From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Net-SSLeay: Update to version 1.88
Date: Wed, 23 Oct 2019 10:14:02 +0100
Message-ID: <B8EF3A81-9661-449E-AE39-FF604BF05102@ipfire.org>
In-Reply-To: <7612f720a3ed549b653e3b24ff438edeb45ff022.camel@ipfire.org>
Hi,
Does it support TLSv1.3?
Debian is shipping a patch because sendEmail is hardcoded to TLSv1.0. Those are the things I find not okay and why such a project needs to be actively maintained.
If you like, please check some other distributions and add the patches. If it is somewhat maintained by a Debian maintainer I am okay with having it in IPFire.
For this, I searched for about 2 minutes and this is a bad bad problem.
Best,
-Michael
Description: Fix ssl enabled bug.
Bug-Debian: http://bugs.debian.org/679911
Author: Alejandro Garrido Mota <alejandro(a)debian.org>
--- a/sendEmail
+++ b/sendEmail
@@ -1903,7 +1903,7 @@
if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
printmsg("DEBUG => Starting TLS", 2);
if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
- if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv3 TLSv1')) {
+ if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2')) {
quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
}
printmsg("DEBUG => TLS: Using cipher: ". $SERVER->get_cipher(), 3);
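Review bot: the new value 'SSLv23:!SSLv2' on the start_SSL line excludes only SSLv2, so SSLv3 can still be negotiated, and TLSv1.0 too, when the server offers nothing better. Suggest excluding SSLv3 as well, for example 'SSLv23:!SSLv2:!SSLv3', or dropping the SSL_version argument so the IO::Socket::SSL default applies and newer protocol versions are picked up without another edit to the script. The call also passes no verification options, so certificate checking depends on the module's defaults; that is worth stating in the patch description.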
> On 22 Oct 2019, at 15:33, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> Hi Michael,
>
> On Di, 2019-10-22 at 12:39 +0100, Michael Tremer wrote:
>> Hi,
>>
>>> On 21 Oct 2019, at 12:14, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>
>>> Hi Michael,
>>>
>>> On Mo, 2019-10-21 at 10:43 +0100, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> Just to clarify this: Do we need it for software to function or
>>>> is it
>>>> a nice to have?
>>>
>>> I just tested sendEmail with this combination (IO-Socket-SSL and
>>> Net-
>>> SSLeay) where it was needed while those tests.
>>>
>>>>
>>>> The update has already been on the servers, but since we broke so
>>>> many things we had to revert the patches and build it again.
>>>> About
>>>> four times by now. Poor Arne. Therefore I hope that we can avoid
>>>> building it for a fifth time.
>>>
>>> Understandable, am really not sure what else depends on the
>>> combination
>>> with IO-Socket-SSL and Net-SSLeay, the git send-email problem for
>>> example needed only an updated IO-Socket-SSL . The only problem i
>>> have
>>> encountered without an updated Net-SSLeay was with sendEmail
>>> (IPFire
>>> addon). There was also the explanation from Cpan which i´ve posted
>>> in
>>> the IO-Socket-SSL patch conversation. That´s why i´d send this
>>> patch
>>> here too.
>>
>> Didn’t we plan to drop sendEmail because it is no longer supported?
>
> Did some tests with it and it seems that sendEmail uses the current
> actual Crypto with an updated Net-SSLeay and IO-Socket-SSL and it just
> works. Spoken from simplicity and functionality, sendEMail is currently
> a favorite for me.
> Nevertheless, there is no further development since 2005 and i can
> understand it if you want to drop it. Since it is only a Perl script,
> it is easy to add it again for those which want it to have.
>
>>
>> Best,
>> -Michael
>
> Best,
>
> Erik
>
>>
>>>
>>> So i haven´t recognized malfunctioning in the core structure of
>>> IPFire
>>> until now but am also not using all components. Difficult to say
>>> from
>>> my side if it is really needed or if it can may wait until the next
>>> core update...
>>>
>>>>
>>>> Best,
>>>> -Michael
>>>
>>> Best,
>>>
>>> Erik
>>>
>>>>
>>>>> On 20 Oct 2019, at 15:39, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>>
>>>>> Hi all,
>>>>> it seems that the updated IO-Socket-SSL also needs this updated
>>>>> version
>>>>> of Net-SSLeay. Have tested sendEmail with an updated IO-Socket-
>>>>> SSL
>>>>> only
>>>>> and it did not work. After Net-SSLeay has also been updated
>>>>> sendEMail
>>>>> worked again. Am not sure which system components depends on an
>>>>> updated
>>>>> of those modules too.
>>>>>
>>>>> It might be may an idea to add this update to the core 137
>>>>> update
>>>>> since
>>>>> the new version of IO-Socket-SSL has been already included with
>>>>> Core
>>>>> 136.
>>>>>
>>>>> Best,
>>>>>
>>>>> Erik
>>>>>
>>>>>
>>>>> On Mi, 2019-09-25 at 14:25 +0100, Michael Tremer wrote:
>>>>>> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>>>
>>>>>>> On 25 Sep 2019, at 11:05, Erik Kapfer <ummeegge(a)ipfire.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
>>>>>>> ---
>>>>>>> config/rootfiles/common/Net_SSLeay | 1 -
>>>>>>> lfs/Net_SSLeay | 6 +++---
>>>>>>> 2 files changed, 3 insertions(+), 4 deletions(-)
>>>>>>>
>>>>>>> diff --git a/config/rootfiles/common/Net_SSLeay
>>>>>>> b/config/rootfiles/common/Net_SSLeay
>>>>>>> index 4f14b74a7..bba719b03 100644
>>>>>>> --- a/config/rootfiles/common/Net_SSLeay
>>>>>>> +++ b/config/rootfiles/common/Net_SSLeay
>>>>>>> @@ -4,7 +4,6 @@ usr/lib/perl5/site_perl/5.30.0/MACHINE-
>>>>>>> linux-
>>>>>>> thread-multi/Net/SSLeay.pm
>>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/Net/SSLeay/Handle.pm
>>>>>>> #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay
>>>>>>> #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay/.packlist
>>>>>>> -#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay/SSLeay.bs
>>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay/SSLeay.so
>>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay/autosplit.ix
>>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-
>>>>>>> multi/auto/Net/SSLeay/debug_read.al
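Review bot: the dropped commented-out SSLeay.bs entry is the only change to the rootfile, and the commit message gives no reason for it. Please say in the commit message whether the new version no longer installs SSLeay.bs, so the rootfile change can be checked against the build output.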
>>>>>>> diff --git a/lfs/Net_SSLeay b/lfs/Net_SSLeay
>>>>>>> index 90c0a310a..762bf1f4a 100644
>>>>>>> --- a/lfs/Net_SSLeay
>>>>>>> +++ b/lfs/Net_SSLeay
>>>>>>> @@ -1,7 +1,7 @@
>>>>>>> ###########################################################
>>>>>>> ####
>>>>>>> ####
>>>>>>> ############
>>>>>>> #
>>>>>>>
>>>>>>>
>>>>>>> #
>>>>>>> # IPFire.org - A linux based
>>>>>>> firewall #
>>>>>>> -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org>
>>>>>>>
>>>>>>>
>>>>>>> #
>>>>>>> +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org>
>>>>>>>
>>>>>>>
>>>>>>> #
>>>>>>> #
>>>>>>>
>>>>>>>
>>>>>>> #
>>>>>>> # This program is free software: you can redistribute it
>>>>>>> and/or
>>>>>>> modify #
>>>>>>> # it under the terms of the GNU General Public License as
>>>>>>> published
>>>>>>> by #
>>>>>>> @@ -24,7 +24,7 @@
>>>>>>>
>>>>>>> include Config
>>>>>>>
>>>>>>> -VER = 1.82
>>>>>>> +VER = 1.88
>>>>>>>
>>>>>>> THISAPP = Net-SSLeay-$(VER)
>>>>>>> DL_FILE = $(THISAPP).tar.gz
>>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>>>
>>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>>>
>>>>>>> -$(DL_FILE)_MD5 = 2170469d929d5173bacffd0cb2d7fafa
>>>>>>> +$(DL_FILE)_MD5 = fcef4985f5f7e0381e3dddd0ee7878d1
>>>>>>>
>>>>>>> install : $(TARGET)
>>>>>>>
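Review bot: the '$(DL_FILE)_MD5' line is the only integrity check on the new tarball visible in this patch, and MD5 is not collision resistant. Please state in the commit message where the 1.88 tarball and its checksum were obtained, and record a stronger digest (for example SHA-256) alongside it if the lfs format allows one.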
>>>>>>> --
>>>>>>> 2.12.2