Bug#871987: openssl breaks dovecot

2017-08-25 Thread James Cloos
> "CC" == Carlos Carvalho  writes:

CC> Reverting the upgrade is messy (I run unstable). I tried to compile the
CC> packages removing the disable-tls1 disable-tls1_1 in CONFARGS but the build
CC> failed in the tests with

You can grab the deb files for version 1.1.0f-3 of openssl, libssl1.1,
libssl-dev and libssl-doc from any Debian mirror.  E.g., files like:

http://ftp-nyc.osuosl.org/debian/pool/main/o/openssl/libssl-dev_1.1.0f-3_amd64.deb

and use dpkg to install them.

Then run:

  :; apt-mark hold openssl libssl1.1 libssl-dev libssl-doc

to prevent them from upgrading past 1.1.0f-3.

I had to do that on my MXs, main web site and outgoing smtp machines.

-JimC
-- 
James Cloos  OpenPGP: 0x997A9F17ED7DAEA6



Bug#871987: openssl breaks dovecot

2017-08-23 Thread Carlos Carvalho
After this upgrade our mail server no longer accepts emails from the American
Physical Society, which publishes some of the more important physics
journals... This has been a significant problem for my colleagues in the past 2
weeks, both for submitting articles for publication and for refereeing
submissions.

In this particular case I think accepting the old/broken versions is still
necessary.

Reverting the upgrade is messy (I run unstable). I tried to compile the
packages removing the disable-tls1 disable-tls1_1 in CONFARGS but the build
failed in the tests with

Test Summary Report
---
../../test/recipes/40-test_rehash.t (Wstat: 256 Tests: 5 Failed: 1)
  Failed test:  4
  Non-zero exit status: 1
Files=95, Tests=481, 34 wallclock secs ( 0.52 usr  0.12 sys + 30.14 cusr  2.84 csys = 33.62 CPU)
Result: FAIL
Makefile:153: recipe for target '_tests' failed
make[3]: *** [_tests] Error 1
make[3]: Leaving directory '/tmp/openssl-1.1.0f/build_static'
Makefile:151: recipe for target 'tests' failed
make[2]: *** [tests] Error 2
make[2]: Leaving directory '/tmp/openssl-1.1.0f/build_static'
debian/rules:80: recipe for target 'override_dh_auto_test-arch' failed
make[1]: *** [override_dh_auto_test-arch] Error 2

Is there a simple way to fix this?



Bug#871987: openssl breaks dovecot

2017-08-16 Thread Sebastian Andrzej Siewior
On 2017-08-16 07:46:14 [-0700], James Bottomley wrote:
> When you run a system for others, you don't get to dictate tools.
I do :)

>  However, from the complaints it seems to be android 2.3.7 and any
> embedded system still using openssl 0.9.8, which must be using TLS 1.0

so basically everything old without any (security)support but still
functional. Let me see how we deal with this…

> James

Sebastian



Bug#871987: openssl breaks dovecot

2017-08-16 Thread James Bottomley
On Wed, 2017-08-16 at 08:34 +0200, Sebastian Andrzej Siewior wrote:
> On 2017-08-14 10:46:04 [-0700], James Bottomley wrote:
> > 
> > Just a me too on this: on upgrade, both dovecot and a stunnel based
> > web application got broken for an older android client.
> >  Downgrading to 1.1.0f-3 fixes the problem for both dovecot and
> > stunnel4
> 
> So what are we talking about? Android 4 and the internal mail and web
> client? What happens if you switch to firefox/chrome and k-9
> mail/blue mail?

When you run a system for others, you don't get to dictate tools.
However, from the complaints it seems to be android 2.3.7 and any
embedded system still using openssl 0.9.8, which must be using TLS 1.0

James



Bug#871987: openssl breaks dovecot

2017-08-16 Thread Gedalya
My perspective on this, from the client side, doing my routine sysadmin work:

When disabling TLSv1 on a server, I'm no longer able to verify that using
openssl s_client -tls1; I get "s_client: Option unknown option -tls1".

Also I am unable to connect to some old servers supporting only TLSv1.

I came across both types of issues just in the past 24 hours.

I can always downgrade, or just use a stretch (or older) system for this minor
task, but it seems this issue could be rethought.

I think hard-disabling at compile time is a little too soon.

Thanks,

Gedalya
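
Added example, not part of the thread or of any poster's message: one way to check which protocol versions a server still accepts when the local `openssl s_client` has no `-tls1` option, by sending a hand-built ClientHello and reading the first reply record. The suite list, function names and sample replies are assumptions constructed for illustration.

```python
import os
import socket
import struct

VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
# CBC-SHA suites defined for every version from TLS 1.0 to 1.2 (assumed probe set).
SUITES = (0xC014, 0xC013, 0x0035, 0x002F, 0x000A)

def client_hello(version):
    """Build a minimal, extension-less ClientHello offering exactly `version`."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32)  # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record layer: type 22 (handshake), legacy record version 3.1, length.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def classify(reply, offered):
    """Interpret the first record the server sent back."""
    if len(reply) < 7:
        return ("rejected", "connection closed")
    if reply[0] == 0x15:                                  # alert: level, description
        return ("rejected", ALERTS.get(reply[6], "alert %d" % reply[6]))
    if reply[0] == 0x16 and reply[5] == 0x02 and len(reply) >= 11:  # ServerHello
        chosen = struct.unpack("!H", reply[9:11])[0]
        return ("accepted" if chosen == offered else "downgraded", chosen)
    return ("rejected", "unexpected reply")

def probe(host, port, name, timeout=5.0):
    """Offer one version to an implicit-TLS port (e.g. 993); STARTTLS is not handled."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(VERSIONS[name]))
        return classify(sock.recv(4096), VERSIONS[name])

# Constructed sample replies (not captured from any real server).
SAMPLE_ALERT = bytes.fromhex("15030100020246")            # fatal protocol_version
SAMPLE_HELLO = bytes.fromhex("160301002a020000260301") + bytes(36)  # ServerHello, 3.1

if __name__ == "__main__":
    print(classify(SAMPLE_ALERT, VERSIONS["TLSv1.0"]))
    print(classify(SAMPLE_HELLO, VERSIONS["TLSv1.0"]))
```

A "downgraded" result means the server answered with a lower version than the one offered, which is how a TLS 1.0-only server replies to a TLS 1.2 offer.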



Bug#871987: openssl breaks dovecot

2017-08-16 Thread Sebastian Andrzej Siewior
On 2017-08-14 10:46:04 [-0700], James Bottomley wrote:
> Just a me too on this: on upgrade, both dovecot and a stunnel based web
> application got broken for an older android client.  Downgrading
> to 1.1.0f-3 fixes the problem for both dovecot and stunnel4

So what are we talking about? Android 4 and the internal mail and web
client? What happens if you switch to firefox/chrome and k-9 mail/blue
mail?

> James

Sebastian



Bug#871987: openssl breaks dovecot

2017-08-14 Thread James Bottomley
Just a me too on this: on upgrade, both dovecot and a stunnel based web
application got broken for an older android client.  Downgrading
to 1.1.0f-3 fixes the problem for both dovecot and stunnel4

James



Bug#871987: openssl breaks dovecot

2017-08-13 Thread Sebastian Andrzej Siewior
On 2017-08-13 11:13:25 [+0200], Harald Dunkel wrote:
> Since the upgrade to 1.1.0f-4 I cannot read emails via IMAP from
> my old iPad anymore (unless I disable encryption). Moving back to
> 1.1.0f-3 fixes the problem.
Is blue mail working?

Sebastian



Bug#871987: openssl breaks dovecot

2017-08-13 Thread Harald Dunkel
Package: libssl1.1
Version: 1.1.0f-4

Since the upgrade to 1.1.0f-4 I cannot read emails via IMAP from
my old iPad anymore (unless I disable encryption). Moving back to
1.1.0f-3 fixes the problem.

IMAP server is dovecot 1:2.2.31-1.

Of course I know that TLS 1.0 and 1.1 have been dropped on purpose,
but that was a bad idea. I won't throw my old devices away, just
because TLS 1.1 is not as strong as 1.2. It's sufficiently safe for
daily use. Surely it is better than having no encryption at all.

Please reconsider. TLS 1.1 and older should be disabled by the user
in a config file.

Regards
Harri