibi@debian.org>
Cc: 675434@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
Date: Sat, 2 Jun 2012 08:59:22 +0200
Hi Cyril

Thanks for your reply!

(adding debian-perl list to the recipients, to have more comments if
needed)

On Fri, Jun 01, 2012 at 11:07:44AM +0200, Cyril Brulebois wrote:
> Salvatore Bonaccorso <carnil@debian.org> (01/06/2012):
> > It was reported [1], that libnet-ssleay-perl does not report the
> > correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> > change in openssl 1.0.1b-1:
> > 
> >  openssl (1.0.1b-1) unstable; urgency=high
> >  .
> >    * New upstream version
> >      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
> >        can talk to servers supporting TLS 1.1 but not TLS 1.2
> >      - Drop rc4_hmac_md5.patch, applied upstream
> 
> Does it mean we're going to hit the same kind of issues next time
> there's a similar change in openssl?

Yes, I think so: if openssl had such a change again, we would have a
similar issue again. If openssl changes constant values as for 1.0.1b,
then libnet-ssleay-perl would need a rebuild against this updated
openssl version.

However ...

In changes of openssl I read this:


----cut---------cut---------cut---------cut---------cut---------cut-----

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Letting be results in
     inability to disable specifically TLS 1.1 and in client context,
     in unlike event, limit maximum offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
     [Andy Polyakov]

----cut---------cut---------cut---------cut---------cut---------cut-----

So this might not affect only libnet-ssleay-perl? At least if one uses
SSL_OP_NO_TLSv1_1.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675434; Package release.debian.org. (Sat, 02 Jun 2012 12:34:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Jun 2012 12:34:31 GMT) Full text and rfc822 format available.

Message #22 received at 675434@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Cyril Brulebois <kibi@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 675434@bugs.debian.org
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
Date: Sat, 2 Jun 2012 14:21:35 +0200
On Fri, Jun 01, 2012 at 11:07:44AM +0200, Cyril Brulebois wrote:
> Salvatore Bonaccorso <carnil@debian.org> (01/06/2012):
> > It was reported [1], that libnet-ssleay-perl does not report the
> > correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> > change in openssl 1.0.1b-1:
> > 
> >  openssl (1.0.1b-1) unstable; urgency=high
> >  .
> >    * New upstream version
> >      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
> >        can talk to servers supporting TLS 1.1 but not TLS 1.2
> >      - Drop rc4_hmac_md5.patch, applied upstream
> 
> Does it mean we're going to hit the same kind of issues next time
> there's a similar change in openssl?

This change was made to make sure applications built against
1.0.0 can talk to a server that does TLS 1.1 but not TLS 1.2,
as the changelog says.  This is not something I like to change
again, since it will cause problems.

Everything built against 1.0.1 or 1.0.1a that cares about
SSL_OP_NO_TLSv1_1 should be rebuilt against 1.0.1b or later.
If using the defines from the 1.0.1 and 1.0.1a version,
but using 1.0.1b or later the SSL_OP_NO_TLSv1_1 will not have
any effect.


Kurt
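
The remap described in the quoted OpenSSL changelog and in Kurt's reply, worked through as an added example (not part of the thread and not OpenSSL or Net::SSLeay code). The three constants are the values quoted in the changelog; the `tls11_disabled` check is a simplified, assumed model of the library testing its own `SSL_OP_NO_TLSv1_1` bit, and the scenario table is constructed.

```c
#include <stdio.h>

/* Values quoted in the OpenSSL changelog entry cited in this thread. */
#define OP_ALL_1_0_0      0x80000FFFUL /* SSL_OP_ALL in 1.0.0 headers */
#define OP_NO_TLS11_OLD   0x00000400UL /* SSL_OP_NO_TLSv1_1 in 1.0.1, 1.0.1a */
#define OP_NO_TLS11_NEW   0x10000000UL /* SSL_OP_NO_TLSv1_1 in 1.0.1b and later */

/* Simplified model (assumption): the runtime library treats TLS 1.1 as
 * disabled when the bit *it* knows as SSL_OP_NO_TLSv1_1 is set in the
 * option word the application passed in. */
static int tls11_disabled(unsigned long app_options, unsigned long lib_bit)
{
    return (app_options & lib_bit) != 0;
}

struct scenario {
    const char *desc;
    unsigned long app_options; /* constant baked into the binary at build time */
    unsigned long lib_bit;     /* bit the runtime library actually tests */
    int intended;              /* did the application mean to disable TLS 1.1? */
};

/* Constructed scenarios: build-time headers versus runtime library. */
static const struct scenario scenarios[] = {
    {"built on 1.0.0, SSL_OP_ALL, runs on 1.0.1a", OP_ALL_1_0_0, OP_NO_TLS11_OLD, 0},
    {"built on 1.0.0, SSL_OP_ALL, runs on 1.0.1b", OP_ALL_1_0_0, OP_NO_TLS11_NEW, 0},
    {"built on 1.0.1a, NO_TLSv1_1, runs on 1.0.1b", OP_NO_TLS11_OLD, OP_NO_TLS11_NEW, 1},
    {"rebuilt on 1.0.1b, NO_TLSv1_1, runs on 1.0.1b", OP_NO_TLS11_NEW, OP_NO_TLS11_NEW, 1},
};

/* Returns 1 when runtime behaviour differs from what the application meant. */
static int mismatch(const struct scenario *s)
{
    return tls11_disabled(s->app_options, s->lib_bit) != s->intended;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++)
        printf("%-48s TLS1.1 disabled=%d intended=%d %s\n", scenarios[i].desc,
               tls11_disabled(scenarios[i].app_options, scenarios[i].lib_bit),
               scenarios[i].intended,
               mismatch(&scenarios[i]) ? "MISMATCH" : "ok");
    return 0;
}
```

The third row is the libnet-ssleay-perl case: the stale constant is silently ignored, so only a rebuild against the 1.0.1b headers restores the intended behaviour.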





Reply sent to Cyril Brulebois <kibi@debian.org>:
You have taken responsibility. (Sat, 02 Jun 2012 23:39:13 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Jun 2012 23:39:13 GMT) Full text and rfc822 format available.

Message #27 received at 675434-done@bugs.debian.org (full text, mbox):

From: Cyril Brulebois <kibi@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>, 675434-done@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
Date: Sun, 3 Jun 2012 01:34:05 +0200
Hi,

Kurt Roeckx <kurt@roeckx.be> (02/06/2012):
> This change was made to make sure applications built against
> 1.0.0 can talk to a server that does TLS 1.1 but not TLS 1.2,
> as the changelog says.  This is not something I like to change
> again, since it will cause problems.
> 
> Everything built against 1.0.1 or 1.0.1a that cares about
> SSL_OP_NO_TLSv1_1 should be rebuilt against 1.0.1b or later.
> If using the defines from the 1.0.1 and 1.0.1a version,
> but using 1.0.1b or later the SSL_OP_NO_TLSv1_1 will not have
> any effect.

do we have better ways to detect that than maintainers noticing and
pinging us? :/

Salvatore: done, thanks.

Mraw,
KiBi.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675434; Package release.debian.org. (Sat, 02 Jun 2012 23:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 02 Jun 2012 23:45:09 GMT) Full text and rfc822 format available.

Message #32 received at 675434@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Cyril Brulebois <kibi@debian.org>
Cc: 675434@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
Date: Sun, 3 Jun 2012 01:44:38 +0200
On Sun, Jun 03, 2012 at 01:34:05AM +0200, Cyril Brulebois wrote:
> Hi,
> 
> Kurt Roeckx <kurt@roeckx.be> (02/06/2012):
> > This change was made to make sure applications built against
> > 1.0.0 can talk to a server that does TLS 1.1 but not TLS 1.2,
> > as the changelog says.  This is not something I like to change
> > again, since it will cause problems.
> > 
> > Everything built against 1.0.1 or 1.0.1a that cares about
> > SSL_OP_NO_TLSv1_1 should be rebuilt against 1.0.1b or later.
> > If using the defines from the 1.0.1 and 1.0.1a version,
> > but using 1.0.1b or later the SSL_OP_NO_TLSv1_1 will not have
> > any effect.
> 
> do we have better ways to detect that than maintainers noticing and
> pinging us? :/

Scanning all reverse dependencies for that string?


Kurt





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Jul 2012 07:40:54 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:47:38 2014; Machine Name: beach.debian.org
