From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Net-SSLeay: Update to version 1.88
Date: Wed, 23 Oct 2019 10:14:02 +0100
In-Reply-To: <7612f720a3ed549b653e3b24ff438edeb45ff022.camel@ipfire.org>

Hi,

Does it support TLSv1.3?

Debian is shipping a patch because sendEmail is hardcoded to TLSv1.0. Those are the things I find not okay and why such a project needs to be actively maintained.

If you like, please check some other distributions and add the patches. If it is somewhat maintained by a Debian maintainer I am okay with having it in IPFire.

For this, I searched for about 2 minutes and this is a bad bad problem.

Best,
-Michael

Description: Fix ssl enabled bug.
Bug-Debian: http://bugs.debian.org/679911
Author: Alejandro Garrido Mota
--- a/sendEmail +++ b/sendEmail 
@@ -1903,7 +1903,7 @@ if ($conf{'tls_server'} =3D=3D 1 and $conf{'tls_client'} =3D=3D 1 and $o= pt{'tls'} =3D~ /^(yes|auto)$/) { printmsg("DEBUG =3D> Starting TLS", 2); if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); } - if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version =3D> 'SSLv3 TL= Sv1')) { + if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version =3D> 'SSLv23:!= SSLv2')) { quit("ERROR =3D> TLS setup failed: " . IO::Socket::SSL::errstr()= , 1); } printmsg("DEBUG =3D> TLS: Using cipher: ". $SERVER->get_cipher(), 3);

> On 22 Oct 2019, at 15:33, ummeegge wrote:
>
> Hi Michael,
>
> On Di, 2019-10-22 at 12:39 +0100, Michael Tremer wrote:
>> Hi,
>>
>>> On 21 Oct 2019, at 12:14, ummeegge wrote:
>>>
>>> Hi Michael,
>>>
>>> On Mo, 2019-10-21 at 10:43 +0100, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>> Just to clarify this: Do we need it for software to function or is it a nice to have?
>>>
>>> I just tested sendEmail with this combination (IO-Socket-SSL and Net-SSLeay) where it was needed during those tests.
>>>
>>>>
>>>> The update has already been on the servers, but since we broke so many things we had to revert the patches and build it again. About four times by now. Poor Arne. Therefore I hope that we can avoid building it for a fifth time.
>>>
>>> Understandable, am really not sure what else depends on the combination with IO-Socket-SSL and Net-SSLeay, the git send-email problem for example needed only an updated IO-Socket-SSL. The only problem I have encountered without an updated Net-SSLeay was with sendEmail (IPFire addon). There was also the explanation from CPAN which I've posted in the IO-Socket-SSL patch conversation. That's why I'd send this patch here too.
>>
>> Didn't we plan to drop sendEmail because it is no longer supported?
>
> Did some tests with it and it seems that sendEmail uses the current actual Crypto with an updated Net-SSLeay and IO-Socket-SSL and it just works. Spoken from simplicity and functionality, sendEmail is currently a favorite for me.
> Nevertheless, there is no further development since 2005 and I can understand it if you want to drop it. Since it is only a Perl script, it is easy to add it again for those who want to have it.
>
>>
>> Best,
>> -Michael
>
> Best,
>
> Erik
>
>>
>>>
>>> So I haven't recognized malfunctioning in the core structure of IPFire until now but am also not using all components. Difficult to say from my side if it is really needed or if it can wait until the next core update...
>>>
>>>>
>>>> Best,
>>>> -Michael
>>>
>>> Best,
>>>
>>> Erik
>>>
>>>>
>>>>> On 20 Oct 2019, at 15:39, ummeegge wrote:
>>>>>
>>>>> Hi all,
>>>>> it seems that the updated IO-Socket-SSL also needs this updated version of Net-SSLeay. Have tested sendEmail with an updated IO-Socket-SSL only and it did not work. After Net-SSLeay has also been updated sendEmail worked again. Am not sure which system components depend on an update of those modules too.
>>>>>
>>>>> It might be an idea to add this update to the core 137 update since the new version of IO-Socket-SSL has been already included with Core 136.
>>>>>
>>>>> Best,
>>>>>
>>>>> Erik
>>>>>
>>>>>
>>>>> On Mi, 2019-09-25 at 14:25 +0100, Michael Tremer wrote:
>>>>>> Reviewed-by: Michael Tremer
>>>>>>
>>>>>>> On 25 Sep 2019, at 11:05, Erik Kapfer wrote:
>>>>>>>
>>>>>>> Signed-off-by: Erik Kapfer
>>>>>>> --- >>>>>>> config/rootfiles/common/Net_SSLeay | 1 - >>>>>>> lfs/Net_SSLeay | 6 +++--- >>>>>>> 2 files changed, 3 insertions(+), 4 deletions(-) >>>>>>>=20 
>>>>>>> diff --git a/config/rootfiles/common/Net_SSLeay >>>>>>> b/config/rootfiles/common/Net_SSLeay >>>>>>> index 4f14b74a7..bba719b03 100644 >>>>>>> --- a/config/rootfiles/common/Net_SSLeay >>>>>>> +++ b/config/rootfiles/common/Net_SSLeay >>>>>>> @@ -4,7 +4,6 @@ usr/lib/perl5/site_perl/5.30.0/MACHINE- >>>>>>> linux- >>>>>>> thread-multi/Net/SSLeay.pm >>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/Net/SSLeay/Handle.pm >>>>>>> #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay >>>>>>> #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay/.packlist >>>>>>> -#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay/SSLeay.bs >>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay/SSLeay.so >>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay/autosplit.ix >>>>>>> usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread- >>>>>>> multi/auto/Net/SSLeay/debug_read.al >>>>>>> diff --git a/lfs/Net_SSLeay b/lfs/Net_SSLeay >>>>>>> index 90c0a310a..762bf1f4a 100644 >>>>>>> --- a/lfs/Net_SSLeay >>>>>>> +++ b/lfs/Net_SSLeay >>>>>>> @@ -1,7 +1,7 @@ >>>>>>> ########################################################### >>>>>>> #### >>>>>>> #### >>>>>>> ############ >>>>>>> # =20 >>>>>>>=20 >>>>>>>=20 >>>>>>> # >>>>>>> # IPFire.org - A linux based >>>>>>> firewall # >>>>>>> -# Copyright (C) 2007-2018 IPFire Team =20 >>>>>>>=20 >>>>>>>=20 >>>>>>> # >>>>>>> +# Copyright (C) 2007-2019 IPFire Team =20 >>>>>>>=20 >>>>>>>=20 >>>>>>> # >>>>>>> # =20 >>>>>>>=20 >>>>>>>=20 >>>>>>> # >>>>>>> # This program is free software: you can redistribute it >>>>>>> and/or >>>>>>> modify # >>>>>>> # it under the terms of the GNU General Public License as >>>>>>> published >>>>>>> by # 
>>>>>>> @@ -24,7 +24,7 @@ >>>>>>>=20 >>>>>>> include Config >>>>>>>=20 >>>>>>> -VER =3D 1.82 >>>>>>> +VER =3D 1.88 >>>>>>>=20 >>>>>>> THISAPP =3D Net-SSLeay-$(VER) >>>>>>> DL_FILE =3D $(THISAPP).tar.gz >>>>>>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >>>>>>>=20 >>>>>>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>>>>>=20 >>>>>>> -$(DL_FILE)_MD5 =3D 2170469d929d5173bacffd0cb2d7fafa >>>>>>> +$(DL_FILE)_MD5 =3D fcef4985f5f7e0381e3dddd0ee7878d1 >>>>>>>=20 >>>>>>> install : $(TARGET) >>>>>>>=20 >>>>>>> --=20 >>>>>>> 2.12.2 --===============3169033974659174182==--
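
Review bot: in the sendEmail hunk at @@ -1903,7 +1903,7 @@, the replacement value 'SSLv23:!SSLv2' passed as SSL_version to IO::Socket::SSL->start_SSL excludes only SSLv2, so SSLv3 remains negotiable after STARTTLS. Suggest 'SSLv23:!SSLv3:!SSLv2' so that only TLS versions are offered, or dropping the SSL_version argument so that the installed module's own default applies. The same call passes no verification options, so whether the server certificate is checked depends on the IO::Socket::SSL defaults in use; setting SSL_verify_mode explicitly would make that behaviour visible at this call site.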
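
Review bot: the @@ -40,7 +40,7 @@ hunk in lfs/Net_SSLeay pins the new tarball only through $(DL_FILE)_MD5, and MD5 is not collision resistant, so this one line is the whole integrity check on the downloaded $(DL_FILE). If the build system can carry a stronger digest for the file, record it next to the MD5 value; either way, say in the commit message where the new checksum was taken from so that a reviewer can compare it against the upstream release.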
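
Review bot: the commit message carries only a Signed-off-by line, so nothing explains why the rootfiles hunk (@@ -4,7 +4,6 @@ in config/rootfiles/common/Net_SSLeay) drops the commented-out auto/Net/SSLeay/SSLeay.bs entry. Add a sentence stating the reason for removing that entry, and a short summary of what changes between 1.82 and 1.88, so the version bump in the @@ -24,7 +24,7 @@ hunk can be judged without leaving the patch.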