Your message dated Sat, 12 Aug 2017 09:19:11 +0000 with message-id <e1dgszb-000hrc...@fasolo.debian.org> and subject line Bug#871428: fixed in dcap 2.47.10-4 has caused the Debian Bug report #871428, regarding dcap: please switch to SSLv23_… or TLS_…_method to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 871428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871428 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: dcap Version: 2.47.10-3 Severity: important User: pkg-openssl-de...@lists.alioth.debian.org Usertags: TLS1.0_1.1_removal Your packages uses a function which requests a TLS1.0 and/or TLS1.1 only connection. Since openssl 1.1.0f-4 (currently in unstable) this means won't work because it provides TLS1.2. See also [0]. Please switch to SSLv23_method() | SSLv23_server_method() | SSLv23_client_method() or the recommended openssl 1.1+ functions: TLS_method() | TLS_server_method() | TLS_client_method() as per man-page [1]. The code I identified and probably needs to be replaced: dcap-2.47.10/plugins/ssl/sslTunnel.c: | int eInit(int fd) | { |… | ssl_ctx = SSL_CTX_new(TLSv1_client_method()); | ssl_con = (SSL *) SSL_new(ssl_ctx); | An example for replacing a TLSv1 only connection with any possible version would look like this: - ctx = SSL_CTX_new(TLSv1_client_method()); + ctx = SSL_CTX_new(SSLv23_client_method()); If you want to use the openssl 1.1 function you need extra version checks: - ctx = SSL_CTX_new(TLSv1_client_method()); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ + !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) + ctx = SSL_CTX_new (TLS_client_method ()); +#else + ctx = SSL_CTX_new (SSLv23_client_method ()); +#endif Note that that openssl is usually configured (at build time) to not allow SSLv2 and SSLv3 connections. However if upstream wants to be sure to have it disable you can add this: +#ifdef OPENSSL_NO_SSL3 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#endif + +#ifdef OPENSSL_NO_SSL2 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); +#endif to make sure it is not used for a connection even if the currently install libssl library is supporting it. [0] https://lists.debian.org/msgid-search/20170807014238.mf64rdvgpdkpa...@roeckx.be [1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html Sebastian
--- End Message ---
--- Begin Message ---Source: dcap Source-Version: 2.47.10-4 We believe that the bug you reported is fixed in the latest version of dcap, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 871...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mattias Ellert <mattias.ell...@physics.uu.se> (supplier of updated dcap package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 12 Aug 2017 10:10:20 +0200 Source: dcap Binary: dcap libdcap1 dcap-dev dcap-tunnel-gsi dcap-tunnel-krb dcap-tunnel-ssl dcap-tunnel-telnet Architecture: source amd64 Version: 2.47.10-4 Distribution: unstable Urgency: medium Maintainer: Mattias Ellert <mattias.ell...