Package: release.debian.org
User: [email protected]
UserTags: unblock


This is a proposed upload to testing-proposed-updates

It is a far more concise and targeted fix than the upstream 1.9.8
release discussed previously.

The main reason for this unblock request:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772632

based on the outcome of discussion on the debian-security list:

  https://lists.debian.org/debian-security/2014/12/msg00032.html

This update enables TLS v1.1 and v1.2 when acting as a server and
enables v1.1 when acting as a client.

This is achieved by using the generic SSLv23_method instead of the
discouraged TLSv1_method.  This approach ensures that if the OpenSSL
maintainers add or remove protocol versions because of future
vulnerabilities, this package will benefit from those changes without
needing to be patched further or recompiled.

The (much smaller) debdiff is attached; it was generated with filterdiff
to remove the autotools files:


debdiff resiprocate_1.9.7-1.dsc resiprocate_1.9.7-2.dsc | filterdiff -x
'*/aclocal.m4' -x '*/config.*' -x '*/configure' -x '*/depcomp' -x
'*/*.in' -x '*/install-sh' -x '*/ltmain.sh' -x '*/m4/*' -x '*/missing'
 -x '*/resiprocate.spec'  > /tmp/resiprocate-1.9.7-2.debdiff


diff -Nru resiprocate-1.9.7/debian/changelog resiprocate-1.9.7/debian/changelog
--- resiprocate-1.9.7/debian/changelog  2014-05-31 12:51:11.000000000 +0200
+++ resiprocate-1.9.7/debian/changelog  2014-12-09 11:56:59.000000000 +0100
@@ -1,3 +1,10 @@
+resiprocate (1.9.7-2) testing-proposed-updates; urgency=medium
+
+  * Use SSLv23_method instead of TLSv1_method and
+    avoid TLS 1.2 when acting as client. (Closes: #772632)
+
+ -- Daniel Pocock <[email protected]>  Tue, 09 Dec 2014 11:34:48 +0100
+
 resiprocate (1.9.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch 
resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch
--- resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch       
1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch       
2014-12-09 11:30:51.000000000 +0100
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+       wsCookieContextFactory.reset(new 
BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+    }
+ 
++   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+    try
+    {
+       // Check if advanced transport settings are provided
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+                                  ipAddr,       // interface to bind to
+                                  tlsDomain,
+                                  Data::Empty,  // private key passphrase - 
not currently used
+-                                 SecurityTypes::TLSv1, // sslType
++                                 defaultSSLType, // sslType
+                                  0,            // transport flags
+                                  tlsCertificate, tlsPrivateKey,
+                                  cvm,          // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+          }
+          if (tlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+-            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+          }
+          if (wsPort)
+          {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& 
allTransportsSpecifyRecordRoute)
+          }
+          if (wssPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
+-            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
++            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
++            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, 
wsCookieContextFactory);
+          }
+          if (dtlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey);
+-            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, 
tlsCertificate, tlsPrivateKey);
++            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey);
++            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, 
StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, 
tlsCertificate, tlsPrivateKey);
+          }
+       }
+    }
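Review bot: Selecting SecurityTypes::SSLv23 through the new `defaultSSLType` local makes the negotiable protocol range depend on the options applied where the SSL_CTX is built, and that code is not part of this hunk, so the exclusion of SSLv2/SSLv3 (SSL_CTX_set_options with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) cannot be confirmed from the patch alone and should be checked in the Security layer before relying on the "benefits from future OpenSSL changes" argument. The local is never reassigned, so `const SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23; // version-flexible method: the real floor is set by SSL_OP_NO_* options on the context` would document the intent at the declaration. The same substitution is repeated for the TLS, WSS and DTLS transports in the later sub-hunks, so one comment at the declaration covers them. The enclosing addTransports() begins and ends outside the hunk.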
diff -Nru resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch 
resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch
--- resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch    
1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch    
2014-12-09 11:33:41.000000000 +0100
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx 
b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const 
Tuple& tuple,
+       }
+       SSL_set_verify(mSsl, verify_mode, 0);
+    }
++   else
++   {
++      // some TLS v1.2 servers have been troublesome
++      SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++   }
+ 
+    mBio = BIO_new_socket((int)fd,0/*close flag*/);
+    assert( mBio );
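Review bot: The new else branch disables TLS 1.2 for every connection taking that path with only `// some TLS v1.2 servers have been troublesome` as justification; the trade-off (capping these connections at TLS 1.1 and forgoing TLS 1.2-only cipher suites) and the tracking reference belong in the comment so the workaround can be found and removed later, e.g. `// Client side: disable TLS 1.2 to work around interop failures with some servers (Debian #772632); caps outgoing connections at TLS 1.1 - revisit once the peers are fixed`. The condition of the if this else belongs to is outside the hunk, so that the branch is exactly the client case is inferred from the changelog rather than visible here. If the transport flags argument seen in the other patch can carry it, making this opt-in would confine the downgrade to deployments that need it. The TlsConnection constructor continues outside the hunk.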
diff -Nru resiprocate-1.9.7/debian/patches/series 
resiprocate-1.9.7/debian/patches/series
--- resiprocate-1.9.7/debian/patches/series     1970-01-01 01:00:00.000000000 
+0100
+++ resiprocate-1.9.7/debian/patches/series     2014-12-09 11:33:48.000000000 
+0100
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch
