On Thu, Nov 02, 2017 at 02:01:50PM +0100, Antonio Ospite wrote:
> Package: sylpheed
> Version: 3.6.0-1
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
> see:
> https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
> https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423
>
> It's not clear if this decision is final and will affect the next Debian
> stable release; however, in the meantime, sylpheed in Debian unstable
> cannot connect to servers using older TLS protocol versions.
>
> Sylpheed gives this message when connecting to a server using TLSv1:
>
> (sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1,
> ret = -1 (error:1417118C:SSL routines:tls_process_server_hello:version too
> low)
>
> The OpenSSL error is:
>
> SSL routines:tls_process_server_hello:version too low
>
> I am attaching a patch to fix this behavior.
>
> I am not sure if this change should be in the official package, let me
> know what your opinion is on this matter.
It seems there's still no final word on #875423, so adding your patch as-is would be conditioned on the decision taken there. If the library recovers its ability to talk to older TLS servers by default, then this patch wouldn't be necessary.

Alternatively, if you want to take a more future-proof approach, a better patch can be done, one which allows users to explicitly select if they want to connect to servers with old protocol support only (a checkbox may be enough for this). By default such an option should be disabled, or maybe enabled now and disabled when those versions are effectively deprecated. A label near the checkbox explaining the dangers of enabling it may also be a good idea.

Anyway, whatever form the patch takes, I think it should be accepted by upstream, since it's a problem affecting Debian now, but it's going to affect other distributions and also upstream itself sooner or later.

regards,
--
Ricardo Mones
http://people.debian.org/~mones
«Ships are safe in harbor, but they were never meant to stay there.»
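The opt-in that Ricardo sketches above (strict TLS 1.2+ default, an explicit switch for old servers), shown as an added example that is not part of this thread or of sylpheed; it uses Python's `ssl` module on top of OpenSSL rather than sylpheed's C code, and the function names `make_client_context` and `server_version_accepted` are mine. `server_version_accepted` models, without a network, why the handshake in the report fails: the server's best version (TLSv1) falls below the client's minimum.

```python
import ssl
import warnings

# Assumed mapping for the OpenSSL "no explicit bound" sentinels, so the
# version window can be compared numerically.
_MIN_SENTINEL_AS = ssl.TLSVersion.TLSv1
_MAX_SENTINEL_AS = ssl.TLSVersion.TLSv1_3


def make_client_context(allow_legacy_tls: bool = False) -> ssl.SSLContext:
    """Client context for the 'allow old TLS servers' checkbox.

    Default (checkbox off): require TLS 1.2 or newer, which is what the
    Debian openssl package enforces. Checkbox on: lower the floor to
    TLS 1.0 for servers that offer nothing better. Certificate
    verification is left enabled either way; only the version floor moves.
    """
    ctx = ssl.create_default_context()  # verify certs, check hostnames
    if allow_legacy_tls:
        # Python >= 3.10 emits a DeprecationWarning for TLS 1.0/1.1 here;
        # that warning is the same message the checkbox label should carry.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_version_accepted(ctx: ssl.SSLContext,
                            server_best: ssl.TLSVersion) -> bool:
    """True if a server whose highest version is server_best can complete
    a handshake within ctx's [minimum_version, maximum_version] window.

    False with a TLSv1-only server and the strict context corresponds to
    OpenSSL's 'tls_process_server_hello:version too low' from the report.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _MIN_SENTINEL_AS
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _MAX_SENTINEL_AS
    return lo <= server_best <= hi


if __name__ == "__main__":
    strict, legacy = make_client_context(), make_client_context(True)
    for name, ctx in (("strict", strict), ("legacy", legacy)):
        ok = server_version_accepted(ctx, ssl.TLSVersion.TLSv1)
        print(f"{name}: TLSv1-only server ->", "ok" if ok else "version too low")
```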