Package: release.debian.org
Severity: important
Tags: patch

Being the maintainer of netkit-ftp-ssl, I request an unblocking
of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload
successfully resolves bug #854460, of severity 'important'.

The problem is interoperability with TLS-able FTP servers, like
Proftpd, which mandate that the data connection reuse the session
identity set by the control channel.

The presently available version in testing, 0.17.34+0.2-3, is
not able to fetch files or get listings with TLS protection due
to an accidental inactivation of function SSL_copy_session_id().
This is a legacy function, not documented in any manual page,
and only mentioned in one file 'ssleay.txt' of the openssl archive.

The debdiff reactivates this function call, which was commented
out by me due to a misunderstanding. In addition, it turns out
to be decisive to forbid the use of libssl in version 1.1 for
the binary package. The reason is that libssl (>= 1.1.0)
only succeeds in reusing the session identity a single time,
yes really a single time, with the present unintrusive and
long-used solution. Therefore I had to change the build
dependency to read

    libssl1.0-dev | libssl-dev (<< 1.1.0~)

Both changes are necessary and they also lead to a package that
can be built directly in Wheezy without any changes, allowing
trivial backporting.

The packages netkit-ftp-ssl, linux-ftpd-ssl and netkit-telnet-ssl
have seen substantial improvement for certificate verification
and identification for this Debian release, but only the binary
ftp-ssl is affected by the present issue.

Best regards,
  Mats Erik Andersson, DM
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/changelog 
netkit-ftp-ssl-0.17.34+0.2/debian/changelog
--- netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-01-18 19:33:56.000000000 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/changelog 2017-02-08 18:39:46.000000000 
+0100
@@ -1,3 +1,14 @@
+netkit-ftp-ssl (0.17.34+0.2-4) unstable; urgency=medium
+
+  * Correctly reuse SSL session identity in data connection.
+    This suffices for libssl1.0, not for libssl1.1.  (Closes: #854460)
+    + debian/patches/700_prefer_tls.diff: Reactivate commented out
+      function call to SSL_copy_session_id().
+    + debian/control: Prefer libssl1.0-dev and condition libssl-dev
+      on "<< 1.1.0~" for trivial backporting.
+
+ -- Mats Erik Andersson <mats.anders...@gisladisker.se>  Wed, 08 Feb 2017 
18:39:46 +0100
+
 netkit-ftp-ssl (0.17.34+0.2-3) unstable; urgency=low
 
   * Allow verification mode to print additional details about the
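Review bot: the new changelog entry records the fix but not the symptom, and the clause "This suffices for libssl1.0, not for libssl1.1" does not say what goes wrong under 1.1; since this entry is what triagers of #854460 and future maintainers read first, the first bullet should state that TLS-protected transfers and listings failed against servers requiring session reuse on the data connection (ProFTPD in the report), and that with libssl >= 1.1.0 the reuse succeeds only for the first data connection, which is the reason for the Build-Depends change in the same upload.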
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/control 
netkit-ftp-ssl-0.17.34+0.2/debian/control
--- netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-01-10 15:37:21.000000000 
+0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/control   2017-02-08 18:30:50.000000000 
+0100
@@ -4,7 +4,7 @@
 Maintainer: Mats Erik Andersson <mats.anders...@gisladisker.se>
 Uploaders: Alberto Gonzalez Iniesta <a...@inittab.org>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl-dev 
| libssl1.0-dev
+Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, 
libssl1.0-dev | libssl-dev (<< 1.1.0~)
 
 Package: ftp-ssl
 Architecture: any
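Review bot: swapping the alternatives to `libssl1.0-dev | libssl-dev (<< 1.1.0~)` pins ftp-ssl to the OpenSSL 1.0 branch, but nothing in the packaging says why; put the reason (data-connection session reuse works only once with libssl >= 1.1.0, per the unblock request) in README.source or the header of 700_prefer_tls.diff and open a tracking bug, so that when libssl1.0-dev is eventually removed from the archive the resulting build failure points at a known issue rather than an unexplained version cap.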
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff 
netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff
--- netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff       
2017-01-18 19:33:41.000000000 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff       
2017-02-08 15:39:49.000000000 +0100
@@ -23,7 +23,7 @@
  .
 Author: Mats Erik Andersson <deb...@gisladisker.se>
 Forwarded: no
-Last-Update: 2017-01-18
+Last-Update: 2017-02-07
 
 diff -Naurp netkit-ftp-0.17.debian/ftp/cmds.c netkit-ftp-0.17/ftp/cmds.c
 --- netkit-ftp-0.17.debian/ftp/cmds.c  2016-12-23 00:05:51.820239257 +0100
@@ -190,20 +190,8 @@
  .Xr ftpd 8 ,
 diff -Naurp netkit-ftp-0.17.debian/ftp/ftp.c netkit-ftp-0.17/ftp/ftp.c
 --- netkit-ftp-0.17.debian/ftp/ftp.c   2016-12-23 00:05:52.380213160 +0100
-+++ netkit-ftp-0.17/ftp/ftp.c  2017-01-18 19:19:27.145786765 +0100
-@@ -1672,7 +1672,10 @@ dataconn(const char *lmode)
-            * this quick assuming Eric has this going
-            * okay! ;-)
-            */
--          SSL_copy_session_id(ssl_data_con,ssl_con);
-+          /* MEA: Do not use deterministic session identities
-+           * in a subordinate connection.
-+           */
-+          //SSL_copy_session_id(ssl_data_con,ssl_con);
- 
-           /* we are doing I/O and not using select so 
-            * it is "safe" to read ahead
-@@ -1686,12 +1689,17 @@ dataconn(const char *lmode)
++++ netkit-ftp-0.17/ftp/ftp.c  2017-02-07 23:35:32.871433587 +0100
+@@ -1686,12 +1686,17 @@ dataconn(const char *lmode)
  
            if ((ret=SSL_connect(ssl_data_con))<=0) {
                  static char errbuf[1024];
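Review bot: restoring `SSL_copy_session_id(ssl_data_con,ssl_con);` by dropping the commented-out block is correct, but the removed "MEA: Do not use deterministic session identities" comment shows this line has already been misread once, so the call should now carry a comment explaining its purpose: the data connection must present the control connection's TLS session because servers such as ProFTPD require it, which ties the data channel to the session the control channel already authenticated; the earlier concern does not apply since the session is the one issued by the server, not a value the client picks. Recording that next to the call in ftp.c is cheaper than rediscovering #854460.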
@@ -224,7 +212,7 @@
                fflush(stderr);
  
                /* abort time methinks ... */
-@@ -2111,16 +2119,50 @@ printbytes(off_t bytes)
+@@ -2111,16 +2116,50 @@ printbytes(off_t bytes)
  }
  
  #ifdef USE_SSL
@@ -279,7 +267,7 @@
            }
            if (n == ERROR) {           /* do normal USER/PASS */
                printf("SSL not available\n");
-@@ -2133,6 +2175,31 @@ ssl_init(void)
+@@ -2133,6 +2172,31 @@ ssl_init(void)
                }
            } else if (n == CONTINUE || n == COMPLETE ) {
                /* do SSL */
@@ -311,7 +299,7 @@
                ssl_con=(SSL *)SSL_new(ssl_ctx);
                if (!ssl_con) {
                    ERR_print_errors_fp(stderr);
-@@ -2142,37 +2209,60 @@ ssl_init(void)
+@@ -2142,37 +2206,60 @@ ssl_init(void)
                SSL_set_fd(ssl_con,fileno(cout));
                set_ssl_trace(ssl_con);
  
@@ -381,7 +369,7 @@
                    fflush(stderr);
                    ssl_active_flag=1;
                }
-@@ -2187,6 +2277,8 @@ ssl_init(void)
+@@ -2187,6 +2274,8 @@ ssl_init(void)
                    fprintf(stderr, "Data connection security level 
refused.\n");
                    return ERROR;
                }
