Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-11-20 Thread duck

Control: -1 severity important


Quack,

This problem is solved in unstable and should not prevent this package 
from entering testing.


\_o<

--
Marc Dequènes



Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-10-04 Thread peter green

> I literally poked that patch into debian/patches{/series}, quilt
> applied it and rebuilt, and it started working for me. Maybe there's
> something different about our configs?

Strange, that patch seems to slightly change how the hardcoded dh params are 
loaded, but it doesn't seem to change the size of them or anything.

It seems that more recently commit 6b3844987509517dad6e41391d9142b867266b8b 
ripped out the hardcoded dh parameters and replaced them with a system for 
loading them from files, but that seems too intrusive for a stable update.

I am just taking a flyby look at rc bugs, but if this was my package I would 
propose a patch replacing the hardcoded 1024 bit parameters with hardcoded 4096 
bit parameters as a minimally intrusive fix for stable.
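As an added check that is not code from the bip project or from anyone in this thread: the script below parses a PEM "DH PARAMETERS" block (the PKCS#3 structure `openssl dhparam` writes) with the standard library only, reports the bit length of the prime and flags it against an assumed 2048-bit minimum, so an operator can audit the parameters a server ships before clients start rejecting them. The two sample blocks are constructed numbers of the right size (not real safe primes), chosen to show a 1024-bit rejection next to a 4096-bit acceptance as in the replacement proposed above.

```python
# Added example (not bip's code): audit the prime size in a PKCS#3
# "DH PARAMETERS" PEM block with the standard library only.
import base64
import re

MIN_DH_BITS = 2048  # assumed threshold; smaller primes fail modern clients' policy

def _der_len(n):  # DER length: short form below 128, long form otherwise
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n):  # DER INTEGER, big-endian, leading 0x00 if the top bit is set
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def dh_params_pem(p, g=2):  # build a PEM block; used here only to construct samples
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):  # SEQUENCE { INTEGER p, INTEGER g } -> (p, g)
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p, pos = _read_tlv(seq, 0)
    tag_g, g, _ = _read_tlv(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def check_dh_params(pem, minimum=MIN_DH_BITS):  # -> (bits of p, meets minimum?)
    bits = parse_dh_params(pem)[0].bit_length()
    return bits, bits >= minimum

# Constructed samples: correct bit length only, NOT real safe primes.
WEAK_PEM = dh_params_pem((1 << 1023) | 1)    # 1024-bit, like the hardcoded params
STRONG_PEM = dh_params_pem((1 << 4095) | 1)  # 4096-bit, the proposed replacement
```

Point `check_dh_params` at the contents of a real parameters file to get its bit length and a pass/fail against the threshold.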



Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-10-04 Thread Antonio Terceiro
Control: unblock 907015 by -1

On Sat, Sep 29, 2018 at 06:53:27PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-08-29 11:38:54 [-0600], dann frazier wrote:
> > > > error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small
> > > > 
> > > > I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
> > > > that just cherry-picking the following commit back to bip 0.8.9 seems to be
> > > > sufficient:
> > > > 
> > > >   39414f8 Handle OpenSSL version 1.1
> > > 
> > > I just tried backporting commit 39414f8 to the bip version in stretch,
> > > and it doesn't really fix the issue. There is probably some other commit
> > > that is needed.
> > 
> > I literally poked that patch into debian/patches{/series}, quilt
> > applied it and rebuilt, and it started working for me. Maybe there's
> > something different about our configs?

I'm not sure. I just tried it again with the same results. My config
file is attached, with just the sensitive parts obscured. It doesn't
seem to have anything related to this.

In the end, I solved my personal problem by building a backport of the
version in testing, and that just works.

> May I ask what the problem here is? It looks like the DH key is less than
> 1024 bits in size. This is not per se an openssl problem but "policy"
> (which could be changed, but I suggest updating the key instead).

The problem is between clients with libssl 1.1.1 and bip from stable.
bip uses keys that are too small, which are rejected by default by those
clients due to the new default policy.

> If there is anything that needs to be fixed in bip in order to work
> (like missing SNI) then I would add a versioned BREAK to #907015 (after
> an upload so please let me know).

Since this is a problem between openssl on the client and bip on the
server, adding a Breaks: does not really help with anything.

> Otherwise I would unblock this bug with #907015.

Yes, I don't think it makes sense to block openssl on this; the version
of bip in testing/unstable is OK.

ip = "0.0.0.0";
port = 1;

client_side_ssl = true;
client_side_ssl_pem = "/var/lib/bip/bip.pem";

log_level = 3;

pid_file = "/var/run/bip/bip.pid";
log_root = "/var/log/bip/";

backlog_lines = 0;        # number of lines in backlog, 0 means no limit
backlog_msg_only = true;  # only include useful content in backlog

network {
    name = "oftc";
    ssl = true;
    server { host = "irc.oftc.net"; port = 6697; };
};

network {
    name = "freenode";
    ssl = true;
    server { host = "irc.freenode.net"; port = 6697; };
};

network {
    name = "gimpnet";
    ssl = true;
    server { host = "irc.gimp.org"; port = 6697; };
};

user {
    name = "terceiro";
    password = "";

    ssl_check_mode = "ca";
    ssl_check_store = "/etc/ssl/certs";

    default_nick = "terceiro";
    default_user = "terceiro";
    default_realname = "Antonio Terceiro";

    connection {
        name = "oftc";          # used by bip only
        network = "oftc";       # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY ";
    };

    connection {
        name = "freenode";      # used by bip only
        network = "freenode";   # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY ";
    };

    connection {
        name = "gimpnet";       # used by bip only
        network = "gimpnet";    # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY ";
    };
};

# vim: ft=conf




Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-09-29 Thread Sebastian Andrzej Siewior
On 2018-08-29 11:38:54 [-0600], dann frazier wrote:
> > > error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small
> > > 
> > > I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
> > > that just cherry-picking the following commit back to bip 0.8.9 seems to be
> > > sufficient:
> > > 
> > >   39414f8 Handle OpenSSL version 1.1
> > 
> > I just tried backporting commit 39414f8 to the bip version in stretch,
> > and it doesn't really fix the issue. There is probably some other commit
> > that is needed.
> 
> I literally poked that patch into debian/patches{/series}, quilt
> applied it and rebuilt, and it started working for me. Maybe there's
> something different about our configs?

May I ask what the problem here is? It looks like the DH key is less than
1024 bits in size. This is not per se an openssl problem but "policy"
(which could be changed, but I suggest updating the key instead).
If there is anything that needs to be fixed in bip in order to work
(like missing SNI) then I would add a versioned BREAK to #907015 (after
an upload, so please let me know).
Otherwise I would unblock this bug with #907015.

Sebastian



Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-08-29 Thread dann frazier
On Tue, Aug 28, 2018 at 09:53:58AM -0300, Antonio Terceiro wrote:
> On Thu, Aug 23, 2018 at 03:24:52PM -0600, dann frazier wrote:
> > Package: bip
> > Version: 0.8.9-1.1
> > Severity: normal
> > Tags: patch
> > 
> > I run bip on a stretch system, and connect to it from a hexchat client on
> > sid. After a recent upgrade of the client, which pulled in openssl 1.1,
> > hexchat began failing to connect to my server with the message:
> > 
> > error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small
> > 
> > I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
> > that just cherry-picking the following commit back to bip 0.8.9 seems to be
> > sufficient:
> > 
> >   39414f8 Handle OpenSSL version 1.1
> 
> I just tried backporting commit 39414f8 to the bip version in stretch,
> and it doesn't really fix the issue. There is probably some other commit
> that is needed.

I literally poked that patch into debian/patches{/series}, quilt
applied it and rebuilt, and it started working for me. Maybe there's
something different about our configs?



Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-08-28 Thread Antonio Terceiro
On Thu, Aug 23, 2018 at 03:24:52PM -0600, dann frazier wrote:
> Package: bip
> Version: 0.8.9-1.1
> Severity: normal
> Tags: patch
> 
> I run bip on a stretch system, and connect to it from a hexchat client on
> sid. After a recent upgrade of the client, which pulled in openssl 1.1,
> hexchat began failing to connect to my server with the message:
> 
> error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small
> 
> I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
> that just cherry-picking the following commit back to bip 0.8.9 seems to be
> sufficient:
> 
>   39414f8 Handle OpenSSL version 1.1

I just tried backporting commit 39414f8 to the bip version in stretch,
and it doesn't really fix the issue. There is probably some other commit
that is needed.




Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-08-24 Thread Antonio Terceiro
Control: severity -1 important

Hi,

I would like to reinforce the request for a stable update:

- according to the openssl maintainer, this is a security issue and
  should be fixed in stable

- without such fix, bip on stable will soon be unusable to any client
  using a recent enough openssl




Bug#907118: error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

2018-08-23 Thread dann frazier
Package: bip
Version: 0.8.9-1.1
Severity: normal
Tags: patch

I run bip on a stretch system, and connect to it from a hexchat client on
sid. After a recent upgrade of the client, which pulled in openssl 1.1,
hexchat began failing to connect to my server with the message:

error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small

I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
that just cherry-picking the following commit back to bip 0.8.9 seems to be
sufficient:

  39414f8 Handle OpenSSL version 1.1

Assuming this is the correct fix, could we get that incorporated in a
jessie update?

  -dann

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bip depends on:
ii  adduser    3.117
ii  libc6      2.27-5
ii  libssl1.1  1.1.1~~pre9-1
ii  lsb-base   9.20170808

bip recommends no packages.

bip suggests no packages.