Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

dma currently uses the TLSv1_client_method() function, meaning that it only supports TLS 1.0, which is considered deprecated (and forbidden by PCI certification). From what I can read, major providers are planning to remove support for TLS 1.0 and TLS 1.1 during 2020.

The attached patches (cherry-picked from upstream) switch to the "version-flexible" function (TLS_client_method()).

Could this be included in buster?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
diff -Nru dma-0.11/debian/changelog dma-0.11/debian/changelog --- dma-0.11/debian/changelog 2016-05-29 12:29:47.000000000 +0200 +++ dma-0.11/debian/changelog 2019-07-29 20:56:49.000000000 +0200 @@ -1,3 +1,12 @@ +dma (0.11-1+deb10u1) buster; urgency=medium + + * d/p/0002-crypto-Don-t-limit-to-TLSv1-only.patch: Do not limit SSL + connection to TLSv1 (Closes: #871429) + * d/p/0003-properly-deal-with-SSL_connect-return-value.patch: Properly check + the return code of SSL_connect() + + -- Laurent Bigonville <bi...@debian.org> Mon, 29 Jul 2019 20:56:49 +0200 + dma (0.11-1) unstable; urgency=medium [ Arno Töll ] diff -Nru dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch --- dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 1970-01-01 01:00:00.000000000 +0100 +++ dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 2019-07-29 20:56:49.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Michael Tremer <michael.tre...@ipfire.org> +Date: Sun, 11 Feb 2018 11:05:43 +0000 +Subject: crypto: Don't limit to TLSv1 only + +Signed-off-by: Michael Tremer <michael.tre...@ipfire.org> +--- + crypto.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto.c b/crypto.c +index 897b55b..440c882 100644 +--- a/crypto.c ++++ b/crypto.c +@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature) + SSL_library_init(); + SSL_load_error_strings(); + +- meth = TLSv1_client_method(); ++ // Allow any possible version ++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) ++ meth = TLS_client_method(); ++#else ++ meth = SSLv23_client_method(); ++#endif + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) { diff -Nru dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch --- dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch 1970-01-01 01:00:00.000000000 +0100 +++ dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch 2019-07-29 20:56:49.000000000 +0200 @@ -0,0 +1,22 @@ +From: Simon Schubert <2...@0x2c.org> +Date: Thu, 13 Sep 2018 16:44:50 +0200 +Subject: properly deal with SSL_connect() return value + +Submitted-by: lc3412 +--- + crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto.c b/crypto.c +index 440c882..ef08144 100644 +--- a/crypto.c ++++ b/crypto.c +@@ -160,7 +160,7 @@ smtp_init_crypto(int fd, int feature) + + /* Open SSL connection */ + error = SSL_connect(config.ssl); +- if (error < 0) { ++ if (error != 1) { + syslog(LOG_ERR, "remote delivery deferred: SSL handshake failed fatally: %s", + ssl_errstr()); + return (1); diff -Nru dma-0.11/debian/patches/series dma-0.11/debian/patches/series --- dma-0.11/debian/patches/series 2016-05-29 12:29:47.000000000 +0200 +++ dma-0.11/debian/patches/series 2019-07-29 20:56:49.000000000 +0200 
@@ -1,2 +1,3 @@ 03-debian-locations.patch -#10-liblockfile.patch +0002-crypto-Don-t-limit-to-TLSv1-only.patch +0003-properly-deal-with-SSL_connect-return-value.patch
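Review bot: in the 0002-crypto-Don-t-limit-to-TLSv1-only.patch hunk, the `#else` branch `meth = SSLv23_client_method();` negotiates downwards to SSLv3 (and SSLv2 where the library still provides it) unless the context is restricted, and the hunk adds no such restriction, so on pre-1.1.0 OpenSSL the client could end up below the TLS 1.0 floor that the old TLSv1_client_method() guaranteed. Suggest adding `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the `ctx = SSL_CTX_new(meth);` NULL check. On the `OPENSSL_VERSION_NUMBER >= 0x10100000L` branch TLS_client_method() is the right replacement; if the report's goal of moving off TLS 1.0/1.1 is also wanted as a minimum, SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) does that, but it is a behaviour change that should then be mentioned in the changelog entry. Style point: the added `// Allow any possible version` comment is C++ style while the file otherwise uses `/* ... */` comments (see `/* Open SSL connection */` in the next patch).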
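Review bot: the `error != 1` condition in the 0003-properly-deal-with-SSL_connect-return-value.patch hunk is the correct one: SSL_connect() returns 1 only when the handshake completed, 0 when it was shut down cleanly by the peer before completing, and a negative value on a fatal error, so the previous `error < 0` let a 0 return fall through and the code continued as if a TLS session had been established. With the new condition the log text "SSL handshake failed fatally" is no longer exact for the 0 case; suggest including the value of SSL_get_error(config.ssl, error) in the syslog message next to ssl_errstr() so the two failure modes can be told apart when debugging a deferred delivery.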
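Review bot: the debian/patches/series hunk also drops the commented-out `-#10-liblockfile.patch` line, which is unrelated to the TLS change described in the changelog entry; for a stable update keep the debdiff limited to the requested fix, or at least mention the series cleanup in the changelog so the reviewer does not have to wonder whether a patch was dropped by mistake.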