Your message dated Sun, 03 Dec 2017 15:20:16 +0000
with message-id <[email protected]>
and subject line Bug#871427: fixed in argyll 2.0.0+repack-1
has caused the Debian Bug report #871427,
regarding argyll: please switch to SSLv23_… or TLS_…_method
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: argyll
Version: 1.9.2+repack-1
Severity: important
User: [email protected]
Usertags: TLS1.0_1.1_removal

Your package uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means it
won't work because it provides TLS1.2. See also [0].
Please switch to
        SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()

or the recommended openssl 1.1+ functions:
        TLS_method() | TLS_server_method() | TLS_client_method()

as per man-page [1].
The code I identified and that probably needs to be replaced:
argyll-1.9.2+repack/ccast/ccpacket.c
|         // Want to use TLS_client_method(), but older OpenSSL doesn't have it...
|         if ((p->ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)

An example for replacing a TLSv1 only connection with any possible
version would look like this:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+  ctx = SSL_CTX_new(SSLv23_client_method());

If you want to use the openssl 1.1 function you need extra version
checks:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif

Note that openssl is usually configured (at build time) not to allow
SSLv2 and SSLv3 connections. However, if upstream wants to be sure to
have it disabled you can add this:

+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
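Review bot: the two guards in this hunk are inverted for the stated purpose. OPENSSL_NO_SSL3 and OPENSSL_NO_SSL2 are defined (via opensslconf.h) when libssl was built without that protocol, so `#ifdef OPENSSL_NO_SSL3` only sets SSL_OP_NO_SSLv3 on builds that cannot speak SSLv3 anyway, and a libssl that still supports it gets no option at all, which is the opposite of the "even if the currently installed libssl supports it" intent below. The SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2 macros are defined unconditionally in <openssl/ssl.h>, so the `#ifdef`/`#endif` wrappers can be dropped and both SSL_CTX_set_options() calls made unconditional; on OpenSSL 1.1.0+ the same effect is obtained with SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION).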

to make sure it is not used for a connection even if the currently
installed libssl library supports it.

[0] https://lists.debian.org/msgid-search/[email protected]
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html

Sebastian

--- End Message ---
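The audit behind this report, as an added example (not Sebastian's code and not part of argyll): a POSIX shell scanner that finds SSL_CTX method calls pinned to a single legacy protocol version in a source tree and prints the version-flexible replacement from SSLv23_method(3ssl). The ccpacket.c it scans is a constructed sample, not the real file.

```shell
#!/bin/sh
# Added example, not part of the bug report or of argyll: find SSL_CTX method
# calls that pin one legacy protocol version (the pattern flagged in
# ccast/ccpacket.c) and print the version-flexible replacement for each.

# Single-version method names listed in SSLv23_method(3ssl).
LEGACY_METHODS='(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2)_(client_|server_)?method'

# scan_tls_methods DIR: print "file:line: legacy() -> replacement()" per hit.
scan_tls_methods() {
    grep -rnowE --include='*.c' --include='*.h' "$LEGACY_METHODS" "$1" |
    while IFS= read -r hit; do
        loc=${hit%:*}      # file:line
        call=${hit##*:}    # e.g. TLSv1_client_method
        case $call in      # keep the client/server role, drop the version pin
            *_client_method) repl=TLS_client_method ;;
            *_server_method) repl=TLS_server_method ;;
            *)               repl=TLS_method ;;
        esac
        printf '%s: %s() -> %s()\n' "$loc" "$call" "$repl"
    done
}

# demo_scan: run the scanner over a constructed source file (sample input,
# not argyll's real source) and print the findings.
demo_scan() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ccpacket.c" <<'EOF'
// Want to use TLS_client_method(), but older OpenSSL doesn't have it...
if ((p->ctx = SSL_CTX_new(TLSv1_client_method())) == NULL)
    return 1;
srv = SSL_CTX_new(TLSv1_1_server_method());
ctx = SSL_CTX_new(TLS_method());   /* already version-flexible: not reported */
EOF
    scan_tls_methods "$dir" | sed "s|^$dir/||"   # strip the temp path
    rm -rf "$dir"
}

demo_scan
```

Calls that already use TLS_method()/TLS_client_method()/TLS_server_method() or SSLv23_*_method() are not reported, so the output lists only the sites that need the change described above.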
--- Begin Message ---
Source: argyll
Source-Version: 2.0.0+repack-1

We believe that the bug you reported is fixed in the latest version of
argyll, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <[email protected]> (supplier of updated argyll package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 01 Dec 2017 10:35:30 +0100
Source: argyll
Binary: argyll argyll-ref argyll-doc
Architecture: source
Version: 2.0.0+repack-1
Distribution: unstable
Urgency: medium
Maintainer: Jörg Frings-Fürst <[email protected]>
Changed-By: Jörg Frings-Fürst <[email protected]>
Description:
 argyll     - Color Management System, calibrator and profiler
 argyll-doc - Color Management System, calibrator and profiler (documentation)
 argyll-ref - Color Management System, calibrator and profiler (data files)
Closes: 871427
Changes:
 argyll (2.0.0+repack-1) unstable; urgency=medium
 .
   * Switch from repack to Files-Excluded.
   * Refresh patches.
   * Change to my new email address.
   * debian/changelog:
     - Remove trailing whitespaces.
   * debian/control:
     - Remove duplicate Priority fields.
     - Requested versions are lower than those in old-stable:
       + Remove dpkg and dpkg-dev from (Build|Pre)-Depends.
       + Remove versions from Recommend udev.
       + Remove Replaces & Breaks argyll from argyll-ref.
   * debian/rules:
     - Add script to remove executable flag from upstream source.
   * Declare compliance with Debian Policy 4.1.2.0 (No changes needed).
   * Change to secure URI.
     - Homepage in debian/copyright, debian/watch and debian/control.
   * debian/patches/0130_openssl.patch:
     - Switch from SSLv23_client_method to TLS_client_method (Closes: #871427).


--- End Message ---