Package: sylpheed
Version: 3.6.0-1
Severity: normal
Tags: patch
Dear Maintainer,
the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg4.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423
It's not clear if this decision is final and will affect the next Debian
stable release, however in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.
Sylpheed gives this message when connecting to a server using TLSv1:
(sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1, ret
= -1 (error:1417118C:SSL routines:tls_process_server_hello:version too low)
The OpenSSL error is:
SSL routines:tls_process_server_hello:version too low
I am attaching a patch to fix this behavior.
I am not sure if this change should be in the official package, let me
know what your opinion is on this matter.
Thanks,
Antonio
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8),
LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sylpheed depends on:
ii libassuan0 2.4.3-3
ii libatk1.0-0 2.26.1-1
ii libc62.24-17
ii libcairo21.15.8-2
ii libcompfaceg11:1.5.2-5+b2
ii libdbus-1-3 1.12.0-1
ii libdbus-glib-1-2 0.108-2
ii libenchant1c2a 1.6.0-11.1
ii libfontconfig1 2.12.3-0.2
ii libfreetype6 2.8.1-0.1
ii libgdk-pixbuf2.0-0 2.36.11-1
ii libglib2.0-0 2.54.2-1
ii libgpg-error01.27-4
ii libgpgme11 1.9.0-6
ii libgtk2.0-0 2.24.31-2
ii libgtkspell0 2.0.16-1.1
ii libldap-2.4-22.4.45+dfsg-1
ii libpango-1.0-0 1.40.13-1
ii libpangocairo-1.0-0 1.40.13-1
ii libpangoft2-1.0-01.40.13-1
ii libssl1.11.1.0f-5
ii pinentry-gtk21.0.0-3
Versions of packages sylpheed recommends:
ii aspell-it [aspell-dictionary] 2.4-20070901-0-2.1
ii ca-certificates20170717
ii sylpheed-i18n 3.6.0-1
ii xfonts-100dpi 1:1.0.4+nmu1
ii xfonts-75dpi 1:1.0.4+nmu1
Versions of packages sylpheed suggests:
ii bogofilter1.2.4+dfsg1-10
pn bsfilter
pn claws-mail-tools
ii curl 7.56.1-1
pn jpilot
pn sylpheed-doc
-- no debconf information
--
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it
A: Because it messes up the order in which people normally read text.
See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
>From 97235129beab0b3a23ec95db3e922321cdf43cf3 Mon Sep 17 00:00:00 2001
From: Antonio Ospite
Date: Thu, 2 Nov 2017 13:37:53 +0100
Subject: [PATCH] libsylph/ssl.c: explicitly enable the supported protocol
versions
X-Face: z*RaLf`X<@C75u6Ig9}{oW$H;1_\2t5)({*|jhM/Vb;]yA5\I~93>J<_`<4)A{':UrE
The Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg4.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423
It's not clear if this decision is final and will affect the next Debian
stable release, however in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.
Work around that by explicitly setting the minimum protocol versions.
---
libsylph/ssl.c | 4
1 file changed, 4 insertions(+)
diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 84139250..61e770f8 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -132,6 +132,8 @@ void ssl_init(void)
debug_print(_("SSLv23 not available\n"));
} else {
debug_print(_("SSLv23 available\n"));
+ /* XXX workaround for Debian systems, see Debian bug #875423 */
+ SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, SSL3_VERSION);
if ((certs_file || certs_dir) &&
!SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file,
certs_dir))
@@ -144,6 +146,8 @@ void ssl_init(void)
debug_print(_("TLSv1 not available\n"));
} else {
debug_print(_("TLSv1 available\n"));
+ /* XXX workaround for Debian systems, see Debian bug #875423 */
+ SSL_CTX_set_min_proto_version(ssl_ctx_TLSv1, TLS1_VERSION);
/* disable SSLv2/SSLv3 */