Your message dated Thu, 31 Mar 2016 10:17:39 +0000 with message-id <e1alzfx-0003mc...@franck.debian.org> and subject line Bug#819231: Removed package(s) from unstable has caused the Debian Bug report #804334, regarding cone: FTBFS: Uses SSLv3 method to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 804334: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804334 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: cone Version: 0.89-1 Severity: serious Control: block 797926 by -1 Hi, ./tcpd/libcouriertls.c has this piece of code: ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL3") == 0 ? SSLv3_method(): protocol && strcmp(protocol, "SSL23") == 0 ? SSLv23_method(): TLSv1_method()); In unstable the SSLv3_method has just been removed. The SSLv23_* method can talk multiple version while SSLv3_* and TLSv_* only talk one. You have this in the documentation: ##NAME: TLS_PROTOCOL:0 # # TLS_PROTOCOL sets the protocol version. The possible versions # are: # # OpenSSL: # # SSL3 - SSLv3 # SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems) # TLS1 - TLS1 SSL23 also talks TLS 1.1 and TLS 1.2. It's the only method that supports multiple protocol versions. It's name might be confusing which is why it's been renamed in the master branch to TLS_*. Please stop using the version specific methods and just use the SSLv23_method(). If you want to use limit the versions that are supported please use SSL_(CTX_)set_options with something like SSL_OP_NO_SSLv3. I also noticed that you used: ssl_cipher_list="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"; Please note that that at least this causes it to prefer SSLv3 ciphers while there are TLS1.2 ciphers available that you might prefer instead. I suggest you remove the "SSLv3:TLSv1" part. And you might want to rename "!NULL" to "!eNULL". Kurt
--- End Message ---
--- Begin Message ---Version: 0.89-1+rm Dear submitter, as the package cone has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/819231 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Ansgar Burchardt (the ftpmaster behind the curtain)
--- End Message ---
