Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )
On Wed, Sep 06, 2017 at 09:57:09AM +0200, firstname.lastname@example.org wrote:
> On Tue, Sep 05, 2017 at 11:40:46PM +0200, Sven Hartge wrote:
> > Michael Grant <email@example.com> wrote:
> > > Is there something I can set on Debian side to force this newer
> > > openssl to accept older 1.x connections?
> > No, you can't.
> > Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> > program needs to call a special function of OpenSSL to override the
> > default minimum TLS-version of TLS1.2.
> > Problem is: next to no program implements this as of yet.
> Isn't there any LD_PRELOAD    trick one could play? I mean
> interposing something between the executable and the lib to slightly
> modify the lib's default behaviour?
There'll be once someone writes it. Maybe I'll do it this weekend.
Looking at tls1_2_default.patch from Debian's openssl, the only thing
that needs to be done is to override this change:
@@ -2372,7 +2372,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->method = meth;
- ret->min_proto_version = 0;
+ if (meth->version == TLS_ANY_VERSION)
+ ret->min_proto_version = TLS1_2_VERSION;
+ ret->min_proto_version = 0;
ret->max_proto_version = 0;
ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
I.e. intercept a call to SSL_CTX_new, set meth->version to, say
TLS1_0_VERSION and call a real SSL_CTX_new.
I'll need it anyway once buster becomes stable as I'm forced to use a
certain cirrus IMAP server which only advertises TLS 1.0.