Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1

To: Cyril Brulebois <kibi@debian.org>
Cc: 675434@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#675434: nmu: libnet-ssleay-perl_1.48-1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 2 Jun 2012 08:59:22 +0200
Message-id: <[🔎] 20120602065922.GA18423@elende>
Mail-followup-to: Cyril Brulebois <kibi@debian.org>, 675434@bugs.debian.org, debian-perl@lists.debian.org
In-reply-to: <20120601090744.GB6375@mraw.org>
References: <20120601065322.15581.36884.reportbug@elende.valinor.li> <20120601090744.GB6375@mraw.org>

Hi Cyril

Thanks for your reply!

(adding debian-perl list to the recipients, to have more comments if
needed)

On Fri, Jun 01, 2012 at 11:07:44AM +0200, Cyril Brulebois wrote:
> Salvatore Bonaccorso <carnil@debian.org> (01/06/2012):
> > It was reported [1], that libnet-ssleay-perl does not report the
> > correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> > change in openssl 1.0.1b-1:
> > 
> >  openssl (1.0.1b-1) unstable; urgency=high
> >  .
> >    * New upstream version
> >      - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
> >        can talk to servers supporting TLS 1.1 but not TLS 1.2
> >      - Drop rc4_hmac_md5.patch, applied upstream
> 
> Does it mean we're going to hit the same kind of issues next time
> there's a similar change in openssl?

Yes I think so if openssl would have again such a change, we will have
similar issue again. If openssl changes constant values as for 1.0.1b,
then libnet-ssleay-perl would need a rebuild against this updated
openssl version.

However ...

In changes of openssl I read this:


----cut---------cut---------cut---------cut---------cut---------cut-----

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Letting be results in
     inability to disable specifically TLS 1.1 and in client context,
     in unlike event, limit maximum offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
     [Andy Polyakov]

----cut---------cut---------cut---------cut---------cut---------cut-----

So this might not affect only libnet-ssleay-perl? At least if one uses
SSL_OP_NO_TLSv1_1.

Regards,
Salvatore

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: Re: What git repo?
Next by Date: Open tasks: clarification needed
Previous by thread: Re: What git repo?
Next by thread: Open tasks: clarification needed
Index(es):
- Date
- Thread