Bug#857436: libgnutls-openssl27: OpenSSL wrapper not exposing TLS 1.1/1.2 ciphers
Package: libgnutls-openssl27
Version: 3.5.10-1
Severity: important

Certain packages that rely on this OpenSSL wrapper library are unable to
connect using TLS 1.1/1.2 cipher suites. Even though the server (and the
client, when compiled against OpenSSL) supports the full array of TLS 1.1/1.2
ciphers, the package as provided seems to be limited to only TLS 1.0 ciphers.

An example is bug #842120 in package tf5.

tf5, when connecting using a version compiled manually against OpenSSL:
% Connected to server using cipher ECDHE-RSA-AES128-GCM-SHA256.

When connecting using the packaged version utilizing the OpenSSL wrapper:
% Connected to server using cipher RSA_AES_128_CBC_SHA1.

Given the progression toward the deprecation of TLS 1.0 (see NIST SP 800-52
Rev. 1), it would seem prudent to ensure that packages not written against
GnuTLS are still capable of their full function.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls-openssl27 depends on:
ii  libc6        2.24-9
ii  libgnutls30  3.5.10-1

libgnutls-openssl27 recommends no packages.

libgnutls-openssl27 suggests no packages.

-- no debconf information
Bug#842120: tf5: TLSv1.1/1.2 cipher suites not functioning
>> Justin Coffman writes:
>>
>> Package: tf5
>> Version: 5.0beta8-5+b1
>> Severity: important
>>
>> TinyFugue, when compiled from upstream source against OpenSSL, is
>> capable of the full set of expected ciphersuites (up to and including
>> TLSv1.2), such as those utilizing AES-GCM and EC Diffie-Hellman. The
>> version packaged in Debian, compiled against GnuTLS, is only capable
>> of SSLv3/TLSv1 negotiation, and only then with servers that do not
>> require (EC)DH negotiation. This could render the client unusable for
>> servers that enforce more modern security policies.
>>
>> TinyFugue when compiled against OpenSSL:
>> % Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.
>>
>> TinyFugue when compiled against GnuTLS, same site:
>> % Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.
>
> Unfortunately, it can't be compiled against OpenSSL and included in Debian
> since the licenses conflict. (Which is why it's built against
> GnuTLS.) It's GPL without any license exception, so such a package would be
> rejected by Debian ftpmaster.
>
> Sadly, upstream was contacted about this in the past and doesn't feel the
> problem warrants the effort required to correct this, so there's basically no
> chance that an OpenSSL build will be possible in Debian.
>
> Presumably there's some way to make GnuTLS negotiate the correct ciphers, but
> unfortunately I don't know what it is off-hand, and probably won't have time
> in the near future to do the necessary research. Patches welcome!
>
> --
> Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
>

I tried my hand at generating a patch, but the patched version didn't exhibit
behavior any different than current. I guess my GnuTLS-fu is not strong
enough.

The gotcha (I think) is in the way GnuTLS shims the SSLv23_client_method in
its OpenSSL compatibility layer. The only other available shim is
TLSv1_client_method, which seems to behave exactly the same way as it does
currently.
Bug#842120: tf5: TLSv1.1/1.2 cipher suites not functioning
Package: tf5
Version: 5.0beta8-5+b1
Severity: important

TinyFugue, when compiled from upstream source against OpenSSL, is capable of
the full set of expected ciphersuites (up to and including TLSv1.2), such as
those utilizing AES-GCM and EC Diffie-Hellman. The version packaged in Debian,
compiled against GnuTLS, is only capable of SSLv3/TLSv1 negotiation, and only
then with servers that do not require (EC)DH negotiation. This could render
the client unusable for servers that enforce more modern security policies.

TinyFugue when compiled against OpenSSL:
% Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.

TinyFugue when compiled against GnuTLS, same site:
% Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tf5 depends on:
ii  libc6                2.19-18+deb8u6
ii  libgnutls-openssl27  3.3.8-6+deb8u3
ii  libpcre3             2:8.35-3.3+deb8u4
ii  libtinfo5            5.9+20140913-1+b1
ii  zlib1g               1:1.2.8.dfsg-2+b1

tf5 recommends no packages.

Versions of packages tf5 suggests:
pn  spell

-- no debconf information
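Added example, not part of the original reports or of tf5/GnuTLS: a small Python check that reads tf5-style "Connected to ... using cipher ..." status lines and flags suites like the one in the report. It accepts both the OpenSSL (dash-separated) and GnuTLS (underscore-separated) spellings, assumes TLS 1.2-and-earlier suite names, and uses constructed sample lines; the function names are hypothetical.

```python
import re

# Constructed sample: the two status lines quoted in the report plus one
# unrelated line that must be ignored.
SAMPLE_LOG = """\
% Connected to (unnamed1) using cipher ECDHE-RSA-AES128-GCM-SHA256.
% Connected to (unnamed1) using cipher RSA_AES_128_CBC_SHA1.
% Some unrelated client message
"""

LINE_RE = re.compile(r"^% Connected to (.+?) using cipher ([A-Za-z0-9_-]+)\.$")
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20", "POLY1305"}
PFS_KX = {"ECDHE", "DHE", "EDH"}  # ephemeral key exchanges (EDH = old DHE name)


def classify(suite):
    """Classify a TLS <= 1.2 suite name in OpenSSL (A-B-C) or GnuTLS (A_B_C) style."""
    tokens = [t for t in re.split(r"[-_]", suite.upper()) if t]
    if tokens and tokens[0] == "TLS":
        tokens = tokens[1:]  # drop an optional TLS_ prefix
    aead = bool(AEAD_TOKENS & set(tokens))
    return {
        # OpenSSL omits the key exchange for plain RSA ("AES128-SHA"), so only
        # an explicit ephemeral prefix counts as forward secret.
        "forward_secret": bool(tokens) and tokens[0] in PFS_KX,
        "aead": aead,
        # AEAD suites and suites ending in SHA256/SHA384 are defined only for
        # TLS 1.2; a CBC-SHA1 suite can also be negotiated under TLS 1.0.
        "tls12_only": aead or (bool(tokens) and tokens[-1] in ("SHA256", "SHA384")),
    }


def audit(log_text):
    """Return (peer, suite, problems) for each connection line with a weak suite."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        peer, suite = m.groups()
        props = classify(suite)
        problems = [label for label, ok in (
            ("no forward secrecy", props["forward_secret"]),
            ("not AEAD", props["aead"]),
            ("suite does not require TLS 1.2", props["tls12_only"]),
        ) if not ok]
        if problems:
            findings.append((peer, suite, problems))
    return findings
```

Calling `audit(SAMPLE_LOG)` reports only the GnuTLS-wrapper connection, with all three problems listed.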
Bug#796752: IPv6 Nameservers
I've done a little bit more testing on this. Removing IPv6 nameservers from /etc/resolv.conf does seem to resolve this issue on my test system. I must have goofed the initial testing on that.
Bug#796752: libsres: could not bind to random port above [port]
Package: irssi
Version: 0.8.17-1
Severity: normal
Tags: ipv6

Dear Maintainer,

Starting irssi causes approximately ten lines of

20150823::16:55:28 libsres: could not bind to random port above 44300

to be displayed per server on initial connection. Port number is randomized
for each message. Connections to servers do succeed, after which no further
issue has been noted.

Seems to only occur on systems with a global IPv6 address.

The following do not affect/resolve the issue:
* Enabling/disabling IPv6 nameservers in /etc/resolv.conf
* Enabling/disabling irssi's "resolve_prefer_ipv6" setting.
* Enabling/disabling local firewall (iptables)

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages irssi depends on:
ii  libc6                        2.19-18
ii  libglib2.0-0                 2.42.1-1
ii  libncurses5                  5.9+20140913-1+b1
ii  libperl5.20                  5.20.2-3+deb8u1
ii  libssl1.0.0                  1.0.1k-3+deb8u1
ii  libtinfo5                    5.9+20140913-1+b1
ii  libval14                     2.0-1.1
ii  perl                         5.20.2-3+deb8u1
ii  perl-base [perlapi-5.20.1]   5.20.2-3+deb8u1

irssi recommends no packages.

Versions of packages irssi suggests:
pn  irssi-scripts

-- no debconf information