Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2015-08-29 Thread Julien Cristau
On Wed, Dec 31, 2014 at 13:52:54 +0100, Kurt Roeckx wrote:

 I would like to disable SSLv3 by default in wheezy.  Attached is a
 debdiff.
 
 
 Kurt
 

 diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
 --- openssl-1.0.1e/debian/changelog   2014-10-15 19:45:48.0 +0200
 +++ openssl-1.0.1e/debian/changelog   2014-12-31 13:46:02.0 +0100
 @@ -1,3 +1,15 @@
 +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
 +
 +  * Disable SSLv3 by default.  It can be enabled again by calling
 +SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3.
 +It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
 +environment to anything.
 +This fixes the POODLE issue (CVE-2014-3566).
 +  * Fix CVE-2014-3569.  We're not affected by it since we don't build with
 +the no-ssl3 option (yet).
 +
 + -- Kurt Roeckx k...@roeckx.be  Wed, 31 Dec 2014 13:45:07 +0100
 +
  openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
  
* Fixes CVE-2014-3513

I'm ok with this in principle; the OPENSSL_ALLOW_SSLv3 environment
variable really ought to be documented though, at least in a
NEWS.Debian for libssl1.0.0.

Cheers,
Julien




Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2015-02-19 Thread Moritz Muehlenhoff
On Sun, Jan 18, 2015 at 11:59:05AM +0100, Moritz Mühlenhoff wrote:
 On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote:
  On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote:
   Control: tags -1 + moreinfo
   
   On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
I would like to disable SSLv3 by default in wheezy.
 
   Do we know how well other packages in wheezy cope with that? (I'm going
   to guess not as well as in jessie.)

We could make updated binaries available for testing and ask people
to run them for a while?

  One package that might be affected by this change is that python
  has a test suite that tries all possible combinations of settings
  and the test suite is probably going to fail because it's going to
  expect to be able to set up an SSLv3 connection.
 
 I will rebuild python in wheezy to check that.

A rebuild of python2.7 with a patched openssl went fine.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150219152907.gb32...@inutil.org



Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2015-01-18 Thread Moritz Mühlenhoff
On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote:
 On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote:
  Control: tags -1 + moreinfo
  
  On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
   I would like to disable SSLv3 by default in wheezy.

  Do we know how well other packages in wheezy cope with that? (I'm going
  to guess not as well as in jessie.)
 
 I have no reason to believe there is a difference between jessie
 and wheezy in how packages cope with SSLv3 being disabled.  Please
 note that this only affects the SSLv23_* methods and that it just
 sets SSL_OP_NO_SSLv3 by default now.  In jessie SSLv3 is just
 disabled, for wheezy I would change it to disabled by default
 with a way to turn it back on.

 What could break is that apache for instance will now disable
 SSLv3 by default even though the config file doesn't seem to
 indicate that it's disabled.  That could then result in it not
 working with some clients that do not support TLSv1 or newer.  But
 that is also already the case in jessie.
 
 One package that might be affected by this change is that python
 has a test suite that tries all possible combinations of settings
 and the test suite is probably going to fail because it's going to
 expect to be able to set up an SSLv3 connection.

I will rebuild python in wheezy to check that.

Cheers,
Moritz


Archive: https://lists.debian.org/20150118105905.GA8835@pisco.westfalen.local



Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2014-12-31 Thread Kurt Roeckx
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to disable SSLv3 by default in wheezy.  Attached is a
debdiff.


Kurt

diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog	2014-10-15 19:45:48.0 +0200
+++ openssl-1.0.1e/debian/changelog	2014-12-31 13:46:02.0 +0100
@@ -1,3 +1,15 @@
+openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
+
+  * Disable SSLv3 by default.  It can be enabled again by calling
+SSL_CTX_clear_options() or SSL_clear_options() with SSL_OP_NO_SSLv3.
+It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
+environment to anything.
+This fixes the POODLE issue (CVE-2014-3566).
+  * Fix CVE-2014-3569.  We're not affected by it since we don't build with
+the no-ssl3 option (yet).
+
+ -- Kurt Roeckx k...@roeckx.be  Wed, 31 Dec 2014 13:45:07 +0100
+
 openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
 
   * Fixes CVE-2014-3513
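Review bot: the distribution field `wheezy-security` in the new stanza at the top of this hunk does not fit a wheezy-pu request (the bug is filed against release.debian.org with usertag pu), and the thread below already flags it as confusing; it should read `wheezy`. The same stanza introduces the OPENSSL_ALLOW_SSLv3 environment override without saying where it is documented: a NEWS.Debian entry for libssl1.0.0 that states the new default and both ways of re-enabling SSLv3 (SSL_CTX_clear_options()/SSL_clear_options() with SSL_OP_NO_SSLv3, or the environment variable) would give an administrator whose legacy clients stop connecting something to find.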
diff -Nru openssl-1.0.1e/debian/patches/disable_sslv3.patch openssl-1.0.1e/debian/patches/disable_sslv3.patch
--- openssl-1.0.1e/debian/patches/disable_sslv3.patch	1970-01-01 01:00:00.0 +0100
+++ openssl-1.0.1e/debian/patches/disable_sslv3.patch	2014-12-31 13:41:07.0 +0100
@@ -0,0 +1,14 @@
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index d09bb7d..bc3cbc7 100644
+--- a/ssl/ssl_lib.c
 b/ssl/ssl_lib.c
+@@ -2060,6 +2060,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
+ 	 */
+ 	ret-options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++	if (getenv(OPENSSL_ALLOW_SSLv3) == NULL)
++		ret-options |= SSL_OP_NO_SSLv3;
++
+ 	return(ret);
+ err:
+ 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
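Review bot: the added `getenv(...) == NULL` test only checks that the variable exists, so an empty `OPENSSL_ALLOW_SSLv3=` re-enables SSLv3 exactly as `OPENSSL_ALLOW_SSLv3=1` does; that matches the changelog's "to anything", but it should be spelled out in the documentation so nobody expects `0` or `no` to keep the protocol off. The lookup also runs unconditionally inside SSL_CTX_new(), including in set-user-ID processes whose environment comes from an unprivileged caller; OpenSSL guards comparable lookups (RANDFILE in RAND_file_name()) with OPENSSL_issetugid(), and the same guard here would stop a caller's environment from lowering a privileged process's protocol floor. Because the bit is set before the context is returned, applications that explicitly call SSL_CTX_clear_options() with SSL_OP_NO_SSLv3 still get SSLv3 back, as the changelog promises.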
diff -Nru openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
--- openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch	1970-01-01 01:00:00.0 +0100
+++ openssl-1.0.1e/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch	2014-12-31 13:44:16.0 +0100
@@ -0,0 +1,44 @@
+From 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx k...@roeckx.be
+Date: Tue, 21 Oct 2014 20:45:15 +0200
+Subject: [PATCH] Keep old method in case of an unsupported protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
+the method to NULL.  We didn't used to do that, and it breaks things.  This is a
+regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
+method since the code is not able to deal with a NULL method at this time.
+
+CVE-2014-3569, PR#3571
+
+Reviewed-by: Emilia Käsper emi...@openssl.org
+---
+ ssl/s23_srvr.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 38960ba..858420d 100644
+--- a/ssl/s23_srvr.c
 b/ssl/s23_srvr.c
+@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s)
+ 	if ((type == 2) || (type == 3))
+ 		{
+ 		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+-s-method = ssl23_get_server_method(s-version);
+-		if (s-method == NULL)
++		const SSL_METHOD *new_method;
++		new_method = ssl23_get_server_method(s-version);
++		if (new_method == NULL)
+ 			{
+ 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ 			goto err;
+ 			}
++		s-method = new_method;
+ 
+ 		if (!ssl_init_wbio_buffer(s,1)) goto err;
+ 
+-- 
+2.1.4
+
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series	2014-10-15 19:30:33.0 +0200
+++ openssl-1.0.1e/debian/patches/series	2014-12-31 13:45:00.0 +0100
@@ -72,4 +72,5 @@
 Fix-for-SRTP-Memory-Leak.patch
 Fix-for-session-tickets-memory-leak.patch
 Fix-no-ssl3-configuration-option.patch
-
+disable_sslv3.patch
+Keep-old-method-in-case-of-an-unsupported-protocol.patch


Processed: Re: Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2014-12-31 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + moreinfo
Bug #774299 [release.debian.org] wheezy-pu: openssl: disable SSLv3 by default
Added tag(s) moreinfo.

-- 
774299: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774299
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Archive: https://lists.debian.org/handler.s.b774299.142003443220301.transcr...@bugs.debian.org



Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2014-12-31 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
 I would like to disable SSLv3 by default in wheezy.

Do we know how well other packages in wheezy cope with that? (I'm going
to guess not as well as in jessie.)

 Attached is a debdiff.

+openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium

That's at least confusing.

Regards,

Adam


Archive: https://lists.debian.org/1420034423.7476.41.ca...@adam-barratt.org.uk



Bug#774299: wheezy-pu: openssl: disable SSLv3 by default

2014-12-31 Thread Kurt Roeckx
On Wed, Dec 31, 2014 at 02:00:23PM +, Adam D. Barratt wrote:
 Control: tags -1 + moreinfo
 
 On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
  I would like to disable SSLv3 by default in wheezy.
 
 Do we know how well other packages in wheezy cope with that? (I'm going
 to guess not as well as in jessie.)

I have no reason to believe there is a difference between jessie
and wheezy in how packages cope with SSLv3 being disabled.  Please
note that this only affects the SSLv23_* methods and that it just
sets SSL_OP_NO_SSLv3 by default now.  In jessie SSLv3 is just
disabled, for wheezy I would change it to disabled by default
with a way to turn it back on.

What could break is that apache for instance will now disable
SSLv3 by default even though the config file doesn't seem to
indicate that it's disabled.  That could then result in it not
working with some clients that do not support TLSv1 or newer.  But
that is also already the case in jessie.

One package that might be affected by this change is that python
has a test suite that tries all possible combinations of settings
and the test suite is probably going to fail because it's going to
expect to be able to set up an SSLv3 connection.

  Attached is a debdiff.
 
 +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
 
 That's at least confusing.

Right, I should probably change that to wheezy instead.


Kurt


Archive: https://lists.debian.org/20141231154129.ga18...@roeckx.be
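Kurt's point above that the change only sets SSL_OP_NO_SSLv3 by default on the SSLv23_* methods, and the earlier worry that python's test suite expects to be able to set up an SSLv3 connection, both reduce to one question for whoever deploys the package: can a given context still negotiate SSLv3? The following is an added example, not code from the bug thread or from the openssl package. It is written in Python because Python's ssl module exposes the same SSL_CTX option bits (ssl.OP_NO_SSLv3 is SSL_OP_NO_SSLv3, and ctx.options reads SSL_CTX_get_options()), so the audit mirrors what the C side would check. It assumes Python 3.7 or later on a modern OpenSSL; the SSLv3 ClientHello bytes are constructed here for a local, socket-free probe and are not taken from the thread. The wheezy-only OPENSSL_ALLOW_SSLv3 escape hatch is deliberately not exercised: the probe verifies the end result instead of trusting the library default.

```python
"""Added example (not from Debian bug #774299 or the openssl package).

Python's ssl module sets the same SSL_CTX option bits the wheezy patch
toggles: ssl.OP_NO_SSLv3 is SSL_OP_NO_SSLv3 and ctx.options reads
SSL_CTX_get_options().  Assumes Python 3.7+ on a modern OpenSSL."""

import ssl


def build_server_context():
    """Server context whose SSLv3 policy is stated in the application itself.

    Leaving the decision to the library default means an operator can flip it
    back with OPENSSL_ALLOW_SSLv3 (the wheezy escape hatch) or with
    SSL_CTX_clear_options(); setting it here makes the policy explicit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3                 # the bit the wheezy patch sets by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # modern equivalent: a protocol floor
    return ctx


def audit_context(ctx):
    """Report whether SSLv3 could still be negotiated on a context.

    Either the SSL_OP_NO_SSLv3 bit or a protocol floor above SSLv3 disables it;
    this mirrors testing SSL_CTX_get_options(ctx) & SSL_OP_NO_SSLv3 in C."""
    op_no_sslv3 = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_above_sslv3 = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return {
        "op_no_sslv3": op_no_sslv3,
        "minimum_version": ctx.minimum_version.name,
        "sslv3_disabled": op_no_sslv3 or floor_above_sslv3,
    }


def sslv3_client_hello():
    """A constructed SSLv3 ClientHello (record layer + handshake message).

    Built for the local probe below; the all-zero client random is acceptable
    because the server rejects the hello on version before using it."""
    version = b"\x03\x00"                       # SSLv3 is protocol version 3.0
    body = (
        version
        + bytes(32)                             # client random (constructed)
        + b"\x00"                               # empty session id
        + b"\x00\x02" + b"\x00\x0a"             # one suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
        + b"\x01\x00"                           # compression methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake  # 22 = handshake record


def probe_legacy_hello(ctx, client_hello):
    """Feed a raw ClientHello to a server-side SSL object over memory BIOs and
    classify what the server did, without a socket or a certificate.

    A version rejection happens before certificate selection, so no key pair
    is needed for this particular check."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(client_hello)
    reason = None
    try:
        server.do_handshake()
        outcome = "completed"
    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
        outcome = "in_progress"     # hello accepted; server is waiting for more data
    except ssl.SSLError as exc:
        outcome = "rejected"        # fatal handshake error, e.g. unsupported protocol
        reason = exc.reason
    reply = outgoing.read()
    alert = None
    if len(reply) >= 7 and reply[0] == 0x15:   # 21 = alert record: [.., level, description]
        alert = {"level": reply[5], "description": reply[6]}   # description 70 = protocol_version
    return {"outcome": outcome, "reason": reason, "alert": alert}


if __name__ == "__main__":
    server_ctx = build_server_context()
    print("audit:", audit_context(server_ctx))
    print("SSLv3 hello:", probe_legacy_hello(server_ctx, sslv3_client_hello()))
```

Run against a context built elsewhere in an application, `audit_context()` gives the static answer and `probe_legacy_hello()` the behavioural one; a context that reports `sslv3_disabled` but answers the probe with `in_progress` would mean the option bits and the actual handshake disagree, which is the situation the thread's "how well do other packages cope" question is really about.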