@physics.uu.se> Changed-By: Mattias Ellert <mattias.ell...@physics.uu.se> Description: dcap - Client Tools for dCache dcap-dev - Client Development Files for dCache dcap-tunnel-gsi - GSI tunnel for dCache dcap-tunnel-krb - Kerberos tunnel for dCache dcap-tunnel-ssl - SSL tunnel for dCache dcap-tunnel-telnet - Telnet tunnel for dCache libdcap1 - Client Libraries for dCache Closes: 871428 Changes: dcap (2.47.10-4) unstable; urgency=medium . * Don't use deprecated TLSv1_client_method (Closes: #871428) * Migrate to dbgsym packages * Support DEB_BUILD_OPTIONS=nocheck Checksums-Sha1: c4370848e0a017a90c79ec6fb49ff187f092a583 2280 dcap_2.47.10-4.dsc d5b56bcd38dfd4363419e2edc0cd17733025a026 8524 dcap_2.47.10-4.debian.tar.xz 906fcfd8fdbc67246110d71e4c597f2e7e24076d 19354 dcap-dbgsym_2.47.10-4_amd64.deb 279299d9ec30b5ddcfc45990aa2e4b87095cd03c 105388 dcap-dev_2.47.10-4_amd64.deb fab2b4200e7640f4ff37aac9d6e8bdecb26d2101 27238 dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb 84cf96df2b03e39b62b8f1cba23a7fbb2c438285 55176 dcap-tunnel-gsi_2.47.10-4_amd64.deb f3470d9d9b41d8b4cb1237676404fc49347c0b7b 23150 dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb 87a34c2d7f772c4323ea3d56304b5b7432427f8b 55242 dcap-tunnel-krb_2.47.10-4_amd64.deb c2bd657eb6230715924c6bd928f9c84e620ca732 9760 dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb 392c28a8cd0031596f15d9af16efc1cb7ac447ba 50288 dcap-tunnel-ssl_2.47.10-4_amd64.deb e53cc02040f5cc8611e8313306e11426a988d5d9 11070 dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb 2548399264b3353eb70a1099a9129e06103aa3bd 50762 dcap-tunnel-telnet_2.47.10-4_amd64.deb 30a810dea045ebb1b5eb1557b6f81358863c2508 9931 dcap_2.47.10-4_amd64.buildinfo 0e93341436ec38200082edb0be84b7531ad943ec 55910 dcap_2.47.10-4_amd64.deb e3614901f21d1759583175ce8a6087fbfe2c1ce7 289164 libdcap1-dbgsym_2.47.10-4_amd64.deb e50e352bc2c6d0cd0e8b19024a88fd0f41ceda58 110288 libdcap1_2.47.10-4_amd64.deb Checksums-Sha256: 0b59a6e143b818e574367af2222b5d3abfc8016efedbb4f784e959c76103b8bc 2280 dcap_2.47.10-4.dsc 9e41d47ee3ae8048e11cfb2df73af4189fef4b76ab7177b26acb19cf75b021f0 8524 dcap_2.47.10-4.debian.tar.xz 0f5b0f00b7b43600462d0d73f5e0f13b927a2d1ad158fa0b595191f1c24b273d 19354 dcap-dbgsym_2.47.10-4_amd64.deb b511203d557c12e36075403715b88e0c0272694e11cc5c0c828156837be77fb7 105388 dcap-dev_2.47.10-4_amd64.deb c8ea95d14b8a1704cdc15eb5c5e81a9ce24c8e3455fd6f5aef8c7d743ec969b9 27238 dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb 87ea75a6356c28e3b339773b4378e77487ddbd4d6117ee82599b2766123ddbb7 55176 dcap-tunnel-gsi_2.47.10-4_amd64.deb d61f80b50e2bed98c7c7b368514c3f30875ac5215ff3784f696d6e4188cdb5fe 23150 dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb de73bb1ea1908d07b10456aa480447a70e90a63d0fd8870a3ae7d79c853d9989 55242 dcap-tunnel-krb_2.47.10-4_amd64.deb 1f94b34dbcf4a0983f4974504a42d280665b83404654fb4add16f9dca23f4926 9760 dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb c8c695b1cd87ccfad72694a86cb26138dd0140a57bde247fa67f4d8dd9d9720d 