
Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )



Hi.

On Wed, Sep 06, 2017 at 09:57:09AM +0200, tomas@tuxteam.de wrote:
> On Tue, Sep 05, 2017 at 11:40:46PM +0200, Sven Hartge wrote:
> > Michael Grant <mgrant@grant.org> wrote:
> > 
> > > Is there something I can set on Debian side to force this newer
> > > openssl to accept older 1.x connections?
> > 
> > No, you can't.
> > 
> > Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> > program needs to call a special function of OpenSSL to override the
> > default minimum TLS-version of TLS1.2.
> > 
> > Problem is: next to no program implements this as of yet.
> 
> Isn't there any LD_PRELOAD [1] [2] [3] trick one could play? I mean
> interposing something between the executable and the lib to slightly
> modify the lib's default behaviour?

There'll be one once someone writes it. Maybe I'll do it this weekend.

Looking at tls1_2_default.patch from Debian's openssl, the only thing
that needs to be done is to override this change:

@@ -2372,7 +2372,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         goto err;

     ret->method = meth;
-    ret->min_proto_version = 0;
+    if (meth->version == TLS_ANY_VERSION)
+        ret->min_proto_version = TLS1_2_VERSION;
+    else
+        ret->min_proto_version = 0;
     ret->max_proto_version = 0;
     ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
     ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
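Review bot: the new `if (meth->version == TLS_ANY_VERSION)` branch changes a user-visible default without any comment; add one above it stating that only the version-flexible methods get the `TLS1_2_VERSION` floor, that fixed-version methods deliberately keep `ret->min_proto_version = 0`, and that an application which must talk to older peers is expected to lower the floor itself with SSL_CTX_set_min_proto_version(), so that readers of SSL_CTX_new do not mistake the raised floor for upstream behaviour.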

I.e. intercept a call to SSL_CTX_new, set meth->version to, say,
TLS1_0_VERSION and call the real SSL_CTX_new.

I'll need it anyway once buster becomes stable as I'm forced to use a
certain Cyrus IMAP server which only advertises TLS 1.0.

Reco
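An LD_PRELOAD shim along those lines, as an added example that is neither Reco's code nor anything shipped by Debian: it interposes SSL_CTX_new, calls the real one through dlsym(RTLD_NEXT), and lowers the floor with the public SSL_CTX_ctrl control instead of writing to the const SSL_METHOD. The TLS_SHIM_MIN_PROTO variable and the helper names are assumptions, and the few ssl.h constants it needs are declared inline so it builds without the OpenSSL headers.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>

/* Constants copied from OpenSSL 1.1.0's ssl.h so the shim builds without its headers;
 * SSL_CTX_set_min_proto_version() is a macro over SSL_CTX_ctrl() with this command. */
#define TLS1_VERSION                   0x0301
#define TLS1_1_VERSION                 0x0302
#define TLS1_2_VERSION                 0x0303
#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)   /* glibc's value, in case _GNU_SOURCE came too late */
#endif
typedef struct ssl_ctx_st SSL_CTX;        /* both opaque here: never dereferenced */
typedef struct ssl_method_st SSL_METHOD;
typedef SSL_CTX *(*ctx_new_fn)(const SSL_METHOD *);
typedef const SSL_METHOD *(*method_fn)(void);
typedef long (*ctx_ctrl_fn)(SSL_CTX *, int, long, void *);

/* Floor requested via the hypothetical TLS_SHIM_MIN_PROTO variable: unset means TLS 1.0;
 * an unknown value yields -1 and leaves Debian's TLS 1.2 default in place. */
int parse_min_version(const char *s) {
    if (s == NULL || *s == '\0')  return TLS1_VERSION;
    if (strcmp(s, "TLS1") == 0)   return TLS1_VERSION;
    if (strcmp(s, "TLS1_1") == 0) return TLS1_1_VERSION;
    if (strcmp(s, "TLS1_2") == 0) return TLS1_2_VERSION;
    return -1;
}

/* The Debian patch raises the floor only for the version-flexible methods, so lower it
 * only for those: compare against the public TLS_*method() accessors, not meth->version. */
static int is_any_version_method(const SSL_METHOD *meth) {
    static const char *const names[] = {"TLS_method", "TLS_client_method", "TLS_server_method"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        method_fn f = (method_fn)dlsym(RTLD_NEXT, names[i]);
        if (f != NULL && f() == meth) return 1;
    }
    return 0;
}

/* Interposed SSL_CTX_new: run the real one, then lower the floor on the new context. */
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
    ctx_new_fn real_new = (ctx_new_fn)dlsym(RTLD_NEXT, "SSL_CTX_new");
    ctx_ctrl_fn ctrl = (ctx_ctrl_fn)dlsym(RTLD_NEXT, "SSL_CTX_ctrl");
    if (real_new == NULL || ctrl == NULL) return NULL;   /* no libssl behind us: fail closed */
    SSL_CTX *ctx = real_new(meth);
    int min_v = parse_min_version(getenv("TLS_SHIM_MIN_PROTO"));
    if (ctx != NULL && min_v > 0 && is_any_version_method(meth))
        ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, min_v, NULL);
    return ctx;
}
```

Build with `gcc -shared -fPIC -o tls_shim.so tls_shim.c -ldl` and start only the affected client with `LD_PRELOAD=./tls_shim.so`, which keeps the lowered floor scoped to that one process rather than the whole system.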

