Bug#880571: sylpheed: cannon connect to servers using TLSv1 and TLSv1.1

Thu, 02 Nov 2017 06:09:43 -0700 

Package: sylpheed
Version: 3.6.0-1
Severity: normal
Tags: patch

Dear Maintainer,

the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423

It's not clear if this decision is final and will affect the next Debian
stable release, however in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.

Sylpheed gives this message when connecting to a server using TLSv1:

  (sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1, ret 
= -1 (error:1417118C:SSL routines:tls_process_server_hello:version too low)

The OpenSSL error is:

  SSL routines:tls_process_server_hello:version too low

I am attaching a patch to fix this behavior.

I am not sure if this change should be in the official package, let me
know what your opinion is on this matter.

Thanks,
   Antonio

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), 
LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sylpheed depends on:
ii  libassuan0           2.4.3-3
ii  libatk1.0-0          2.26.1-1
ii  libc6                2.24-17
ii  libcairo2            1.15.8-2
ii  libcompfaceg1        1:1.5.2-5+b2
ii  libdbus-1-3          1.12.0-1
ii  libdbus-glib-1-2     0.108-2
ii  libenchant1c2a       1.6.0-11.1
ii  libfontconfig1       2.12.3-0.2
ii  libfreetype6         2.8.1-0.1
ii  libgdk-pixbuf2.0-0   2.36.11-1
ii  libglib2.0-0         2.54.2-1
ii  libgpg-error0        1.27-4
ii  libgpgme11           1.9.0-6
ii  libgtk2.0-0          2.24.31-2
ii  libgtkspell0         2.0.16-1.1
ii  libldap-2.4-2        2.4.45+dfsg-1
ii  libpango-1.0-0       1.40.13-1
ii  libpangocairo-1.0-0  1.40.13-1
ii  libpangoft2-1.0-0    1.40.13-1
ii  libssl1.1            1.1.0f-5
ii  pinentry-gtk2        1.0.0-3

Versions of packages sylpheed recommends:
ii  aspell-it [aspell-dictionary]  2.4-20070901-0-2.1
ii  ca-certificates                20170717
ii  sylpheed-i18n                  3.6.0-1
ii  xfonts-100dpi                  1:1.0.4+nmu1
ii  xfonts-75dpi                   1:1.0.4+nmu1

Versions of packages sylpheed suggests:
ii  bogofilter        1.2.4+dfsg1-10
pn  bsfilter          <none>
pn  claws-mail-tools  <none>
ii  curl              7.56.1-1
pn  jpilot            <none>
pn  sylpheed-doc      <none>

-- no debconf information
-- 
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?

>From 97235129beab0b3a23ec95db3e922321cdf43cf3 Mon Sep 17 00:00:00 2001
From: Antonio Ospite <a...@ao2.it>
Date: Thu, 2 Nov 2017 13:37:53 +0100
Subject: [PATCH] libsylph/ssl.c: explicitly enable the supported protocol
 versions
X-Face: z*RaLf`X<@C75u6Ig9}{oW$H;1_\2t5)({*|jhM<pyWR#k60!#=#>/Vb;]yA5<GWI5`6u&+
 ;6b'@y|8w"wB;4/e!7wYYrcqdJFY,~%Gk_4]cq$Ei/7<j&N3ah(m`ku?pX.&+~:_/wC~dwn^)MizBG
 !pE^+iDQQ1yC6^,)YDKkxDd!T>\I~93>J<_`<4)A{':UrE

The Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017,
see:
https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423

It's not clear if this decision is final and will affect the next Debian
stable release, however in the meantime, sylpheed in Debian unstable
cannot connect to servers using older TLS protocol versions.

Work around that by explicitly setting the minimum protocol versions.
---
 libsylph/ssl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 84139250..61e770f8 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -132,6 +132,8 @@ void ssl_init(void)
                debug_print(_("SSLv23 not available\n"));
        } else {
                debug_print(_("SSLv23 available\n"));
+               /* XXX workaround for Debian systems, see Debian bug #875423 */
+               SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, SSL3_VERSION);
                if ((certs_file || certs_dir) &&
                    !SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file,
                                                   certs_dir))
@@ -144,6 +146,8 @@ void ssl_init(void)
                debug_print(_("TLSv1 not available\n"));
        } else {
                debug_print(_("TLSv1 available\n"));
+               /* XXX workaround for Debian systems, see Debian bug #875423 */
+               SSL_CTX_set_min_proto_version(ssl_ctx_TLSv1, TLS1_VERSION);
                /* disable SSLv2/SSLv3 */
                SSL_CTX_set_options(ssl_ctx_TLSv1,
                                    SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
-- 
2.15.0

Reply via email to