Bug#871987: openssl breaks dovecot
> "CC" == Carlos Carvalho writes:

CC> Reverting the upgrade is messy (I run unstable). I tried to compile the
CC> packages removing the disable-tls1 disable-tls1_1 in CONFARGS but the build
CC> failed in the tests with

You can grab the deb files for version 1.1.0f-3 of openssl, libssl1.1,
libssl-dev and libssl-doc from any debian mirror.

Eg, files like:

   http://ftp-nyc.osuosl.org/debian/pool/main/o/openssl/libssl-dev_1.1.0f-3_amd64.deb

and use dpkg to install them.

Then run:

   :; apt-mark hold openssl libssl1.1 libssl-dev libssl-doc

to prevent them from upgrading past 1.1.0f-3.

I had to do that on my MXs, main web site and outgoing smtp machines.

-JimC
--
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
Bug#871987: openssl breaks dovecot
After this upgrade our mail server no longer accepts emails from the
American Physical Society, which publishes some of the more important
physics journals... This has been a significant problem for my colleagues
in the past 2 weeks, both for submitting articles for publication and for
refereeing submissions.

In this particular case I think accepting the old/broken versions is still
necessary.

Reverting the upgrade is messy (I run unstable). I tried to compile the
packages removing the disable-tls1 disable-tls1_1 in CONFARGS but the build
failed in the tests with

   Test Summary Report
   ---
   ../../test/recipes/40-test_rehash.t (Wstat: 256 Tests: 5 Failed: 1)
     Failed test: 4
     Non-zero exit status: 1
   Files=95, Tests=481, 34 wallclock secs ( 0.52 usr 0.12 sys + 30.14 cusr 2.84 csys = 33.62 CPU)
   Result: FAIL
   Makefile:153: recipe for target '_tests' failed
   make[3]: *** [_tests] Error 1
   make[3]: Leaving directory '/tmp/openssl-1.1.0f/build_static'
   Makefile:151: recipe for target 'tests' failed
   make[2]: *** [tests] Error 2
   make[2]: Leaving directory '/tmp/openssl-1.1.0f/build_static'
   debian/rules:80: recipe for target 'override_dh_auto_test-arch' failed
   make[1]: *** [override_dh_auto_test-arch] Error 2

Is there a simple way to fix this?
Bug#871987: openssl breaks dovecot
On 2017-08-16 07:46:14 [-0700], James Bottomley wrote:
> When you run a system for others, you don't get to dictate tools.

I do :)

> However, from the complaints it seems to be android 2.3.7 and any
> embedded system still using openssl 0.9.8, which must be using TLS 1.0

so basically everything old without any (security)support but still
functional. Let me see how we deal with this…

> James

Sebastian
Bug#871987: openssl breaks dovecot
On Wed, 2017-08-16 at 08:34 +0200, Sebastian Andrzej Siewior wrote:
> On 2017-08-14 10:46:04 [-0700], James Bottomley wrote:
> >
> > Just a me too on this: on upgrade, both dovecot and a stunnel based
> > web application got broken for an older android client.
> > Downgrading to 1.1.0f-3 fixes the problem for both dovecot and
> > stunnel4
>
> So what are we talking about? Android 4 and the internal mail and web
> client? What happens if you switch to firefox/chrome and k-9
> mail/blue mail?

When you run a system for others, you don't get to dictate tools.

However, from the complaints it seems to be android 2.3.7 and any
embedded system still using openssl 0.9.8, which must be using TLS 1.0

James
Bug#871987: openssl breaks dovecot
My perspective on this, from the client side, doing my routine sysadmin
work:

When disabling TLSv1 on a server, I'm no longer able to verify that using
openssl s_client -tls1, I get "s_client: Option unknown option -tls1".

Also I am unable to connect to some old servers supporting only TLSv1.

I came across both types of issues just in the past 24 hours. I can always
downgrade, or just use a stretch (or older) system for this minor task, but
it seems this issue could be rethought. I think hard-disabling at compile
time is a little too soon.

Thanks,
Gedalya
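
The check described in the message above (confirming that a server no longer accepts TLSv1 when the local `openssl s_client` has no `-tls1` option) can be done without linking against the local libssl at all. The following is an added example, not part of the thread: it sends a hand-built ClientHello and reads the server's first reply. It assumes a port that speaks TLS directly (such as IMAPS), sends no SNI or other extensions, and takes host and port from the command line.

```python
import os
import socket
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
# RSA and ECDHE-RSA CBC suites that are defined for TLS 1.0 through 1.2.
SUITES = (0xC013, 0xC014, 0x002F, 0x0035, 0x000A)

def client_hello(version):
    """Build one TLS record holding a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32)  # client_version, random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(reply, version):
    """Interpret the first bytes the server sent back."""
    if len(reply) >= 7 and reply[0] == 0x15:              # alert record
        return "rejected (alert %d)" % reply[6]
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        chosen = struct.unpack("!H", reply[9:11])[0]      # ServerHello version
        if chosen == version:
            return "accepted"
        return "rejected (server chose 0x%04x)" % chosen
    return "no TLS reply"

def probe(host, port, name, timeout=5.0):
    """Offer one protocol version to host:port and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(VERSIONS[name]))
        try:
            reply = sock.recv(64)
        except OSError:                                   # reset or timeout
            reply = b""
    return classify(reply, VERSIONS[name])

if __name__ == "__main__":
    import sys
    for name in VERSIONS:
        print(name, probe(sys.argv[1], int(sys.argv[2]), name))
```

A server whose libssl has TLS 1.0 compiled out is expected to answer the TLSv1 offer with alert 70 (protocol_version) rather than a ServerHello.
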
Bug#871987: openssl breaks dovecot
On 2017-08-14 10:46:04 [-0700], James Bottomley wrote:
> Just a me too on this: on upgrade, both dovecot and a stunnel based web
> application got broken for an older android client. Downgrading
> to 1.1.0f-3 fixes the problem for both dovecot and stunnel4

So what are we talking about? Android 4 and the internal mail and web
client? What happens if you switch to firefox/chrome and k-9 mail/blue
mail?

> James

Sebastian
Bug#871987: openssl breaks dovecot
Just a me too on this: on upgrade, both dovecot and a stunnel based web
application got broken for an older android client. Downgrading
to 1.1.0f-3 fixes the problem for both dovecot and stunnel4

James
Bug#871987: openssl breaks dovecot
On 2017-08-13 11:13:25 [+0200], Harald Dunkel wrote:
> Since the upgrade to 1.1.0f-4 I cannot read EMails via imap from
> my old ipad anymore (unless I disable encryption). Moving back to
> 1.1.0f-3 fixes the problem.

is blue mail working?

Sebastian
Bug#871987: openssl breaks dovecot
Package: libssl1.1
Version: 1.1.0f-4

Since the upgrade to 1.1.0f-4 I cannot read EMails via imap from
my old ipad anymore (unless I disable encryption). Moving back to
1.1.0f-3 fixes the problem.

imap server is dovecot 1:2.2.31-1.

Of course I know that tls 1.0 and 1.1 have been dropped on purpose,
but that was a bad idea. I won't throw my old devices away, just
because tls 1.1 is not as strong as 1.2. It's sufficiently safe for
daily use. Surely it is better than having no encryption at all.

Please reconsider. Tls 1.1 and older should be disabled by the
user in a config file.

Regards
Harri