Bug#1011249:
I created this PR: https://salsa.debian.org/debian/cyrus-sasl2/-/merge_requests/11
Bug#1011249: cyrus-sasl2: broken DIGEST-MD5 with openssl3
Hi,

On Wed, May 18, 2022 at 6:34 PM Bastian Germann wrote:
> Should I take the upstream sasl patches which enable DIGEST-MD5 again or is

s/enable/fix/ :)

> it time to drop that mechanism, which is obsoleted by RFC6331 for 11 years?

It looks like upstream wants to obsolete DIGEST-MD5 and default it to "no" in 2.2.0: https://github.com/cyrusimap/cyrus-sasl/issues/726

There is also this comment from Howard (https://github.com/cyrusimap/cyrus-sasl/issues/665#issuecomment-931753459):

"""
As usual for deprecating/removing something like digestmd5, the replacement (SCRAM) should be in wide use before the actual deletion/removal.
"""

> What would I need to do on dropping it? An entry in NEWS, notifying the
> release team, something else?

Personally I think removing an authentication mechanism is a big deal, as its removal will break sites that use it during an upgrade. Definitely big flashy warnings are warranted.

In the meantime, I'll put up a PR with the minimal fix plus a new DEP8 test to catch the problem.
Bug#1011249: cyrus-sasl2: broken DIGEST-MD5 with openssl3
X-Debbugs-Cc: debian-de...@lists.debian.org

On 18.05.22 at 22:00 Andreas Hasenack wrote:
> cyrus-sasl2 2.1.28 has commit ... which makes it use openssl for RC4.
>
> debian/sid now has openssl3, which deprecated RC4 and made it part of the legacy provider. Which means that by default it won't be available, unless the application enables the legacy provider, or if said provider is enabled via a system-wide openssl configuration.
>
> Those two facts combined mean digest-md5, which uses RC4 if the SSF layer is set to use encryption, is currently unavailable to applications using the cyrus-sasl2 library, such as openldap:
> ...
> cyrus-sasl2 upstream landed[4] a few commits to address this and other things, among which:
> ...
> 4. https://github.com/cyrusimap/cyrus-sasl/pull/653/commits

Should I take the upstream sasl patches which enable DIGEST-MD5 again or is it time to drop that mechanism, which is obsoleted by RFC6331 for 11 years?

What would I need to do on dropping it? An entry in NEWS, notifying the release team, something else?

I would love to get some insight if anybody still uses DIGEST-MD5 or has an opinion about this.
Bug#1011249: cyrus-sasl2: broken DIGEST-MD5 with openssl3
Package: cyrus-sasl2
Version: 2.1.28+dfsg-5
Severity: normal

Dear maintainer,

cyrus-sasl2 2.1.28 has commit 8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6[1] which makes it use openssl for RC4.

debian/sid now has openssl3, which deprecated RC4 and made it part of the legacy provider. Which means that by default it won't be available, unless the application enables the legacy provider, or if said provider is enabled via a system-wide openssl configuration.

Those two facts combined mean digest-md5, which uses RC4 if the SSF layer is set to use encryption, is currently unavailable to applications using the cyrus-sasl2 library, such as openldap:

$ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 128
SASL data security layer installed.
Segmentation fault (core dumped)

With maxssf=0 it works, because it then does not use RC4:

$ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 0
dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth

This failure can also be seen in the, currently failing, python-bonsai DEP8 tests[2][3]:

tests/test_ldapconnection.py::test_bind_digest Fatal Python error: Segmentation fault

cyrus-sasl2 upstream landed[4] a few commits to address this and other things, among which:

- gracefully handle failed initializations. This removes the segfault, but the digest-md5 auth with ssf=128 still fails:
  https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/455417ad5d7da87d22590942a433939bdff986ca

- catch errors from EVP_Digest* functions (also related to openssl3):
  https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/a7db9c89738ea7b42d6cb6eac98d8afc2653de70

From https://github.com/cyrusimap/cyrus-sasl/pull/668/commits (still in PR state, not merged yet):

- Add support for loading the legacy provider. This restores digest-md5 auth with ssf set to encryption:
  https://github.com/cyrusimap/cyrus-sasl/pull/668/commits/4146861caed69ceebd16531fa12f89b5cb1edfa2

1. https://github.com/cyrusimap/cyrus-sasl/commit/8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6
2. https://ci.debian.net/packages/p/python-bonsai/unstable/amd64/
3. https://ci.debian.net/data/autopkgtest/unstable/amd64/p/python-bonsai/21862951/log.gz
4. https://github.com/cyrusimap/cyrus-sasl/pull/653/commits