50288 dcap-tunnel-ssl_2.47.10-4_amd64.deb c61f161d534fa0308ff75f6d11c071fb7f3737e110c2755d8f1acd406164242f 11070 dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb f6f4d9fa940044c4bfe6b0202efff2695a34639ce54f68b20488320d855826a8 50762 dcap-tunnel-telnet_2.47.10-4_amd64.deb f613e3c9aeb8d45fa72bd99444e80f73ac66b744ab8501f4428fac01c744c113 9931 dcap_2.47.10-4_amd64.buildinfo 3d538159e981a1cba066fb4e08f033fc71b6ef7ddbf7a8909c9f4fa2d8276af9 55910 dcap_2.47.10-4_amd64.deb e60d3ce34cffba66f2624507b90d0893bc266b872f2fc4515f245be84d2616b1 289164 libdcap1-dbgsym_2.47.10-4_amd64.deb 7221176142e951244f22c82652f030193bd9ddf69ac7a5231165dd0654e0ba7a 110288 libdcap1_2.47.10-4_amd64.deb Files: fe185da6c2a7cbbd32032cbe8b36bd87 2280 libs optional dcap_2.47.10-4.dsc 81b30ca740ce16c772fcef99d1011336 8524 libs optional dcap_2.47.10-4.debian.tar.xz b14e38a2904b74e632068b541a2eca5a 19354 debug extra dcap-dbgsym_2.47.10-4_amd64.deb ff7bfba2ea716090469e8038b730d1a0 105388 libdevel optional dcap-dev_2.47.10-4_amd64.deb beb55fd83a98ed5f26a6a9ca9100e14a 27238 debug extra dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb 26c986d7a2f80e5ca6831a39e928ca56 55176 libs optional dcap-tunnel-gsi_2.47.10-4_amd64.deb 08cd8f0062c77804194dcc0a2fd330a1 23150 debug extra dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb 9b151d65e2ca0c3daa9d25acd34fdfc2 55242 libs optional dcap-tunnel-krb_2.47.10-4_amd64.deb 07e74c3d2f46744202bbfa57db13af64 9760 debug extra dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb d15241cbfea41b33678d4acf88890b7a 50288 libs optional dcap-tunnel-ssl_2.47.10-4_amd64.deb 0c0346480ccc720d5fdfac351c8d9b6b 11070 debug extra dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb 2a01b92debee8d1d65388f1634d2a624 50762 libs optional dcap-tunnel-telnet_2.47.10-4_amd64.deb f5746c4f871eeabb6e1825cc9720f44e 9931 libs optional dcap_2.47.10-4_amd64.buildinfo 600c4a114d998130079800d11b69a3ba 55910 net optional dcap_2.47.10-4_amd64.deb 859c44555c419b6a63d8dec4ed7886e4 289164 debug extra libdcap1-dbgsym_2.47.10-4_amd64.deb 68deac2d3dcf321a7942252248d08fb0 110288 libs optional libdcap1_2.47.10-4_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE6hgwr99NQxrZ4RRS6K7C/zvhqUsFAlmOwgUACgkQ6K7C/zvh qUux3xAAihDHt4hXAxgJ5C/lVSGbXHLhLmtSMpyFN80Iz9+VxnbF0FryoLyX4UlR XFMjzO7TmqKf+pO/OlY/nTTopaa9rDidwydHCH5nQgNuX+E74zZ1Z5d7rCkfREso WGdtdXSqJzD549i7QmusS+qrbG9E1v3KsGuAZiGL8bKAC5LAIq10QNNNCGyysoN2 eLr+WVFhZD+FBFnQ0kZ7fZBZwh1xAa7X/+d64FErDbCxXQ86DCADsov9MkQb42oh NWb2NpqKCxA8uGj72gDQ8T8rumnDEKAD/yO2nFWMFZjvcEugbNfjEgWRtKmWBRX3 mz/200ce14A3bGxK04f865u8jQpUUd54dtWVwepDYDhfol8+dyIr/v0O2xlVTbv0 6UCzFM0HM7QBbKJ4V2EGfwBPzepdJpIsdjnxF3ZF7cdLh5FGYdp0GDv4PFCPTfdu myL+Pv6+MXsoEDdDhAt7cJh9KzvObsmDzBe8tzxgiZpOsBclhOjDeSlvAhPNKtM+ D1nhgYbdQxVbnmAcD22xSXuwd9DTCN41zi/El7M1vetgCkGwBoJLP+fAi4Ofc4JS /Ms8QRQl9gyBrdFceJhQftaldB4GQGn/Ar7soxa+dI74LrSHMdYYPzOIt97I0j8P nXT0/I5zCO9Ky0DCl9eMc3OK8ImGT7amd8QW1++paZDqWr825xI= =lnGM -----END PGP SIGNATURE-----
--- End Message ---
