From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH] Net-SSLeay: Update to version 1.88
Date: Thu, 24 Oct 2019 15:57:28 +0200

Hi Michael,

On Wed, 2019-10-23 at 10:14 +0100, Michael Tremer wrote:
> Hi,
> 
> Does it support TLSv1.3?

If the new Net-SSLeay is available, it should, yes.

> 
> Debian is shipping a patch because sendEmail is hardcoded to TLSv1.0.
> Those are the things I find not okay and why such a project needs to
> be actively maintained.
> 
> If you like, please check some other distributions and add the
> patches. If it is somewhat maintained by a Debian maintainer I am
> okay with having it in IPFire.
> 
> For this, I searched for about 2 minutes and this is a bad bad
> problem.
> 
> Best,
> -Michael
> 
> Description: Fix ssl enabled bug.
> Bug-Debian: http://bugs.debian.org/679911
> Author: Alejandro Garrido Mota
> --- a/sendEmail
> +++ b/sendEmail
> @@ -1903,7 +1903,7 @@
>      if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
>          printmsg("DEBUG => Starting TLS", 2);
>          if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
> -        if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv3 TLSv1')) {
> +        if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2')) {
>              quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
>          }
>          printmsg("DEBUG => TLS: Using cipher: ". $SERVER->get_cipher(), 3);

This patch is already integrated in the IPFire sendEmail sources, and I think it
is there in the first place for compatibility reasons, since it admits SSLv3,
TLSv1.0, TLSv1.1+ and forbids only SSLv2. In the IO-Socket-SSL documentation it
is also explained like that:

"
SSL_version

Sets the version of the SSL protocol used to transmit data. 'SSLv23' uses a
handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while 'SSLv2', 'SSLv3',
'TLSv1', 'TLSv1_1', 'TLSv1_2', or 'TLSv1_3' restrict handshake and protocol to
the specified version. All values are case-insensitive. Instead of 'TLSv1_1',
'TLSv1_2', and 'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'.
Support for 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of
Net::SSLeay and openssl.
"
<-- From https://metacpan.org/pod/IO::Socket::SSL .

To permit only TLSv1.2 and TLSv1.3 something like this

--- /tmp/sendEmail.orig	2019-10-24 13:32:31.704118956 +0000
+++ /tmp/sendEmail	2019-10-24 13:39:48.855084039 +0000
@@ -1903,7 +1903,7 @@
     if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
         printmsg("DEBUG => Starting TLS", 2);
         if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
-        if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2')) {
+        if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => '!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:TLSv1_2')) {
             quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
         }
         printmsg("DEBUG => TLS: Using cipher: ". $SERVER->get_cipher(), 3);

is needed. Have tested both versions, the regular source and the above patch,
and grabbed the traffic via tshark. Both versions used TLSv1.2 since it is the
best one which web.de has offered in that case.

> 
> 
> > On 22 Oct 2019, at 15:33, ummeegge wrote:
> > 
> > Hi Michael,
> > 
> > On Tue, 2019-10-22 at 12:39 +0100, Michael Tremer wrote:
> > > Hi,
> > > 
> > > > On 21 Oct 2019, at 12:14, ummeegge wrote:
> > > > 
> > > > Hi Michael,
> > > > 
> > > > On Mon, 2019-10-21 at 10:43 +0100, Michael Tremer wrote:
> > > > > Hi,
> > > > > 
> > > > > Just to clarify this: Do we need it for software to function or
> > > > > is it a nice to have?
> > > > 
> > > > I just tested sendEmail with this combination (IO-Socket-SSL and
> > > > Net-SSLeay), where it was needed during those tests.
> > > > 
> > > > > 
> > > > > The update has already been on the servers, but since we broke so
> > > > > many things we had to revert the patches and build it again. About
> > > > > four times by now. Poor Arne. Therefore I hope that we can avoid
> > > > > building it for a fifth time.
> > > > 
> > > > Understandable, am really not sure what else depends on the
> > > > combination with IO-Socket-SSL and Net-SSLeay, the git send-email
> > > > problem for example needed only an updated IO-Socket-SSL.
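Review bot: in the Debian hunk quoted further up, the `+` line's value 'SSLv23:!SSLv2' excludes only SSLv2; with the 'SSLv23' base, every other version the quoted IO::Socket::SSL documentation lists (SSLv3, TLSv1, TLSv1_1) stays negotiable, so the patch repairs the handshake but still lets a server that offers nothing better fall back to SSLv3 or TLS 1.0/1.1. Consider also excluding those, e.g. 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1', and saying in the Description which failure the old 'SSLv3 TLSv1' value caused.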
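Review bot: in the second hunk directly above, the `+` line uses 'TLSv1_2' as the base version; per the IO::Socket::SSL documentation quoted in this mail, a named version such as 'TLSv1_2' "restrict[s] handshake and protocol to the specified version", so this admits TLSv1.2 only and does not permit TLSv1.3 as the surrounding text intends, while the '!' items add nothing on a fixed base. To allow exactly TLS 1.2 and 1.3, keep the flexible base and exclude the rest: 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1'. The tshark check against web.de cannot tell the two variants apart, since both negotiate TLSv1.2 when that is the best the server offers; a server offering 1.3 would show the difference.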
> > > > The only problem I have encountered without an updated Net-SSLeay
> > > > was with sendEmail (IPFire addon). There was also the explanation
> > > > from Cpan which I´ve posted in the IO-Socket-SSL patch conversation.
> > > > That´s why I´d send this patch here too.
> > > 
> > > Didn’t we plan to drop sendEmail because it is no longer supported?
> > 
> > Did some tests with it and it seems that sendEmail uses the current
> > actual crypto with an updated Net-SSLeay and IO-Socket-SSL and it just
> > works. Spoken from simplicity and functionality, sendEmail is
> > currently a favorite for me.
> > Nevertheless, there is no further development since 2005 and I can
> > understand it if you want to drop it. Since it is only a Perl script,
> > it is easy to add it again for those who want to have it.
> > 
> > > 
> > > Best,
> > > -Michael
> > 
> > Best,
> > 
> > Erik
> > 
> > > 
> > > > 
> > > > So I haven´t recognized malfunctioning in the core structure of
> > > > IPFire until now but am also not using all components. Difficult to
> > > > say from my side if it is really needed or if it may wait until the
> > > > next core update...
> > > > 
> > > > > 
> > > > > Best,
> > > > > -Michael
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > > 
> > > > > > On 20 Oct 2019, at 15:39, ummeegge wrote:
> > > > > > 
> > > > > > Hi all,
> > > > > > it seems that the updated IO-Socket-SSL also needs this updated
> > > > > > version of Net-SSLeay. Have tested sendEmail with an updated
> > > > > > IO-Socket-SSL only and it did not work. After Net-SSLeay has
> > > > > > also been updated, sendEmail worked again.
> > > > > > Am not sure which system components depend on an update of
> > > > > > those modules too.
> > > > > > 
> > > > > > It might be an idea to add this update to the core 137 update
> > > > > > since the new version of IO-Socket-SSL has already been
> > > > > > included with Core 136.
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > 
> > > > > > On Wed, 2019-09-25 at 14:25 +0100, Michael Tremer wrote:
> > > > > > > Reviewed-by: Michael Tremer
> > > > > > > 
> > > > > > > > On 25 Sep 2019, at 11:05, Erik Kapfer <ummeegge(a)ipfire.org> wrote:
> > > > > > > > 
> > > > > > > > Signed-off-by: Erik Kapfer
> > > > > > > > ---
> > > > > > > >  config/rootfiles/common/Net_SSLeay | 1 -
> > > > > > > >  lfs/Net_SSLeay                     | 6 +++---
> > > > > > > >  2 files changed, 3 insertions(+), 4 deletions(-)
> > > > > > > > 
> > > > > > > > diff --git a/config/rootfiles/common/Net_SSLeay b/config/rootfiles/common/Net_SSLeay
> > > > > > > > index 4f14b74a7..bba719b03 100644
> > > > > > > > --- a/config/rootfiles/common/Net_SSLeay
> > > > > > > > +++ b/config/rootfiles/common/Net_SSLeay
> > > > > > > > @@ -4,7 +4,6 @@ usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Net/SSLeay.pm
> > > > > > > >  usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/Net/SSLeay/Handle.pm
> > > > > > > >  #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay
> > > > > > > >  #usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay/.packlist
> > > > > > > > -#usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay/SSLeay.bs
> > > > > > > >  usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay/SSLeay.so
> > > > > > > >  usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay/autosplit.ix
> > > > > > > >  usr/lib/perl5/site_perl/5.30.0/MACHINE-linux-thread-multi/auto/Net/SSLeay/debug_read.al
> > > > > > > > diff --git a/lfs/Net_SSLeay b/lfs/Net_SSLeay
> > > > > > > > index 90c0a310a..762bf1f4a 100644
> > > > > > > > --- a/lfs/Net_SSLeay
> > > > > > > > +++ b/lfs/Net_SSLeay
> > > > > > > > @@ -1,7 +1,7 @@
> > > > > > > >  ###############################################################################
> > > > > > > >  #                                                                             #
> > > > > > > >  # IPFire.org - A linux based firewall                                         #
> > > > > > > > -# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                   #
> > > > > > > > +# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                   #
> > > > > > > >  #                                                                             #
> > > > > > > >  # This program is free software: you can redistribute it and/or modify        #
> > > > > > > >  # it under the terms of the GNU General Public License as published by        #
> > > > > > > > @@ -24,7 +24,7 @@
> > > > > > > >  
> > > > > > > >  include Config
> > > > > > > >  
> > > > > > > > -VER        = 1.82
> > > > > > > > +VER        = 1.88
> > > > > > > >  
> > > > > > > >  THISAPP    = Net-SSLeay-$(VER)
> > > > > > > >  DL_FILE    = $(THISAPP).tar.gz
> > > > > > > > @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> > > > > > > >  
> > > > > > > >  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> > > > > > > >  
> > > > > > > > -$(DL_FILE)_MD5 = 2170469d929d5173bacffd0cb2d7fafa
> > > > > > > > +$(DL_FILE)_MD5 = fcef4985f5f7e0381e3dddd0ee7878d1
> > > > > > > >  
> > > > > > > >  install : $(TARGET)
> > > > > > > >  
> > > > > > > > -- 
> > > > > > > > 2.12.2
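Review bot: the rootfiles hunk (config/rootfiles/common/Net_SSLeay) drops the commented-out SSLeay.bs entry without the commit message saying why; if Net-SSLeay 1.88 no longer installs that file, state so, since a rootfile change with no explanation is hard to review later. The message otherwise carries only the Signed-off-by: it should record the motivation that is only visible in this thread (sendEmail needs the updated Net-SSLeay next to the updated IO-Socket-SSL) and which dependent components were tested.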
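Review bot: in the lfs/Net_SSLeay hunk at @@ -40,7 +40,7 @@, the `+$(DL_FILE)_MD5` line is the only integrity check applied to the new tarball, and MD5 is not collision resistant; the commit message should say what fcef4985f5f7e0381e3dddd0ee7878d1 was verified against (the upstream release's own checksum or signature) so that a reviewer can confirm it rather than trusting the value in the patch. The VER and copyright-year changes in the other two hunks are fine as they are.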
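As an added illustration of the SSL_version discussion earlier in this mail (this is not code from the thread, from sendEmail or from IO::Socket::SSL), the following Perl script works out which protocol versions a given SSL_version string admits, following the IO::Socket::SSL documentation quoted above: the 'SSLv23' base allows every version not excluded with '!', while a specific base such as 'TLSv1_2' admits only that version. Two points are my reading of that documentation rather than something the thread states: '!' items next to a specific base cannot widen it, and a string with no base at all is treated as the flexible base. The strings tried are the two from the sendEmail patches quoted above and a constructed alternative that keeps the flexible base.

```perl
#!/usr/bin/perl
# Added example, not from the thread, sendEmail or IO::Socket::SSL:
# work out which protocol versions an IO::Socket::SSL SSL_version string
# admits, following the documentation quoted in the thread.
#   'SSLv23'            flexible base: every version not excluded with '!'
#   'SSLv3', 'TLSv1_2'  fixed base: exactly that version (assumption: '!'
#                       items cannot widen a fixed base)
#   no base given       treated as the flexible base (assumption)
use strict;
use warnings;

# Protocol versions named in the quoted documentation, oldest first.
my @ORDER = qw(SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3);

# Normalise the spellings the documentation allows: values are
# case-insensitive and 'TLSv12' is an alias for 'TLSv1_2'.
sub canon {
    my $v = lc shift;
    $v =~ s/^sslv/SSLv/ or $v =~ s/^tlsv/TLSv/
        or die "invalid version '$v'\n";
    $v =~ s/^TLSv1(\d)$/TLSv1_$1/;
    return $v;
}

# Return the versions that $spec permits, in @ORDER order.
sub permitted_versions {
    my ($spec) = @_;
    my ($base, %excluded);
    for my $item (split /\s*:\s*/, $spec) {
        if ($item =~ /^!(.+)$/) {
            $excluded{ canon($1) } = 1;
        } else {
            die "more than one base version in '$spec'\n" if defined $base;
            $base = canon($item);
        }
    }
    $base //= 'SSLv23';
    die "unknown base version '$base'\n"
        unless $base eq 'SSLv23' or grep { $_ eq $base } @ORDER;
    my @candidates = $base eq 'SSLv23' ? @ORDER : ($base);
    return grep { !$excluded{$_} } @candidates;
}

# The Debian value, the value proposed in this mail, and a constructed
# alternative that keeps the flexible base and excludes everything below 1.2.
my @specs = (
    'SSLv23:!SSLv2',                          # Debian patch quoted above
    '!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:TLSv1_2',  # patch proposed in this mail
    'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1',   # constructed alternative
);
for my $spec (@specs) {
    my @ok = permitted_versions($spec);
    printf "%-40s -> %s\n", "'$spec'", @ok ? join(' ', @ok) : '(nothing)';
}
```

Run it with `perl` and compare the last two lines: the value proposed in this mail yields TLSv1_2 alone, because the fixed 'TLSv1_2' base pins the handshake to that version, whereas the 'SSLv23'-based string yields TLSv1_2 and TLSv1_3, which is the set the text above says it wants. Whether the peer actually offers TLSv1.3 is a separate question that this evaluator does not answer; it only shows what the client would accept.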