Your message dated Thu, 12 May 2022 11:20:14 +0000
with message-id <[email protected]>
and subject line Bug#871435: fixed in sofia-sip 
1.12.11+20110422.1+1e14eea~dfsg-2
has caused the Debian Bug report #871435,
regarding sofia-sip: please switch to SSLv23_… or TLS_…_method
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871435
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sofia-sip
Version: 1.12.11+20110422.1-2.1
Severity: important
User: [email protected]
Usertags: TLS1.0_1.1_removal

Your package uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means
it won't work because it provides TLS1.2. See also [0].
Please switch to
        SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()

or the recommended openssl 1.1+ functions:
        TLS_method() | TLS_server_method() | TLS_client_method()

as per man-page [1].
The code I identified, which probably needs to be replaced:
sofia-sip-1.12.11+20110422.1/libsofia-sip-ua/stun/stun.c
| static
| int stun_tls_callback(su_root_magic_t *m, su_wait_t *w, su_wakeup_arg_t *arg)
| {
|…
|   state = sd->sd_state;
|   switch (state) {
|   case stun_tls_connecting:
| 
|…
|     /* openssl initiation */
|     SSLeay_add_ssl_algorithms();
|     SSL_load_error_strings();
|     ctx = SSL_CTX_new(TLSv1_client_method());
|     self->sh_ctx = ctx;
| 
|     if (ctx == NULL) {
|       STUN_ERROR(errno, SSL_CTX_new);
|       stun_free_buffer(&msg_req->enc_buf);
|       return -1;
|     }
 
An example for replacing a TLSv1 only connection with any possible
version would look like this:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+  ctx = SSL_CTX_new(SSLv23_client_method());
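
Review bot: the `+` line leaves the lowest accepted protocol version to whatever the linked libssl allows, since SSLv23_client_method() negotiates any version the library supports. Consider following the existing `if (ctx == NULL)` check with SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) so the lower bound is set in stun.c rather than by the library build.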

If you want to use the openssl 1.1 function you need extra version
checks:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
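
Review bot: the added lines use four-space indentation and a space before the call parentheses (`SSL_CTX_new (TLS_client_method ())`), while the removed line and the quoted stun.c excerpt use two spaces and no space before `(`. Please match the file's existing style so the patch stays minimal and easy to refresh.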

Note that openssl is usually configured (at build time) to not
allow SSLv2 and SSLv3 connections. However, if upstream wants to be sure
to have it disabled, you can add this:

+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
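
Review bot: the guards look inverted: `#ifdef OPENSSL_NO_SSL3` and `#ifdef OPENSSL_NO_SSL2` apply the options only when the build headers already have the protocol compiled out, so a build against headers that still enable SSLv3 or SSLv2 sets nothing. To meet the stated goal, call SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) unconditionally after the ctx NULL check, or guard on the option macros themselves (`#ifdef SSL_OP_NO_SSLv3`) if older headers must still compile.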

to make sure it is not used for a connection even if the currently
installed libssl library supports it.

[0] https://lists.debian.org/msgid-search/[email protected]
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html

Sebastian

--- End Message ---
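
A maintainer can confirm that no fixed-version constructor is left in a source tree after applying such a patch. The following is an added example, not part of the bug report or of sofia-sip: the function names and the pattern are this example's own, the sample files are constructed, and the pattern goes beyond `TLSv1_client_method()` to the other fixed-version OpenSSL method constructors.

```shell
#!/bin/sh
# Added example: report calls to fixed-version OpenSSL method constructors.
# Function names are hypothetical; sample files below are constructed.

# Matches SSLv2_/SSLv3_/TLSv1_/TLSv1_1_/TLSv1_2_/DTLSv1_/DTLSv1_2_
# [client_|server_]method( but not the version-flexible SSLv23_*_method
# or TLS_*_method.
PINNED_RE='(^|[^A-Za-z0-9_])(SSLv[23]|D?TLSv1(_[12])?)(_client|_server)?_method[[:space:]]*\('

# find_pinned_tls_methods DIR
# Prints "file:line:source" for every hit in *.c / *.h under DIR.
# Exit status 0 if at least one call was found, 1 if the tree is clean.
find_pinned_tls_methods() {
    dir=${1:-.}
    # grep exits non-zero on "no match"; that is not an error here.
    hits=$(find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
               -exec grep -nHE "$PINNED_RE" {} + 2>/dev/null) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample tree: one file with the call quoted in the bug report,
# one with the two version-flexible replacements from the proposed patches.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' '    ctx = SSL_CTX_new(TLSv1_client_method());' > "$d/before.c"
    printf '%s\n' '    ctx = SSL_CTX_new(SSLv23_client_method());' \
                  '    ctx = SSL_CTX_new (TLS_client_method ());' > "$d/after.c"
    printf '%s\n' "$d"
}

# Stand-alone use: pass a source directory as the first argument.
if [ "$#" -gt 0 ]; then
    find_pinned_tls_methods "$1"
fi
```

The match is textual, so a call inside a comment or a disabled `#if` branch is reported too and needs a manual look.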
--- Begin Message ---
Source: sofia-sip
Source-Version: 1.12.11+20110422.1+1e14eea~dfsg-2
Done: Jonas Smedegaard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sofia-sip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated sofia-sip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 May 2022 13:00:05 +0200
Source: sofia-sip
Architecture: source
Version: 1.12.11+20110422.1+1e14eea~dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 871435
Changes:
 sofia-sip (1.12.11+20110422.1+1e14eea~dfsg-2) unstable; urgency=medium
 .
   [ Evangelos Ribeiro Tzaras ]
   * Update watchfile:
     + Prefix upstream version with next expected official release
   * Tighten changelog
   * Add ${misc:Depends} for binary packages
   * Split old changelog entries into separate file
   * Use pkg-kde-tools to track symbols
   * Add patch 1002 to use modern TLS methods;
     closes: bug#871435, thanks to Sebastian Andrzej Siewior
 .
   [ Jonas Smedegaard ]
   * tighten DEP-3 patch headers,
     and refresh with shortening quilt options
   * declare compliance with Debian Policy 4.6.1

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
