[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1

Hi Cyril

Thanks for your reply!

(adding debian-perl list to the recipients, to have more comments if

On Fri, Jun 01, 2012 at 11:07:44AM +0200, Cyril Brulebois wrote:
> Salvatore Bonaccorso <carnil@debian.org> (01/06/2012):
> > It was reported [1], that libnet-ssleay-perl does not report the
> > correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> > change in openssl 1.0.1b-1:
> > 
> >  openssl (1.0.1b-1) unstable; urgency=high
> >  .
> >    * New upstream version
> >      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
> >        can talk to servers supporting TLS 1.1 but not TLS 1.2
> >      - Drop rc4_hmac_md5.patch, applied upstream
> Does it mean we're going to hit the same kind of issues next time
> there's a similar change in openssl?

Yes I think so if openssl would have again such a change, we will have
similar issue again. If openssl changes constant values as for 1.0.1b,
then libnet-ssleay-perl would need a rebuild against this updated
openssl version.

However ...

In changes of openssl I read this:


  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Letting be results in
     inability to disable specifically TLS 1.1 and in client context,
     in unlike event, limit maximum offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
     [Andy Polyakov]


So this might not affect only libnet-ssleay-perl? At least if one uses


Attachment: signature.asc
Description: Digital signature

Reply to: