
Bug#871661: marked as done (stretch-pu: package erlang-p1-tls/1.0.7-2+b1)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #871661,
regarding stretch-pu: package erlang-p1-tls/1.0.7-2+b1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
871661: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871661
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to update erlang-p1-tls in stretch to fix a regression from
jessie-backports to stretch regarding the use of ECDSA certificates with
ejabberd.
The regression happened because of the different openssl versions (1.0 vs. 1.1).
This is quite important as it makes all TLS enabled connections between ejabberd
and other servers or clients impossible when ECDSA certificates are deployed.

The added patch is based on upstream commits already present in testing.
It has been tested and verified to work on Stretch.

The output of `git diff debian/1.0.7-2 debian/1.0.7-2+deb9u1` is
attached.

Regards,
Philipp
diff --git a/debian/changelog b/debian/changelog
index 2bd0d6c..c9c215f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+erlang-p1-tls (1.0.7-2+deb9u1) stretch; urgency=medium
+
+  * Added backported upstream patch to "use openssl built-in function for
+    setting up ECDH curves" (Closes: 871264)
+    Thanks Adrien Dorsaz for reporting and providing the patch.
+
+ -- Philipp Huebner <debalance@debian.org>  Thu, 10 Aug 2017 15:37:09 +0200
+
 erlang-p1-tls (1.0.7-2) unstable; urgency=medium
 
   * Added erlang-base to Build-Depends
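Review bot: the "(Closes: 871264)" on the third added line omits the "#" that Debian changelogs conventionally carry ("Closes: #871264"); dpkg-parsechangelog accepts both spellings, but the conventional form is what most BTS tooling and reviewers expect, so it is worth adding. The version "1.0.7-2+deb9u1" with distribution "stretch" is the correct shape for a stable update, and naming the upstream commit hashes (they appear only in the patch header) in the changelog would make the provenance visible from apt-listchanges as well.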
diff --git a/debian/patches/backport-openssl-ecdh-curve-auto-selection.patch b/debian/patches/backport-openssl-ecdh-curve-auto-selection.patch
new file mode 100644
index 0000000..f7875f2
--- /dev/null
+++ b/debian/patches/backport-openssl-ecdh-curve-auto-selection.patch
@@ -0,0 +1,55 @@
+Backport upstream patch to "use openssl built-in function for setting up ECDH curves".
+
+This patch includes these upstream commits:
+
+commit 94101d38d965abd90012acd404922519a3295e55
+Author: Paweł Chmielowski <pchmielowski@process-one.net>
+Date:   Mon Jul 10 22:33:04 2017 +0200
+
+    Revert condition from last commit
+
+commit bffee501cd05be3511bbdc0c8f7ed78e36276d5a
+Author: Paweł Chmielowski <pchmielowski@process-one.net>
+Date:   Mon Jul 10 22:27:57 2017 +0200
+
+    SSL_CTX_set_ecdh_auto was available starting with openssl 1.0.2
+
+commit b9c17209cc4a9cf149f8a64903b4c2b46c125dac
+Author: Paweł Chmielowski <pchmielowski@process-one.net>
+Date:   Mon Jul 10 22:20:42 2017 +0200
+
+    Use openssl built-in function for setting up ECDH curves (thanks to user pitchum)
+    
+--- a/c_src/fast_tls_drv.c
++++ b/c_src/fast_tls_drv.c
+@@ -383,17 +383,7 @@
+ #ifndef OPENSSL_NO_ECDH
+ static void setup_ecdh(SSL_CTX *ctx)
+ {
+-   EC_KEY *ecdh;
+-
+-   if (SSLeay() < 0x1000005fL) {
+-      return;
+-   }
+-
+-   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+-   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+-   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+-
+-   EC_KEY_free(ecdh);
++   SSL_CTX_set_ecdh_auto(ctx, 1);
+ }
+ #endif
+ 
+@@ -951,6 +941,11 @@
+ }
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || OPENSSL_VERSION_NUMBER < 0x10002000
++#undef SSL_CTX_set_ecdh_auto
++#define SSL_CTX_set_ecdh_auto(A, B) do {} while(0)
++#endif
++
+ DRIVER_INIT(fast_tls_drv) /* must match name in driver_entry */
+ {
+    CRYPTO_set_mem_functions(our_alloc, our_realloc, our_free);
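Review bot: the compatibility shim in the second inner hunk ("#undef SSL_CTX_set_ecdh_auto" followed by "#define SSL_CTX_set_ecdh_auto(A, B) do {} while(0)") is inserted just before DRIVER_INIT at line 941, but the only caller, setup_ecdh, sits at line 383 in the first inner hunk. Preprocessor macros only apply from the point where they are defined, so this shim never reaches that call: on OpenSSL older than 1.0.2 the identifier is simply undeclared at line 383 and the driver fails to build, and on 1.1.x the call resolves to ssl.h's own definition, which is already a no-op there because automatic curve selection is always enabled (this is why the package still builds and works on stretch despite the misplaced shim). Move the #if/#undef/#define block above setup_ecdh, directly after the OpenSSL includes, and give the lower bound an L suffix ("0x10002000L") to match the other version constant. The functional change itself is sound: the ephemeral ECDH curve is now chosen by OpenSSL from the curves the client advertises instead of being hard-wired to NID_X9_62_prime256v1, and dropping SSL_OP_SINGLE_ECDH_USE is harmless since 1.1.0 always uses a fresh ephemeral key.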
diff --git a/debian/patches/series b/debian/patches/series
index c8eeb16..cab0e41 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 remove-deps.diff
+backport-openssl-ecdh-curve-auto-selection.patch

--- End Message ---
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs were included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
