
Bug#854711: marked as done (unblock: netkit-ftp-ssl/0.17.34+0.2-4)



Your message dated Fri, 10 Feb 2017 17:58:06 +0000
with message-id <20170210175806.4x4rml5dhtx2jfm7@powdarrmonkey.net>
and subject line Re: Bug#854711: Unblocking package netkit-ftp-ssl, resolving #854460.
has caused the Debian Bug report #854711,
regarding unblock: netkit-ftp-ssl/0.17.34+0.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
854711: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854711
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: patch

Being the maintainer of netkit-ftp-ssl, I request an unblocking
of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload resolves
successfully the bug #854460 of severity 'important'.

The problem is interoperability with TLS-able FTP servers, like
Proftpd, which mandate that the data connection reuse the session
identity set by the control channel.

The presently available version in testing, 0.17.34+0.2-3, is
not able to fetch files or get listings with TLS protection due
to an accidental inactivation of function SSL_copy_session_id().
This is a legacy function, not documented in any manual page,
and only mentioned in one file 'ssleay.txt' of the openssl archive.

The debdiff reactivates this function call, which was commented
out by me due to a misunderstanding. In addition, it turns out
to be decisive to forbid the use of libssl in version 1.1 for
the binary package. The reason is that libssl (>= 1.1.0)
only succeeds in reusing the session identity a single time,
yes really a single time, with the present unintrusive and
long-used solution. Therefore I had to change the build
dependency to read

    libssl1.0-dev | libssl-dev (<< 1.1.0~)

Both changes are necessary and they lead also to a package that
can be built directly in Wheezy without any changes, allowing
trivial backporting.

The packages netkit-ftp-ssl, linux-ftpd-ssl and netkit-telnet-ssl
have seen substantial improvement for certificate verification
and identification for this Debian release, but only the binary
ftp-ssl is affected by the present issue.

Best regards,
  Mats Erik Andersson, DM
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/changelog netkit-ftp-ssl-0.17.34+0.2/debian/changelog
--- netkit-ftp-ssl-0.17.34+0.2/debian/changelog	2017-01-18 19:33:56.000000000 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/changelog	2017-02-08 18:39:46.000000000 +0100
@@ -1,3 +1,14 @@
+netkit-ftp-ssl (0.17.34+0.2-4) unstable; urgency=medium
+
+  * Correctly reuse SSL session identity in data connection.
+    This suffices for libssl1.0, not for libssl1.1.  (Closes: #854460)
+    + debian/patches/700_prefer_tls.diff: Reactivate commented out
+      function call to SSL_copy_session_id().
+    + debian/control: Prefer libssl1.0-dev and condition libssl-dev
+      on "<< 1.1.0~" for trivial backporting.
+
+ -- Mats Erik Andersson <mats.andersson@gisladisker.se>  Wed, 08 Feb 2017 18:39:46 +0100
+
 netkit-ftp-ssl (0.17.34+0.2-3) unstable; urgency=low
 
   * Allow verification mode to print additional details about the
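Review bot: The second line of the new entry, "This suffices for libssl1.0, not for libssl1.1", records a limitation without saying what actually fails. The unblock request states it precisely (with libssl >= 1.1.0 the session identity is reused only a single time), so put that observation into the entry. Someone reading the changelog alone will then understand why debian/control restricts libssl-dev to "<< 1.1.0~". A pointer to a follow-up bug for libssl1.1 support would also fit here, if one exists.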
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/control netkit-ftp-ssl-0.17.34+0.2/debian/control
--- netkit-ftp-ssl-0.17.34+0.2/debian/control	2017-01-10 15:37:21.000000000 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/control	2017-02-08 18:30:50.000000000 +0100
@@ -4,7 +4,7 @@
 Maintainer: Mats Erik Andersson <mats.andersson@gisladisker.se>
 Uploaders: Alberto Gonzalez Iniesta <agi@inittab.org>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl-dev | libssl1.0-dev
+Build-Depends: debhelper (>= 9), libeditline-dev, libncurses5-dev, libssl1.0-dev | libssl-dev (<< 1.1.0~)
 
 Package: ftp-ssl
 Architecture: any
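Review bot: The new alternative `libssl1.0-dev | libssl-dev (<< 1.1.0~)` in Build-Depends is the only visible safeguard against building with OpenSSL 1.1, and nothing in this debdiff enforces the same limit in the source. A rebuild outside the packaging toolchain would not be checked against it. Consider a compile-time guard on OPENSSL_VERSION_NUMBER in 700_prefer_tls.diff, close to the SSL_copy_session_id() call, plus a comment line in debian/control stating why the restriction exists, so that it is not relaxed by accident in a later dependency clean-up.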
diff -Nru netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff
--- netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff	2017-01-18 19:33:41.000000000 +0100
+++ netkit-ftp-ssl-0.17.34+0.2/debian/patches/700_prefer_tls.diff	2017-02-08 15:39:49.000000000 +0100
@@ -23,7 +23,7 @@
  .
 Author: Mats Erik Andersson <debian@gisladisker.se>
 Forwarded: no
-Last-Update: 2017-01-18
+Last-Update: 2017-02-07
 
 diff -Naurp netkit-ftp-0.17.debian/ftp/cmds.c netkit-ftp-0.17/ftp/cmds.c
 --- netkit-ftp-0.17.debian/ftp/cmds.c	2016-12-23 00:05:51.820239257 +0100
@@ -190,20 +190,8 @@
  .Xr ftpd 8 ,
 diff -Naurp netkit-ftp-0.17.debian/ftp/ftp.c netkit-ftp-0.17/ftp/ftp.c
 --- netkit-ftp-0.17.debian/ftp/ftp.c	2016-12-23 00:05:52.380213160 +0100
-+++ netkit-ftp-0.17/ftp/ftp.c	2017-01-18 19:19:27.145786765 +0100
-@@ -1672,7 +1672,10 @@ dataconn(const char *lmode)
- 	     * this quick assuming Eric has this going
- 	     * okay! ;-)
- 	     */
--	    SSL_copy_session_id(ssl_data_con,ssl_con);
-+	    /* MEA: Do not use deterministic session identities
-+	     * in a subordinate connection.
-+	     */
-+	    //SSL_copy_session_id(ssl_data_con,ssl_con);
- 
- 	    /* we are doing I/O and not using select so 
- 	     * it is "safe" to read ahead
-@@ -1686,12 +1689,17 @@ dataconn(const char *lmode)
++++ netkit-ftp-0.17/ftp/ftp.c	2017-02-07 23:35:32.871433587 +0100
+@@ -1686,12 +1686,17 @@ dataconn(const char *lmode)
  
  	    if ((ret=SSL_connect(ssl_data_con))<=0) {
                  static char errbuf[1024];
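Review bot: Dropping the dataconn() hunk at -1672 puts `SSL_copy_session_id(ssl_data_con,ssl_con);` back into effect, but leaves it with no explanation beyond the old "assuming Eric has this going okay" remark. The call was disabled once, with the comment "Do not use deterministic session identities in a subordinate connection", and the request notes that the function is undocumented, so the same misunderstanding can recur. Add a short comment, in the code or in the patch description, saying that servers which require the data connection to reuse the control channel's session depend on this call. Also record why the earlier concern does not apply, since the removed comment was the only place it was written down.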
@@ -224,7 +212,7 @@
  		fflush(stderr);
  
  		/* abort time methinks ... */
-@@ -2111,16 +2119,50 @@ printbytes(off_t bytes)
+@@ -2111,16 +2116,50 @@ printbytes(off_t bytes)
  }
  
  #ifdef USE_SSL
@@ -279,7 +267,7 @@
  	    }
  	    if (n == ERROR) {		/* do normal USER/PASS */
  		printf("SSL not available\n");
-@@ -2133,6 +2175,31 @@ ssl_init(void)
+@@ -2133,6 +2172,31 @@ ssl_init(void)
  		}
  	    } else if (n == CONTINUE || n == COMPLETE ) {
  		/* do SSL */
@@ -311,7 +299,7 @@
  		ssl_con=(SSL *)SSL_new(ssl_ctx);
  		if (!ssl_con) {
  		    ERR_print_errors_fp(stderr);
-@@ -2142,37 +2209,60 @@ ssl_init(void)
+@@ -2142,37 +2206,60 @@ ssl_init(void)
  		SSL_set_fd(ssl_con,fileno(cout));
  		set_ssl_trace(ssl_con);
  
@@ -381,7 +369,7 @@
  		    fflush(stderr);
  		    ssl_active_flag=1;
  		}
-@@ -2187,6 +2277,8 @@ ssl_init(void)
+@@ -2187,6 +2274,8 @@ ssl_init(void)
  		    fprintf(stderr, "Data connection security level refused.\n");
  		    return ERROR;
  		}

--- End Message ---
--- Begin Message ---
On Thu, Feb 09, 2017 at 07:28:55PM +0100, Mats Erik Andersson wrote:
> Being the maintainer of netkit-ftp-ssl, I request an unblocking
> of netkit-ftp-ssl in version 0.17.34+0.2-4. This upload resolves
> successfully the bug #854460 of severity 'important'.

Unblocked, thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
