Your message dated Thu, 03 Sep 2009 12:47:18 +0000
with message-id <[email protected]>
and subject line Bug#380390: fixed in perdition 1.18~rc1-1
has caused the Debian Bug report #380390,
regarding perdition: Usage of ssl_ca_path does not work on incoming SSL connections
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
380390: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380390
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perdition
Version: 1.17-7
Severity: normal
Tags: patch
Perdition contains a programming error (or oversight) in the setup
routine for an incoming SSL connection:
[perdition/ssl.h, definition]
SSL_CTX *perdition_ssl_ctx(const char *ca_file, const char *ca_path,
                           const char *cert, const char *privkey,
                           const char *ca_chain_file, const char *ciphers);
[perdition/perdition.c]:
if(opt.ssl_mode & SSL_LISTEN_MASK) {
    ssl_ctx = perdition_ssl_ctx(NULL, NULL, opt.ssl_cert_file,
                                opt.ssl_key_file, opt.ssl_ca_chain_file,
                                opt.ssl_listen_ciphers);
As you can see, the parameters for the ca_file and the ca_path are unused
and thus incoming encrypted connections cannot be verified with either
a configured ssl_ca_file or a configured ssl_ca_path (normally
/etc/ssl/certs).
This is inconsistent with the documentation and also very confusing,
because on outgoing connections, ssl_ca_path is used.
My patch alters the function in the following way:
[perdition/perdition.c after patching]:
if(opt.ssl_mode & SSL_LISTEN_MASK) {
    ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path, opt.ssl_cert_file,
                                opt.ssl_key_file, opt.ssl_ca_chain_file,
                                opt.ssl_listen_ciphers);
After this modification, one only needs to set the ssl_ca_path option to
e.g. /etc/ssl/certs and perdition will work as intended.
This patch is tested on the mail system of Fachhochschule Gießen (Germany)
and works perfectly. Without this patch, _any_ user with a personal
X.509 certificate inside his MUA (Thunderbird for example) is unable to
connect to our perdition servers, because perdition is unable to find
the needed CA certs, because the SSL context is set up without the
correct path (/etc/ssl/certs/).
Example error message in that case:
Jul 28 18:32:10 mailserv perdition[1762]: Connect: 192.168.192.85->192.168.186.80
Jul 28 18:32:10 mailserv perdition[1762]: depth:1 cert:"/C=DE/O=Fachhochschule Giessen-Friedberg/CN=Fachhochschule Giessen-Friedberg CA-G01/[email protected]"
Jul 28 18:32:10 mailserv perdition[1762]: error: unable to get local issuer certificate
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: SSL_accept
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: no shared ciphers?
Jul 28 18:32:10 mailserv perdition[1762]: perdition_ssl_server_connection: perdition_ssl_connection
Jul 28 18:32:10 mailserv perdition[1762]: main: perdition_ssl_server_connection SSL
Jul 28 18:32:10 mailserv perdition[1762]: Fatal error establishing SSL connection to client
This is because perdition is unable to find the CA certs inside
/etc/ssl/certs, because the option ssl_ca_path is not passed to
perdition_ssl_ctx.
Please apply my patch and also send this upstream, as the original
author might be interested as well.
Regards,
Sven Hartge
--- perdition-1.17.orig/perdition/perdition.c
+++ perdition-1.17/perdition/perdition.c
@@ -405,7 +405,7 @@
&(opt.mangled_capability), opt.ssl_mode, tls_state);
if(opt.ssl_mode & SSL_LISTEN_MASK) {
- ssl_ctx = perdition_ssl_ctx(NULL, NULL, opt.ssl_cert_file,
+ ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path,
opt.ssl_cert_file,
opt.ssl_key_file, opt.ssl_ca_chain_file,
opt.ssl_listen_ciphers);
if(!ssl_ctx) {
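Review bot: as rendered in this mail the `+` line is wrapped, so `opt.ssl_cert_file,` shows up as an unchanged context line between the `-` and `+` lines; the header `@@ -405,7 +405,7 @@` only balances (seven lines on each side) if that token is the tail of the `+` line, so anyone applying the patch from the mail text should rejoin `+ ssl_ctx = perdition_ssl_ctx(opt.ssl_ca_file, opt.ssl_ca_path, opt.ssl_cert_file,` before running patch. On the change itself, the listen path now passes `opt.ssl_ca_file` and `opt.ssl_ca_path` where it hard-coded `NULL, NULL`: assuming both options are NULL when unset, installations that configure neither keep exactly the old behaviour, while installations that set them only to verify outgoing connections will now also have that CA store loaded into the listening context. That is the intended fix, but it is a behaviour change for the listener and deserves a line in the changelog and in the ssl_ca_file/ssl_ca_path entries of the documentation; the existing `if(!ssl_ctx)` check below still catches a context that fails to build at start-up.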
--- End Message ---
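The syslog excerpt in the report above is the symptom an operator sees when the listening SSL context has no CA store to build the client's chain from. The following Python script is an added example, not code from the bug report or from perdition: it groups perdition syslog lines by the process id in the `perdition[PID]:` prefix and classifies each failed handshake, so that an issuer that cannot be found in the CA store (the ssl_ca_path problem reported here) is told apart from a genuine cipher mismatch or some other failure. The log lines it runs on are constructed from the excerpt in the report, with two extra sessions added for contrast; the field layout `<timestamp> <host> perdition[<pid>]: <message>` and the use of the last logged `depth:N cert:"..."` line as the certificate whose issuer was not found are assumptions of this example.

```python
"""Classify failed perdition TLS handshakes from syslog (added example, not perdition code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the bug report: one client-cert
# handshake that failed for lack of the issuing CA (pid 1762), one connection
# that raised no error (pid 1763), and one that failed on ciphers (pid 1764).
SAMPLE_LOG = """\
Jul 28 18:32:10 mailserv perdition[1762]: Connect: 192.168.192.85->192.168.186.80
Jul 28 18:32:10 mailserv perdition[1762]: depth:1 cert:"/C=DE/O=Fachhochschule Giessen-Friedberg/CN=Fachhochschule Giessen-Friedberg CA-G01"
Jul 28 18:32:10 mailserv perdition[1762]: error: unable to get local issuer certificate
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: SSL_accept
Jul 28 18:32:10 mailserv perdition[1762]: __perdition_ssl_connection: no shared ciphers?
Jul 28 18:32:10 mailserv perdition[1762]: perdition_ssl_server_connection: perdition_ssl_connection
Jul 28 18:32:10 mailserv perdition[1762]: main: perdition_ssl_server_connection SSL
Jul 28 18:32:10 mailserv perdition[1762]: Fatal error establishing SSL connection to client
Jul 28 18:32:11 mailserv perdition[1763]: Connect: 192.168.192.90->192.168.186.80
Jul 28 18:32:12 mailserv perdition[1764]: Connect: 192.168.192.91->192.168.186.80
Jul 28 18:32:12 mailserv perdition[1764]: __perdition_ssl_connection: no shared ciphers?
Jul 28 18:32:12 mailserv perdition[1764]: Fatal error establishing SSL connection to client
"""

# Assumed line layout: "<Mon dd HH:MM:SS> <host> perdition[<pid>]: <message>".
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'perdition\[(?P<pid>\d+)\]: (?P<msg>.*)$')
DEPTH_RE = re.compile(r'^depth:(?P<depth>\d+) cert:"(?P<subject>[^"]*)"')

# Marker strings taken verbatim from the report's log excerpt.
ISSUER_MISSING = 'unable to get local issuer certificate'
NO_CLIENT_CERT = 'SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'
NO_SHARED_CIPHERS = 'no shared ciphers?'
FATAL = 'Fatal error establishing SSL connection to client'


def sessions_by_pid(text):
    """Return {pid: [message, ...]} in log order; lines from other daemons are skipped."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m['pid']].append(m['msg'])
    return out


def classify(msgs):
    """Give one verdict for the messages of a single perdition process.

    Only sessions that ended with the fatal line count as failures. The first
    OpenSSL-level error explains the failure; perdition's later guess
    ("no shared ciphers?") is printed after the real cause and must not win.
    """
    if FATAL not in msgs:
        return {'verdict': 'ok', 'detail': None}
    subjects = {}
    for msg in msgs:
        d = DEPTH_RE.match(msg)
        if d:
            subjects[int(d['depth'])] = d['subject']
    for msg in msgs:
        if ISSUER_MISSING in msg:
            # Chain building stopped: the issuer of the deepest logged
            # certificate is not in the listener's CA store, i.e. ca_file /
            # ca_path is unset, wrong, or the directory is not hashed.
            deepest = max(subjects) if subjects else None
            return {'verdict': 'issuer-not-in-ca-store',
                    'detail': subjects.get(deepest)}
        if NO_CLIENT_CERT in msg:
            return {'verdict': 'client-cert-rejected', 'detail': msg}
        if NO_SHARED_CIPHERS in msg:
            return {'verdict': 'cipher-mismatch', 'detail': msg}
    return {'verdict': 'unknown-handshake-failure', 'detail': msgs[-1]}


def audit(text):
    """Classify every perdition session found in a syslog excerpt."""
    return {pid: classify(msgs) for pid, msgs in sessions_by_pid(text).items()}


if __name__ == '__main__':
    for pid, result in audit(SAMPLE_LOG).items():
        print(pid, result['verdict'], result['detail'] or '')
```

Run against a real syslog, the `issuer-not-in-ca-store` verdict with the CA's subject as detail is the signature of this bug (or of an ssl_ca_path directory that has not been hashed with c_rehash), while `cipher-mismatch` without a preceding issuer error points at the ssl_listen_ciphers setting instead.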
--- Begin Message ---
Source: perdition
Source-Version: 1.18~rc1-1
We believe that the bug you reported is fixed in the latest version of
perdition, which is due to be installed in the Debian FTP archive:
perdition-ldap_1.18~rc1-1_i386.deb
to pool/main/p/perdition/perdition-ldap_1.18~rc1-1_i386.deb
perdition-mysql_1.18~rc1-1_i386.deb
to pool/main/p/perdition/perdition-mysql_1.18~rc1-1_i386.deb
perdition-odbc_1.18~rc1-1_i386.deb
to pool/main/p/perdition/perdition-odbc_1.18~rc1-1_i386.deb
perdition-postgresql_1.18~rc1-1_i386.deb
to pool/main/p/perdition/perdition-postgresql_1.18~rc1-1_i386.deb
perdition_1.18~rc1-1.diff.gz
to pool/main/p/perdition/perdition_1.18~rc1-1.diff.gz
perdition_1.18~rc1-1.dsc
to pool/main/p/perdition/perdition_1.18~rc1-1.dsc
perdition_1.18~rc1-1_i386.deb
to pool/main/p/perdition/perdition_1.18~rc1-1_i386.deb
perdition_1.18~rc1.orig.tar.gz
to pool/main/p/perdition/perdition_1.18~rc1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <[email protected]> (supplier of updated perdition package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 03 Sep 2009 22:39:24 +1000
Source: perdition
Binary: perdition perdition-ldap perdition-mysql perdition-odbc perdition-postgresql
Architecture: source i386
Version: 1.18~rc1-1
Distribution: unstable
Urgency: low
Maintainer: Simon Horman <[email protected]>
Changed-By: Simon Horman <[email protected]>
Description:
perdition - POP3 and IMAP4 Proxy server
perdition-ldap - Library to allow perdition to access LDAP based popmaps
perdition-mysql - Library to allow perdition to access MySQL based popmaps
perdition-odbc - Library to allow perdition to access ODBC based popmaps
perdition-postgresql - Library to allow perdition to access PostgreSQL based popmaps
Closes: 380390 395408 412151 473570 477159 500554 507414 513461
Changes:
perdition (1.18~rc1-1) unstable; urgency=low
.
* New Upstream
- Pass include '\0' in the length passed to yp_match() in the NIS module
Thanks to Robert Edmonds
(closes: #412151)
- Use ca_path and ca_file for incoming connections
Thanks to Sven Hartge
(closes: #380390)
- Fix buffer overflow in options logging code that caused
perdition to segfault on start-up if the ssl_mode string
supplied was greater than 26 characters long.
Thanks to Laurent Licour <[email protected]> for the fix.
(closes: #395408)
- Refer to libperditiondb_postgresql.so.0 in POSTGRESQL of perditiondb(5)
(closes: #507414)
- Don't accept STARTTLS command in imap4 mode if it hasn't been
enabled in the configuration.
(closes: #500554)
- Process subjectAltName fields
(closes: #513461)
- Support ldap v3
(closes: #473570)
- Support ldaps
(closes: #477159)
Checksums-Sha1:
525396463d5594e31edfc636807b49464c277e6c 1293 perdition_1.18~rc1-1.dsc
22ed02fd15fe22116bb175659e4a7bf0b5ecdd8f 635953 perdition_1.18~rc1.orig.tar.gz
78f2541ad79c1ccbc86e8d7d9098583a2a061595 323 perdition_1.18~rc1-1.diff.gz
b9b6e469ae337e6ebb4931d0bcc95879ee406e03 127608 perdition_1.18~rc1-1_i386.deb
bbe95690b00141cf8d24db429c831f4379849efa 29180 perdition-ldap_1.18~rc1-1_i386.deb
74610064bf71b98515e3bd224561dfb3cf181a4d 28366 perdition-mysql_1.18~rc1-1_i386.deb
b2e33b19f64bab6fd74186935318a0f631226d5d 27814 perdition-odbc_1.18~rc1-1_i386.deb
60330ee79beac3e20bec2adfb342afce069b5643 27866 perdition-postgresql_1.18~rc1-1_i386.deb
Checksums-Sha256:
ea2986d20f083e32be6390d4fe577f67c5ddabbed40aec7f4242e46cdc287bde 1293 perdition_1.18~rc1-1.dsc
d2faaab3d81957fcb3e0599d28d2768cca0ab40f29d503d38926d0ee9bc4c674 635953 perdition_1.18~rc1.orig.tar.gz
4208b7836465d39cd1071000c865db48d0f3e7fb750709b3b376d46f6aee2641 323 perdition_1.18~rc1-1.diff.gz
ab092a9efbc68032eb0887331847828a5c544670d42895c8cd876c364b2a778b 127608 perdition_1.18~rc1-1_i386.deb
4e7c88d931c79739e3dcc108b4569d34d12e07b124aa6f3556efe5bd7920dced 29180 perdition-ldap_1.18~rc1-1_i386.deb
b69e0aa7ca05abbcc3c3e06a536f63cc063a0dad44d9a04984e5e7145768f0df 28366 perdition-mysql_1.18~rc1-1_i386.deb
b7de2825f1822f7f11ffd82977ab2660a0cae8b5cb115722fc4e9fb80f4ec888 27814 perdition-odbc_1.18~rc1-1_i386.deb
debdb4b88226a9f80a8f7e8cd6af92f39c649120eaec6c33f0cbfdd8e1513cdc 27866 perdition-postgresql_1.18~rc1-1_i386.deb
Files:
9e4d7016ef5b396b915c80c0a3cd02dc 1293 mail optional perdition_1.18~rc1-1.dsc
37c5247cb6a2fdce84d8484a190e3f18 635953 mail optional perdition_1.18~rc1.orig.tar.gz
37c90f82bcec8cfaea83de0e84283d11 323 mail optional perdition_1.18~rc1-1.diff.gz
a64a680a723016d9f26467ffc45569ba 127608 mail optional perdition_1.18~rc1-1_i386.deb
763d16b33ae51d12169c3cdc9c44e783 29180 mail optional perdition-ldap_1.18~rc1-1_i386.deb
d21d87cb0ff5c7a137452196b7f1afa6 28366 mail optional perdition-mysql_1.18~rc1-1_i386.deb
57c7597caf8428ea61b4426876d3e69e 27814 mail optional perdition-odbc_1.18~rc1-1_i386.deb
0464e8ec315850e7132174a69d246f2c 27866 mail optional perdition-postgresql_1.18~rc1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqfukAACgkQA8ACPgVBDpeubQCfWIUEd9OFLzhwd05PH4vbc+mo
05AAoL3f1r82K8Ahl9nCEVnc2dcKDHT1
=6/+z
-----END PGP SIGNATURE-----
--- End Message ---