Control: unblock 907015 by -1

On Sat, Sep 29, 2018 at 06:53:27PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-08-29 11:38:54 [-0600], dann frazier wrote:
> > > > error:141a318a:ssl routines:tls_process_ske_dhe:dh key too small
> > > > 
> > > > I found that backporting bip 0.9.0~rc3-1 to jessie worked. I further found
> > > > that just cherry-picking the following commit back to bip 0.8.9 seems to be
> > > > sufficient:
> > > > 
> > > >   39414f8 Handle OpenSSL version 1.1
> > > 
> > > I just tried backporting commit 39414f8 to the bip version in stretch,
> > > and it doesn't really fix the issue. There is probably some other commit
> > > that is needed.
> > 
> > I literally poked that patch into debian/patches{/series}, quilt
> > applied it and rebuilt, and it started working for me. Maybe there's
> > something different about our configs?

I'm not sure. I just tried it again with the same results. My config
file is attached, with just the sensitive parts obscured. It doesn't
seem to have anything related to this.

In the end, I solved my personal problem by building a backport of the
version in testing, and that just works.

> May I ask what the problem here is? It looks like the DH key is less than
> 1024 bits in size. This is not per se an openssl problem but "policy"
> (which could be changed, but I suggest updating the key instead).

The problem is between clients with libssl 1.1.1 and bip from stable.
bip uses keys that are too small, which are rejected by default by those
clients due to the new default policy.

> If there is anything that needs to be fixed in bip in order to work
> (like missing SNI) then I would add a versioned BREAK to #907015 (after
> an upload so please let me know).

Since this is a problem between openssl on the client and bip on the
server, adding a Breaks: does not really help with anything.

> Otherwise I would unbreak this bug with #907015.

Yes, I don't think it makes sense to block openssl on this; the version
of bip in testing/unstable is OK.

ip = "0.0.0.0";
port = 19999;

client_side_ssl = true;
client_side_ssl_pem = "/var/lib/bip/bip.pem";

log_level = 3;

pid_file="/var/run/bip/bip.pid";
log_root = "/var/log/bip/";

backlog_lines = 0;        # number of lines in backlog, 0 means no limit
backlog_msg_only = true;  # only include useful content in backlog

network {
    name = "oftc";
    ssl = true;
    server { host = "irc.oftc.net"; port = 6697; };
};

network {
    name = "freenode";
    ssl = true;
    server { host = "irc.freenode.net"; port = 6697; };
};

network {
    name = "gimpnet";
    ssl = true;
    server { host = "irc.gimp.org"; port = 6697; };
};

user {
    name = "terceiro";
    password = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

    ssl_check_mode = "ca";
    ssl_check_store = "/etc/ssl/certs";

    default_nick = "terceiro";
    default_user = "terceiro";
    default_realname = "Antonio Terceiro";
    connection {
        name = "oftc";        # used by bip only
        network = "oftc";     # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY xxxxxxxxxxxxxxxxxxxx";
    };
    connection {
        name = "freenode";    # used by bip only
        network = "freenode"; # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY xxxxxxxxxxxxxxxxxxxx";
    };
    connection {
        name = "gimpnet";     # used by bip only
        network = "gimpnet";  # which ircnet to connect to

        follow_nick = true;
        ignore_first_nick = true;
        no_client_away_msg = "currently disconnected";
        on_connect_send = "PRIVMSG NickServ :IDENTIFY xxxxxxxxxxxxxxxxxxxx";
    };
};

# vim: ft=conf
