Your message dated Sat, 09 Sep 2017 13:19:05 +0000
with message-id <[email protected]>
and subject line Bug#871427: fixed in argyll 1.9.2+repack-2
has caused the Debian Bug report #871427,
regarding argyll: please switch to SSLv23_… or TLS_…_method
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: argyll
Version: 1.9.2+repack-1
Severity: important
User: [email protected]
Usertags: TLS1.0_1.1_removal

Your package uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means it
won't work because it provides TLS1.2. See also [0].
Please switch to
        SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()

or the recommended openssl 1.1+ functions:
        TLS_method() | TLS_server_method() | TLS_client_method()

as per man-page [1].
The code I identified that probably needs to be replaced:
argyll-1.9.2+repack/ccast/ccpacket.c
|         // Want to use TLS_client_method(), but older OpenSSL doesn't have it...
|         if ((p->ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)

An example for replacing a TLSv1 only connection with any possible
version would look like this:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+  ctx = SSL_CTX_new(SSLv23_client_method());
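Review bot: `SSLv23_client_method()` in the added line negotiates the highest version both peers support, so this hunk restores connectivity to a TLS1.2-only libssl, but on its own it also leaves SSLv3 and TLS1.0 enabled wherever the installed library still offers them; pair it with the `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` options this message proposes further down, or with an explicit minimum version, so that "any possible version" does not silently include the legacy ones.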

If you want to use the openssl 1.1 function you need extra version
checks:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
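Review bot: the replacement lines in this hunk drop the NULL check that the quoted argyll code keeps (`if ((p->ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)`); when this is applied to ccpacket.c, keep the `== NULL` test on the `SSL_CTX_new()` result in both branches. The `#if`/`#else` split is also only a source-compatibility convenience: on OpenSSL 1.1.0 `SSLv23_client_method()` remains available as a deprecated alias of `TLS_client_method()`, so the `#else` line alone would compile against every library listed, at the cost of a deprecation warning. Minor style point: `SSL_CTX_new (TLS_client_method ())` puts spaces before the parentheses while the removed line does not.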

Note that openssl is usually configured (at build time) not to allow
SSLv2 and SSLv3 connections. However, if upstream wants to be sure to
have it disabled you can add this:

+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
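Review bot: the `#ifdef` guards in this hunk are inverted relative to the stated goal. `OPENSSL_NO_SSL3` is defined when libssl was built without SSLv3 support, so `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);` is compiled in exactly when SSLv3 is already unavailable and skipped when the installed library does still support it; the same applies to `OPENSSL_NO_SSL2`/`SSL_OP_NO_SSLv2`. Both `SSL_OP_NO_*` flags are defined unconditionally in ssl.h, so drop the wrappers and set the options unconditionally (or invert them to `#ifndef`); on OpenSSL 1.1.0 `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)` expresses the same floor more directly.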

to make sure it is not used for a connection even if the currently
installed libssl library supports it.

[0] https://lists.debian.org/msgid-search/[email protected]
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html

Sebastian

--- End Message ---
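The mass bug filing above rests on finding every version-pinned OpenSSL method call in a package's sources; this added POSIX shell audit (not part of the bug report or the argyll sources) does that scan and runs it over a constructed sample tree whose file names, contents and function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or the argyll sources): locate OpenSSL
# method constructors that pin a single protocol version in a C source tree.
# On a libssl that only speaks TLS1.2 these calls fail at connection time, so a
# maintainer can run this over a package before the library upgrade bites.

# Version-locked constructors: SSLv2/SSLv3/TLSv1/TLSv1_1 plus TLSv1_2, which
# still works but freezes the version and will never negotiate anything newer.
# The leading group is a portable stand-in for a word boundary, so
# TLS_client_method() and SSL_CTX_set_min_proto_version() do not match.
PINNED_METHOD_RE='(^|[^A-Za-z0-9_])(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)(_client|_server)?_method[[:space:]]*\('

# Print "file:line:text" for every pinned-method call in the tree at $1.
scan_pinned_tls_methods() {
    grep -rnE --include='*.c' --include='*.h' --include='*.cpp' \
        "$PINNED_METHOD_RE" "$1" 2>/dev/null || true
}

# Number of hits; a packaging check can fail the build when it is non-zero.
count_pinned_tls_methods() {
    scan_pinned_tls_methods "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one file with the argyll-style pinned call and one
# that already uses the version-flexible API with an explicit floor.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/ccpacket.c" <<'EOF'
if ((p->ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)
    return 1;
EOF
    cat > "$dir/fixed.c" <<'EOF'
ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
EOF
    printf '%s\n' "$dir"
}

# Demo: the scan reports only the pinned call in ccpacket.c.
sample=$(make_sample_tree)
scan_pinned_tls_methods "$sample"
echo "pinned method calls: $(count_pinned_tls_methods "$sample")"
rm -rf "$sample"
```

Point `scan_pinned_tls_methods` at an unpacked source package to get the same file:line listing the reporter produced by hand.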
--- Begin Message ---
Source: argyll
Source-Version: 1.9.2+repack-2

We believe that the bug you reported is fixed in the latest version of
argyll, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated argyll package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 31 Aug 2017 06:49:06 +0200
Source: argyll
Binary: argyll argyll-ref argyll-doc
Architecture: source
Version: 1.9.2+repack-2
Distribution: unstable
Urgency: medium
Maintainer: Jörg Frings-Fürst <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Description:
 argyll     - Color Management System, calibrator and profiler
 argyll-doc - Color Management System, calibrator and profiler (documentation)
 argyll-ref - Color Management System, calibrator and profiler (data files)
Closes: 871427
Changes:
 argyll (1.9.2+repack-2) unstable; urgency=medium
 .
   * New README.source to explain the branching model used.
   * Declare compliance with Debian Policy 4.0.1. (No changes needed).
   * debian/copyright:
     - Add 2017 to debian/*.
   * debian/control:
     - Remove dh-autoreconf.
       + No longer needed since debhelper compatibility level >= 10.
   * debian/rules:
     - For better handling replace dpkg-parsechangelog with SOURCE_DATE_EPOCH
       from pkg-info.mk.
   * New patch 0130_openssl.patch:
     - Enable all ssl connections since openssl provides only connections with
       TLS1.2 or greater (Closes: #871427).
   * Use the automatic debug symbol packages:
     - Remove argyll-dbg section from debian/control.
     - Use --dbgsym-migration at override_dh_strip from debian/rules.
   * Refresh patches:
     - 0100_spelling.patch.


--- End Message ---
