Bug#880571: sylpheed: cannot connect to servers using TLSv1 and TLSv1.1

2017-11-03 Thread Ricardo Mones
On Thu, Nov 02, 2017 at 02:01:50PM +0100, Antonio Ospite wrote:
> Package: sylpheed
> Version: 3.6.0-1
> Severity: normal
> Tags: patch
> 
> Dear Maintainer,
> 
> the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
> see:
> https://lists.debian.org/debian-devel-announce/2017/08/msg4.html
> https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423
> 
> It's not clear if this decision is final and will affect the next Debian
> stable release; however, in the meantime, sylpheed in Debian unstable
> cannot connect to servers using older TLS protocol versions.
> 
> Sylpheed gives this message when connecting to a server using TLSv1:
> 
>   (sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1, ret = -1 (error:1417118C:SSL routines:tls_process_server_hello:version too low)
> 
> The OpenSSL error is:
> 
>   SSL routines:tls_process_server_hello:version too low
> 
> I am attaching a patch to fix this behavior.
> 
> I am not sure if this change should be in the official package, let me
> know what your opinion is on this matter.

It seems there's still no final word on #875423, so adding your patch
as-is would be conditioned on the decision taken there. If the library
recovers its ability to talk to older TLS servers by default then
this patch wouldn't be necessary.

Alternatively, if you want to take a more future-proof approach, a
better patch can be done, one which allows users to explicitly select if
they want to connect to servers with old protocol support only (a
checkbox may be enough for this). By default such an option should be
disabled, or maybe enabled now and disabled when those versions are
effectively deprecated. A label near the checkbox explaining the dangers
of enabling it may also be a good idea.

Anyway, whatever the form the patch takes, I think it should be accepted
by upstream, since it's a problem affecting Debian now, but it's going
to affect other distributions and also upstream itself sooner or later.

regards,
-- 
 Ricardo Mones
 http://people.debian.org/~mones
 «Ships are safe in harbor, but they were never meant to stay there.»
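As an added illustration (not code from this thread, from sylpheed or from Debian), the Python below uses the stdlib ssl module, whose minimum_version setter wraps the same OpenSSL SSL_CTX_set_min_proto_version() call the attached patch uses, to decode the `version too low` warning quoted above and to model the opt-in legacy-TLS checkbox the maintainer suggests. SAMPLE_WARNING is a constructed copy of the reported log line; the checkbox, the verdict strings and all function names are assumptions.

```python
import re
import ssl

# Constructed copy of the LibSylph warning from the bug report, unwrapped.
SAMPLE_WARNING = ("(sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with "
                  "error 1, ret = -1 (error:1417118C:SSL routines:"
                  "tls_process_server_hello:version too low)")

# OpenSSL 1.1 format: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^)\n]+)")


def parse_openssl_error(line):
    """Unpack the 32-bit code (8-bit library, 12-bit function, 12-bit reason)
    that OpenSSL 1.1 packs into the string, next to the textual fields."""
    m = OPENSSL_ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason_code": code & 0xFFF, "lib_name": m.group(2),
            "func_name": m.group(3), "reason": m.group(4).strip()}


def select_min_version(allow_legacy_tls):
    """Hypothetical 'allow TLS 1.0/1.1 servers' checkbox. Off keeps the TLS 1.2
    floor Debian's openssl now defaults to; on lowers it to TLS 1.0, never SSLv3."""
    return ssl.TLSVersion.TLSv1 if allow_legacy_tls else ssl.TLSVersion.TLSv1_2


def make_client_context(allow_legacy_tls=False):
    """Certificate-verifying client context. The minimum_version setter is
    Python's wrapper around the SSL_CTX_set_min_proto_version() the patch calls."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = select_min_version(allow_legacy_tls)
    return ctx


def diagnose(line, allow_legacy_tls=False):
    """Map the warning to a verdict: 'version too low' means the server's best
    offer is below the client floor that the preference currently selects."""
    err = parse_openssl_error(line)
    if err is None or err["reason"] != "version too low":
        return "other"
    return "server-below-tls1.0" if allow_legacy_tls else "legacy-option-needed"


if __name__ == "__main__":
    print(parse_openssl_error(SAMPLE_WARNING))
    print(diagnose(SAMPLE_WARNING), make_client_context().minimum_version.name)
```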




Bug#880571: sylpheed: cannot connect to servers using TLSv1 and TLSv1.1

2017-11-02 Thread Antonio Ospite
Package: sylpheed
Version: 3.6.0-1
Severity: normal
Tags: patch

Dear Maintainer,

the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg4.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423

It's not clear if this decision is final and will affect the next Debian
stable release; however, in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.

Sylpheed gives this message when connecting to a server using TLSv1:

  (sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1, ret = -1 (error:1417118C:SSL routines:tls_process_server_hello:version too low)

The OpenSSL error is:

  SSL routines:tls_process_server_hello:version too low

I am attaching a patch to fix this behavior.

I am not sure if this change should be in the official package, let me
know what your opinion is on this matter.

Thanks,
   Antonio

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sylpheed depends on:
ii  libassuan0  2.4.3-3
ii  libatk1.0-0  2.26.1-1
ii  libc6  2.24-17
ii  libcairo2  1.15.8-2
ii  libcompfaceg1  1:1.5.2-5+b2
ii  libdbus-1-3  1.12.0-1
ii  libdbus-glib-1-2  0.108-2
ii  libenchant1c2a  1.6.0-11.1
ii  libfontconfig1  2.12.3-0.2
ii  libfreetype6  2.8.1-0.1
ii  libgdk-pixbuf2.0-0  2.36.11-1
ii  libglib2.0-0  2.54.2-1
ii  libgpg-error0  1.27-4
ii  libgpgme11  1.9.0-6
ii  libgtk2.0-0  2.24.31-2
ii  libgtkspell0  2.0.16-1.1
ii  libldap-2.4-2  2.4.45+dfsg-1
ii  libpango-1.0-0  1.40.13-1
ii  libpangocairo-1.0-0  1.40.13-1
ii  libpangoft2-1.0-0  1.40.13-1
ii  libssl1.1  1.1.0f-5
ii  pinentry-gtk2  1.0.0-3

Versions of packages sylpheed recommends:
ii  aspell-it [aspell-dictionary]  2.4-20070901-0-2.1
ii  ca-certificates  20170717
ii  sylpheed-i18n  3.6.0-1
ii  xfonts-100dpi  1:1.0.4+nmu1
ii  xfonts-75dpi  1:1.0.4+nmu1

Versions of packages sylpheed suggests:
ii  bogofilter  1.2.4+dfsg1-10
pn  bsfilter
pn  claws-mail-tools
ii  curl  7.56.1-1
pn  jpilot
pn  sylpheed-doc

-- no debconf information
-- 
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
From 97235129beab0b3a23ec95db3e922321cdf43cf3 Mon Sep 17 00:00:00 2001
From: Antonio Ospite 
Date: Thu, 2 Nov 2017 13:37:53 +0100
Subject: [PATCH] libsylph/ssl.c: explicitly enable the supported protocol
 versions

The Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg4.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423

It's not clear if this decision is final and will affect the next Debian
stable release; however, in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.

Work around that by explicitly setting the minimum protocol versions.
---
 libsylph/ssl.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 84139250..61e770f8 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -132,6 +132,8 @@ void ssl_init(void)
debug_print(_("SSLv23 not available\n"));
} else {
debug_print(_("SSLv23 available\n"));
+   /* XXX workaround for Debian systems, see Debian bug #875423 */
+   SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, SSL3_VERSION);
if ((certs_file || certs_dir) &&
!SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file,
   certs_dir))
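Review bot: the floor chosen on the `SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, SSL3_VERSION);` line re-enables SSLv3 as well, which goes beyond what the commit message asks for (TLSv1 and TLSv1.1) and lowers the context below anything the bug report needs; TLS1_VERSION is the lowest value the stated goal justifies. The return value is also dropped: SSL_CTX_set_min_proto_version() returns 0 when the version cannot be set, so a `debug_print()` on that path, in the style of the surrounding "SSLv23 available" messages, would make a refused floor visible instead of silently keeping the library default. Since this call only exists from OpenSSL 1.1.0 onward, an upstream submission (as suggested in the maintainer's reply) would also need an OPENSSL_VERSION_NUMBER guard or the build breaks against older OpenSSL.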
@@ -144,6 +146,8 @@ void ssl_init(void)
debug_print(_("TLSv1 not available\n"));
} else {
debug_print(_("TLSv1 available\n"));
+   /* XXX workaround for Debian systems, see Debian bug #875423 */
+   SSL_CTX_set_min_proto_version(ssl_ctx_TLSv1, TLS1_VERSION);
/* disable SSLv2/SSLv3 */
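Review bot: the hunk is cut off right after the `/* disable SSLv2/SSLv3 */` context line, so the interaction between the new TLS1_VERSION floor and the existing option-based SSLv2/SSLv3 disabling that follows cannot be reviewed here; the two mechanisms overlap, and if ssl_ctx_TLSv1 is created with a TLSv1-only method the min-version call is a no-op, so a comment stating why both are kept would help the next reader. As in the first hunk the return value is unchecked, and the two contexts now receive different floors (SSL3_VERSION for ssl_ctx_SSLv23, TLS1_VERSION here) with nothing in the patch explaining the difference; using TLS1_VERSION for both, or deriving the value from a single user-facing preference as the maintainer proposes, would keep the behaviour consistent and make the "XXX workaround" comments unnecessary.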