Package: sylpheed
Version: 3.6.0-1
Severity: normal
Tags: patch

Dear Maintainer,

the Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017, see:

  https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
  https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423

It's not clear if this decision is final and will affect the next Debian stable release; however, in the meantime sylpheed in Debian unstable cannot connect to servers using older TLS protocol versions.

Sylpheed gives this message when connecting to a server using TLSv1:

  (sylpheed:20968): LibSylph-WARNING **: SSL_connect() failed with error 1, ret = -1 (error:1417118C:SSL routines:tls_process_server_hello:version too low)

The OpenSSL error is:

  SSL routines:tls_process_server_hello:version too low

I am attaching a patch to fix this behavior. I am not sure if this change should be in the official package; let me know what your opinion is on this matter.

Thanks,
   Antonio

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sylpheed depends on:
ii  libassuan0           2.4.3-3
ii  libatk1.0-0          2.26.1-1
ii  libc6                2.24-17
ii  libcairo2            1.15.8-2
ii  libcompfaceg1        1:1.5.2-5+b2
ii  libdbus-1-3          1.12.0-1
ii  libdbus-glib-1-2     0.108-2
ii  libenchant1c2a       1.6.0-11.1
ii  libfontconfig1       2.12.3-0.2
ii  libfreetype6         2.8.1-0.1
ii  libgdk-pixbuf2.0-0   2.36.11-1
ii  libglib2.0-0         2.54.2-1
ii  libgpg-error0        1.27-4
ii  libgpgme11           1.9.0-6
ii  libgtk2.0-0          2.24.31-2
ii  libgtkspell0         2.0.16-1.1
ii  libldap-2.4-2        2.4.45+dfsg-1
ii  libpango-1.0-0       1.40.13-1
ii  libpangocairo-1.0-0  1.40.13-1
ii  libpangoft2-1.0-0    1.40.13-1
ii  libssl1.1            1.1.0f-5
ii  pinentry-gtk2        1.0.0-3

Versions of packages sylpheed recommends:
ii  aspell-it [aspell-dictionary]  2.4-20070901-0-2.1
ii  ca-certificates                20170717
ii  sylpheed-i18n                  3.6.0-1
ii  xfonts-100dpi                  1:1.0.4+nmu1
ii  xfonts-75dpi                   1:1.0.4+nmu1

Versions of packages sylpheed suggests:
ii  bogofilter        1.2.4+dfsg1-10
pn  bsfilter          <none>
pn  claws-mail-tools  <none>
ii  curl              7.56.1-1
pn  jpilot            <none>
pn  sylpheed-doc      <none>

-- no debconf information

-- 
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
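To make the "version too low" error in the report concrete, here is an added example (not code from sylpheed, libsylph, OpenSSL or the Debian patch): a small ServerHello parser that applies the same lower bound that OpenSSL's tls_process_server_hello() enforces against the minimum set with SSL_CTX_set_min_proto_version(). It builds a constructed ServerHello record (not a capture) advertising a given version and checks it against three client floors: the Debian default of TLSv1.2, which reproduces the reported failure, and the TLSv1 and SSLv3 floors that the attached patch sets. The VER_* constants carry the TLS wire values, which are also the values of OpenSSL's SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION and TLS1_2_VERSION macros; the function names and the result enum are this example's own.

```c
/*
 * Added example, not code from sylpheed, libsylph or OpenSSL: a minimal
 * ServerHello parser that applies the minimum-version bound behind
 * OpenSSL's "tls_process_server_hello:version too low" error.
 * Only the lower bound is modelled; OpenSSL additionally checks the
 * upper bound and whether the version is compiled in at all.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS wire values; identical to OpenSSL's SSL3_VERSION .. TLS1_2_VERSION. */
#define VER_SSL3   0x0300
#define VER_TLS1   0x0301
#define VER_TLS1_1 0x0302
#define VER_TLS1_2 0x0303

enum hello_result {
    HELLO_OK = 0,
    HELLO_MALFORMED,         /* record or handshake header does not parse */
    HELLO_NOT_SERVER_HELLO,  /* handshake message is not a ServerHello */
    HELLO_VERSION_TOO_LOW    /* server_version is below the client's floor */
};

/*
 * Parse the 5-byte record header, the 4-byte handshake header and the
 * 2-byte server_version from buf, then compare server_version with
 * min_version, the client's floor (what SSL_CTX_set_min_proto_version()
 * configures).  The version read is stored in *out_version when present.
 */
enum hello_result check_server_hello(const uint8_t *buf, size_t len,
                                     uint16_t min_version,
                                     uint16_t *out_version)
{
    if (len < 5 + 4 + 2)
        return HELLO_MALFORMED;
    if (buf[0] != 0x16)                          /* ContentType: handshake */
        return HELLO_MALFORMED;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 + 2 || rec_len + 5 > len)
        return HELLO_MALFORMED;

    const uint8_t *hs = buf + 5;
    if (hs[0] != 0x02)                           /* HandshakeType: server_hello */
        return HELLO_NOT_SERVER_HELLO;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len < 2 || hs_len + 4 > rec_len)
        return HELLO_MALFORMED;

    uint16_t version = (uint16_t)(((unsigned)hs[4] << 8) | hs[5]);
    if (out_version)
        *out_version = version;
    return version < min_version ? HELLO_VERSION_TOO_LOW : HELLO_OK;
}

/*
 * Build a constructed (not captured) minimal ServerHello advertising
 * `version`: record header, handshake header, server_version, an all-zero
 * 32-byte random, empty session id, one cipher suite, null compression.
 * Returns the number of bytes written, 0 if cap is too small.
 */
size_t build_server_hello(uint8_t *out, size_t cap, uint16_t version)
{
    const size_t body = 2 + 32 + 1 + 2 + 1;  /* ServerHello body: 38 bytes */
    const size_t total = 5 + 4 + body;        /* 47 bytes on the wire */
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 0x16;                            /* handshake record */
    out[1] = 0x03; out[2] = 0x01;             /* record-layer legacy version */
    out[3] = (uint8_t)((4 + body) >> 8);
    out[4] = (uint8_t)(4 + body);
    out[5] = 0x02;                            /* server_hello */
    out[6] = 0; out[7] = 0; out[8] = (uint8_t)body;
    out[9] = (uint8_t)(version >> 8);         /* server_version, the field checked */
    out[10] = (uint8_t)version;
    /* out[11..42]: random (zeros here), out[43]: session_id length 0 */
    out[44] = 0xC0; out[45] = 0x2F;           /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    out[46] = 0x00;                           /* compression: null */
    return total;
}

/* One client/server pairing: the server offers server_version, the client
 * was configured with client_min as its minimum protocol version. */
enum hello_result negotiate(uint16_t server_version, uint16_t client_min)
{
    uint8_t rec[64];
    size_t n = build_server_hello(rec, sizeof rec, server_version);
    uint16_t got = 0;
    return check_server_hello(rec, n, client_min, &got);
}

int main(void)
{
    const uint16_t floors[] = { VER_TLS1_2, VER_TLS1, VER_SSL3 };
    const char *names[]     = { "TLS1_2 (Debian default)", "TLS1 (patch, TLSv1 ctx)",
                                "SSL3 (patch, SSLv23 ctx)" };
    const uint16_t offers[] = { VER_SSL3, VER_TLS1, VER_TLS1_1, VER_TLS1_2 };
    for (size_t i = 0; i < 3; i++) {
        for (size_t j = 0; j < 4; j++) {
            enum hello_result r = negotiate(offers[j], floors[i]);
            printf("client min %-26s server 0x%04x -> %s\n", names[i], offers[j],
                   r == HELLO_OK ? "ok" : "version too low");
        }
    }
    return 0;
}
```

The table shows why the report's TLSv1 server fails only against the raised Debian floor, and also why the SSLv3 floor in the patch's SSLv23 context accepts more than the TLSv1 floor does: with SSL3_VERSION as the minimum, a ServerHello advertising 0x0300 passes this check.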
>From 97235129beab0b3a23ec95db3e922321cdf43cf3 Mon Sep 17 00:00:00 2001 From: Antonio Ospite <a...@ao2.it> Date: Thu, 2 Nov 2017 13:37:53 +0100 Subject: [PATCH] libsylph/ssl.c: explicitly enable the supported protocol versions X-Face: z*RaLf`X<@C75u6Ig9}{oW$H;1_\2t5)({*|jhM<pyWR#k60!#=#>/Vb;]yA5<GWI5`6u&+ ;6b'@y|8w"wB;4/e!7wYYrcqdJFY,~%Gk_4]cq$Ei/7<j&N3ah(m`ku?pX.&+~:_/wC~dwn^)MizBG !pE^+iDQQ1yC6^,)YDKkxDd!T>\I~93>J<_`<4)A{':UrE The Debian openssl package deprecated TLSv1 and TLSv1.1 in August 2017, see: https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/1.1.0/debian/patches/tls1_2_default.patch?revision=912&view=markup https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875423 It's not clear if this decision is final and will affect the next Debian stable release, however in the meantime, sylpheed in Debian unstable cannot connect to servers using older TLS protocol versions. Work around that by explicitly setting the minimum protocol versions. --- libsylph/ssl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libsylph/ssl.c b/libsylph/ssl.c index 84139250..61e770f8 100644 --- a/libsylph/ssl.c +++ b/libsylph/ssl.c @@ -132,6 +132,8 @@ void ssl_init(void) debug_print(_("SSLv23 not available\n")); } else { debug_print(_("SSLv23 available\n")); + /* XXX workaround for Debian systems, see Debian bug #875423 */ + SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, SSL3_VERSION); if ((certs_file || certs_dir) && !SSL_CTX_load_verify_locations(ssl_ctx_SSLv23, certs_file, certs_dir)) @@ -144,6 +146,8 @@ void ssl_init(void) debug_print(_("TLSv1 not available\n")); } else { debug_print(_("TLSv1 available\n")); + /* XXX workaround for Debian systems, see Debian bug #875423 */ + SSL_CTX_set_min_proto_version(ssl_ctx_TLSv1, TLS1_VERSION); /* disable SSLv2/SSLv3 */ SSL_CTX_set_options(ssl_ctx_TLSv1, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); -- 2.15.0
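Review bot: in the first hunk (ssl_ctx_SSLv23), SSL3_VERSION as the floor re-enables SSLv3, which is broken (POODLE) and lower than the TLSv1/TLSv1.1 the commit message says it wants to restore; nothing in this hunk disables SSLv3 on that context the way the TLSv1 context does with SSL_OP_NO_SSLv3 a few lines later. Suggest `SSL_CTX_set_min_proto_version(ssl_ctx_SSLv23, TLS1_VERSION);`. SSL_CTX_set_min_proto_version() also only exists from OpenSSL 1.1.0 and returns 0 on failure, so wrap the call in an `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard to keep the file building against older OpenSSL, and check the return value instead of discarding it.

Review bot: in the second hunk (ssl_ctx_TLSv1), the "XXX workaround for Debian systems" comment undersells the change: the call unconditionally lowers the floor on every build against OpenSSL 1.1.0+, not only on Debian, and overrides a minimum the distribution raised on purpose. Suggest saying that in the comment and making the minimum a user preference rather than hard-coding TLS1_VERSION, so users who only talk to TLSv1.2 servers keep the stricter default; the same OPENSSL_VERSION_NUMBER guard as in the first hunk applies here.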