Debian Bug Tracking System
Sun, 19 Dec 2010 11:33:22 -0800
Your message dated Sun, 19 Dec 2010 19:32:18 +0000 with message-id <e1puozs-0008h4...@franck.debian.org> and subject line Bug#589706: fixed in openssl 1.0.0c-2 has caused the Debian Bug report #589706, regarding SSLv2 should be disabled to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
589706: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8o-1
Severity: normal
Tags: patch, security
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch

Since SSLv2 is considered dangerous, it should be removed from OpenSSL. It hasn't been available in NSS or GnuTLS for a very long time. This patch implements a form for disabling SSLv2 -- all contexts have NO_SSL2 set, and the ssl2 method is rejected in SSL_CTX_new (similar to how FIPS mode works).

Thanks,

-Kees

--
Kees Cook @debian.org
diff -Nru openssl-0.9.8o/debian/patches/no-sslv2.patch openssl-0.9.8o/debian/patches/no-sslv2.patch --- openssl-0.9.8o/debian/patches/no-sslv2.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-0.9.8o/debian/patches/no-sslv2.patch 2010-07-19 22:40:36.000000000 +0200
@@ -0,0 +1,125 @@ +Description: disallow SSLv2 initialization, force it disabled for other methods. +Author: Kees Cook <k...@ubuntu.com> + +Index: openssl-0.9.8o/ssl/ssl_lib.c +=================================================================== +--- openssl-0.9.8o.orig/ssl/ssl_lib.c 2010-02-17 20:43:08.000000000 +0100 ++++ openssl-0.9.8o/ssl/ssl_lib.c 2010-07-19 22:10:51.885282388 +0200 +@@ -986,8 +986,10 @@ + return 1; + + case SSL_CTRL_OPTIONS: ++ larg|=SSL_OP_NO_SSLv2; + return(s->options|=larg); + case SSL_CTRL_CLEAR_OPTIONS: ++ larg&=~SSL_OP_NO_SSLv2; + return(s->options&=~larg); + case SSL_CTRL_MODE: + return(s->mode|=larg); +@@ -1096,8 +1098,10 @@ + case SSL_CTRL_SESS_CACHE_FULL: + return(ctx->stats.sess_cache_full); + case SSL_CTRL_OPTIONS: ++ larg|=SSL_OP_NO_SSLv2; + return(ctx->options|=larg); + case SSL_CTRL_CLEAR_OPTIONS: ++ larg&=~SSL_OP_NO_SSLv2; + return(ctx->options&=~larg); + case SSL_CTRL_MODE: + return(ctx->mode|=larg); +@@ -1444,7 +1448,7 @@ + { + SSL_CTX *ret=NULL; + +- if (meth == NULL) ++ if (meth == NULL || meth->version <= SSL2_VERSION) + { + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); + return(NULL); +@@ -1603,6 +1607,9 @@ + */ + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ++ /* Force no SSLv2 for all methods */ ++ ret->options |= SSL_OP_NO_SSLv2; ++ + return(ret); + err: + SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); +Index: openssl-0.9.8o/test/testssl +=================================================================== +--- openssl-0.9.8o.orig/test/testssl 2005-02-02 00:48:36.000000000 +0100 ++++ openssl-0.9.8o/test/testssl 2010-07-19 22:10:51.885282388 +0200 +@@ -33,17 +33,17 @@ + ############################################################################# + + echo test sslv2 +-$ssltest -ssl2 $extra || exit 1 ++$ssltest -ssl2 $extra && exit 1 + + echo test sslv2 with server authentication +-$ssltest -ssl2 -server_auth $CA $extra || exit 1 ++$ssltest -ssl2 -server_auth $CA $extra && exit 1 + + if [ $dsa_cert = NO ]; 
then + echo test sslv2 with client authentication +- $ssltest -ssl2 -client_auth $CA $extra || exit 1 ++ $ssltest -ssl2 -client_auth $CA $extra && exit 1 + + echo test sslv2 with both client and server authentication +- $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1 ++ $ssltest -ssl2 -server_auth -client_auth $CA $extra && exit 1 + fi + + echo test sslv3 +@@ -71,17 +71,17 @@ + $ssltest -server_auth -client_auth $CA $extra || exit 1 + + echo test sslv2 via BIO pair +-$ssltest -bio_pair -ssl2 $extra || exit 1 ++$ssltest -bio_pair -ssl2 $extra && exit 1 + + echo test sslv2 with server authentication via BIO pair +-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1 ++$ssltest -bio_pair -ssl2 -server_auth $CA $extra && exit 1 + + if [ $dsa_cert = NO ]; then + echo test sslv2 with client authentication via BIO pair +- $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1 ++ $ssltest -bio_pair -ssl2 -client_auth $CA $extra && exit 1 + + echo test sslv2 with both client and server authentication via BIO pair +- $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1 ++ $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra && exit 1 + fi + + echo test sslv3 via BIO pair +Index: openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod +=================================================================== +--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:35:59.305282967 +0200 ++++ openssl-0.9.8o/doc/ssl/SSL_CTX_new.pod 2010-07-19 22:39:09.324088083 +0200 +@@ -30,6 +30,9 @@ + and will also indicate that it only understand SSLv2. A server will only + understand SSLv2 client hello messages. + ++Note: these methods are disabled. The SSLv2 protocol is considered unsafe, ++and all attempts to use it will result in the error "null ssl method passed". 
++ + =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) + + A TLS/SSL connection established with these methods will only understand the +Index: openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod +=================================================================== +--- openssl-0.9.8o.orig/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:39:31.044042368 +0200 ++++ openssl-0.9.8o/doc/ssl/SSL_CTX_set_options.pod 2010-07-19 22:40:34.534120783 +0200 +@@ -202,6 +202,9 @@ + + Do not use the SSLv2 protocol. + ++Note: this option is always set and cannot be disabled. SSLv2 is never ++available. ++ + =item SSL_OP_NO_SSLv3 + + Do not use the SSLv3 protocol. diff -Nru openssl-0.9.8o/debian/patches/series openssl-0.9.8o/debian/patches/series --- openssl-0.9.8o/debian/patches/series 2010-06-14 17:04:09.000000000 +0200 +++ openssl-0.9.8o/debian/patches/series 2010-07-19 22:10:48.000000000 +0200 @@ -21,3 +21,4 @@ aesni.patch perlpath-quilt.patch Bsymbolic-functions.patch +no-sslv2.patch diff -Nru openssl-0.9.8o/debian/rules openssl-0.9.8o/debian/rules --- openssl-0.9.8o/debian/rules 2010-07-19 16:44:00.000000000 +0200 +++ openssl-0.9.8o/debian/rules 2010-07-19 22:44:41.000000000 +0200 @@ -71,9 +71,11 @@ clean: dh_testdir dh_testroot + dh_clean -rm -f build -./Configure $(CONFARGS) debian-$(DEB_HOST_ARCH) [ ! -f Makefile ] || make -f Makefile clean clean-shared + [ ! -f test/Makefile ] || make -C test clean #-make -f Makefile dclean # perl util/ssldir.pl /usr/local/ssl -rm -f test/.rnd test/testkey.pem test/testreq.pem test/certCA.srl 
@@ -88,7 +90,6 @@ -rm -f libcrypto.* libssl.* -cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem igetest -rm Makefile apps/CA.pl tools/c_rehash crypto/opensslconf.h crypto/x86_64cpuid.S - dh_clean binary-indep: build dh_testdir
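Review bot: in the ssl_lib.c `@@ -986,8 +986,10 @@` hunk (and its SSL_CTX counterpart at `@@ -1096,8 +1098,10 @@`), `larg|=SSL_OP_NO_SSLv2;` sits in the SSL_CTRL_OPTIONS path whose `return(s->options|=larg);` also serves callers that pass a zero larg just to read the current options, so a plain read now writes the bit as well. That is consistent with the "always set" wording in the pod hunk, but the edit carries no comment, unlike the `/* Force no SSLv2 for all methods */` block in SSL_CTX_new; add the same one-line comment here and at the SSL_CTRL_CLEAR_OPTIONS edit so a later cleanup does not drop them as redundant with the SSL_CTX_new change.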
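Review bot: in the SSL_CTX_new hunk (`@@ -1444,7 +1448,7 @@`), `+ if (meth == NULL || meth->version <= SSL2_VERSION)` rejects an SSLv2 method with SSL_R_NULL_SSL_METHOD_PASSED, so an application that passes a perfectly non-NULL method gets "null ssl method passed" in its error log, and the SSL_CTX_new.pod hunk has to explain that away. A new reason code whose string names SSLv2 as disabled would make the failure self-explanatory and let the documentation note state the real cause instead of the misleading message.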
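Review bot: in the test/testssl hunk at `@@ -33,17 +33,17 @@` (the BIO pair hunk at `@@ -71,17 +71,17 @@` has the same shape), flipping `|| exit 1` to `&& exit 1` makes any non-zero exit of $ssltest count as "SSLv2 correctly refused", including a crash, a missing test binary, or a failure unrelated to the protocol, so the suite can no longer tell a correct refusal from a broken test program. The unchanged `echo test sslv2` line also still announces a normal SSLv2 test, which reads as a pass in the build log. Suggest changing the echo to say the run is expected to fail and checking for the specific refusal (the SSL_CTX_new error from the ssl_lib.c hunk) in the ssltest output rather than a bare non-zero status.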
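Review bot: the SSL_CTX_set_options.pod hunk (`@@ -202,6 +202,9 @@`) says the option "cannot be disabled" but not what happens to a caller that tries; the `larg&=~SSL_OP_NO_SSLv2;` edit in the SSL_CTRL_CLEAR_OPTIONS path strips the bit silently and returns success. The note should say that SSL_CTX_clear_options and SSL_clear_options ignore SSL_OP_NO_SSLv2 without an error, so an application that checks the return value for the bit is not surprised.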
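Review bot: the debian/rules hunks (`@@ -71,9 +90,11 @@` moving `dh_clean` to the start of the clean target and adding `[ ! -f test/Makefile ] || make -C test clean`, with the trailing `dh_clean` removed at `@@ -88,7 +90,6 @@`) are build-hygiene changes unrelated to disabling SSLv2, and neither the bug description nor the patch header mentions them. Split them into their own change, or at least call them out in the changelog, so the security-relevant part of this patch stays reviewable on its own.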
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.0.0c-2

We believe that the bug you reported is fixed in the latest version of openssl, which is due to be installed in the Debian FTP archive:

libcrypto1.0.0-udeb_1.0.0c-2_amd64.udeb to main/o/openssl/libcrypto1.0.0-udeb_1.0.0c-2_amd64.udeb
libssl-dev_1.0.0c-2_amd64.deb to main/o/openssl/libssl-dev_1.0.0c-2_amd64.deb
libssl-doc_1.0.0c-2_all.deb to main/o/openssl/libssl-doc_1.0.0c-2_all.deb
libssl1.0.0-dbg_1.0.0c-2_amd64.deb to main/o/openssl/libssl1.0.0-dbg_1.0.0c-2_amd64.deb
libssl1.0.0_1.0.0c-2_amd64.deb to main/o/openssl/libssl1.0.0_1.0.0c-2_amd64.deb
openssl_1.0.0c-2.debian.tar.gz to main/o/openssl/openssl_1.0.0c-2.debian.tar.gz
openssl_1.0.0c-2.dsc to main/o/openssl/openssl_1.0.0c-2.dsc
openssl_1.0.0c-2_amd64.deb to main/o/openssl/openssl_1.0.0c-2_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 589...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Dec 2010 16:24:16 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.0c-2
Distribution: experimental
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description:
 libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl-doc - SSL development documentation documentation
 libssl1.0.0 - SSL shared libraries
 libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
 openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 589706
Changes:
 openssl (1.0.0c-2) experimental; urgency=low
 .
   * Set $ in front of {sparcv9_asm} so that the sparc v9 variant builds.
   * Always define _GNU_SOURCE, not only for Linux.
   * Drop SSL2 support (Closes: #589706)
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---