Your message dated Sat, 12 Aug 2017 09:19:11 +0000
with message-id <e1dgszb-000hrc...@fasolo.debian.org>
and subject line Bug#871428: fixed in dcap 2.47.10-4
has caused the Debian Bug report #871428,
regarding dcap: please switch to SSLv23_… or TLS_…_method
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
871428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dcap
Version: 2.47.10-3
Severity: important
User: pkg-openssl-de...@lists.alioth.debian.org
Usertags: TLS1.0_1.1_removal
Your packages uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means
won't work because it provides TLS1.2. See also [0].
Please switch to
SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()
or the recommended openssl 1.1+ functions:
TLS_method() | TLS_server_method() | TLS_client_method()
as per man-page [1].
The code I identified and probably needs to be replaced:
dcap-2.47.10/plugins/ssl/sslTunnel.c:
| int eInit(int fd)
| {
|…
| ssl_ctx = SSL_CTX_new(TLSv1_client_method());
| ssl_con = (SSL *) SSL_new(ssl_ctx);
|
An example for replacing a TLSv1 only connection with any possible
version would look like this:
- ctx = SSL_CTX_new(TLSv1_client_method());
+ ctx = SSL_CTX_new(SSLv23_client_method());
If you want to use the openssl 1.1 function you need extra version
checks:
- ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ ctx = SSL_CTX_new (TLS_client_method ());
+#else
+ ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
Note that that openssl is usually configured (at build time) to not
allow SSLv2 and SSLv3 connections. However if upstream wants to be sure
to have it disable you can add this:
+#ifdef OPENSSL_NO_SSL3
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
to make sure it is not used for a connection even if the currently
install libssl library is supporting it.
[0]
https://lists.debian.org/msgid-search/20170807014238.mf64rdvgpdkpa...@roeckx.be
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html
Sebastian
--- End Message ---
--- Begin Message ---
Source: dcap
Source-Version: 2.47.10-4
We believe that the bug you reported is fixed in the latest version of
dcap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattias Ellert <mattias.ell...@physics.uu.se> (supplier of updated dcap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 12 Aug 2017 10:10:20 +0200
Source: dcap
Binary: dcap libdcap1 dcap-dev dcap-tunnel-gsi dcap-tunnel-krb dcap-tunnel-ssl
dcap-tunnel-telnet
Architecture: source amd64
Version: 2.47.10-4
Distribution: unstable
Urgency: medium
Maintainer: Mattias Ellert <mattias.ell...@physics.uu.se>
Changed-By: Mattias Ellert <mattias.ell...@physics.uu.se>
Description:
dcap - Client Tools for dCache
dcap-dev - Client Development Files for dCache
dcap-tunnel-gsi - GSI tunnel for dCache
dcap-tunnel-krb - Kerberos tunnel for dCache
dcap-tunnel-ssl - SSL tunnel for dCache
dcap-tunnel-telnet - Telnet tunnel for dCache
libdcap1 - Client Libraries for dCache
Closes: 871428
Changes:
dcap (2.47.10-4) unstable; urgency=medium
.
* Don't use deprecated TLSv1_client_method (Closes: #871428)
* Migrate to dbgsym packages
* Support DEB_BUILD_OPTIONS=nocheck
Checksums-Sha1:
c4370848e0a017a90c79ec6fb49ff187f092a583 2280 dcap_2.47.10-4.dsc
d5b56bcd38dfd4363419e2edc0cd17733025a026 8524 dcap_2.47.10-4.debian.tar.xz
906fcfd8fdbc67246110d71e4c597f2e7e24076d 19354 dcap-dbgsym_2.47.10-4_amd64.deb
279299d9ec30b5ddcfc45990aa2e4b87095cd03c 105388 dcap-dev_2.47.10-4_amd64.deb
fab2b4200e7640f4ff37aac9d6e8bdecb26d2101 27238
dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb
84cf96df2b03e39b62b8f1cba23a7fbb2c438285 55176
dcap-tunnel-gsi_2.47.10-4_amd64.deb
f3470d9d9b41d8b4cb1237676404fc49347c0b7b 23150
dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb
87a34c2d7f772c4323ea3d56304b5b7432427f8b 55242
dcap-tunnel-krb_2.47.10-4_amd64.deb
c2bd657eb6230715924c6bd928f9c84e620ca732 9760
dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb
392c28a8cd0031596f15d9af16efc1cb7ac447ba 50288
dcap-tunnel-ssl_2.47.10-4_amd64.deb
e53cc02040f5cc8611e8313306e11426a988d5d9 11070
dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb
2548399264b3353eb70a1099a9129e06103aa3bd 50762
dcap-tunnel-telnet_2.47.10-4_amd64.deb
30a810dea045ebb1b5eb1557b6f81358863c2508 9931 dcap_2.47.10-4_amd64.buildinfo
0e93341436ec38200082edb0be84b7531ad943ec 55910 dcap_2.47.10-4_amd64.deb
e3614901f21d1759583175ce8a6087fbfe2c1ce7 289164
libdcap1-dbgsym_2.47.10-4_amd64.deb
e50e352bc2c6d0cd0e8b19024a88fd0f41ceda58 110288 libdcap1_2.47.10-4_amd64.deb
Checksums-Sha256:
0b59a6e143b818e574367af2222b5d3abfc8016efedbb4f784e959c76103b8bc 2280
dcap_2.47.10-4.dsc
9e41d47ee3ae8048e11cfb2df73af4189fef4b76ab7177b26acb19cf75b021f0 8524
dcap_2.47.10-4.debian.tar.xz
0f5b0f00b7b43600462d0d73f5e0f13b927a2d1ad158fa0b595191f1c24b273d 19354
dcap-dbgsym_2.47.10-4_amd64.deb
b511203d557c12e36075403715b88e0c0272694e11cc5c0c828156837be77fb7 105388
dcap-dev_2.47.10-4_amd64.deb
c8ea95d14b8a1704cdc15eb5c5e81a9ce24c8e3455fd6f5aef8c7d743ec969b9 27238
dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb
87ea75a6356c28e3b339773b4378e77487ddbd4d6117ee82599b2766123ddbb7 55176
dcap-tunnel-gsi_2.47.10-4_amd64.deb
d61f80b50e2bed98c7c7b368514c3f30875ac5215ff3784f696d6e4188cdb5fe 23150
dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb
de73bb1ea1908d07b10456aa480447a70e90a63d0fd8870a3ae7d79c853d9989 55242
dcap-tunnel-krb_2.47.10-4_amd64.deb
1f94b34dbcf4a0983f4974504a42d280665b83404654fb4add16f9dca23f4926 9760
dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb
c8c695b1cd87ccfad72694a86cb26138dd0140a57bde247fa67f4d8dd9d9720d 50288
dcap-tunnel-ssl_2.47.10-4_amd64.deb
c61f161d534fa0308ff75f6d11c071fb7f3737e110c2755d8f1acd406164242f 11070
dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb
f6f4d9fa940044c4bfe6b0202efff2695a34639ce54f68b20488320d855826a8 50762
dcap-tunnel-telnet_2.47.10-4_amd64.deb
f613e3c9aeb8d45fa72bd99444e80f73ac66b744ab8501f4428fac01c744c113 9931
dcap_2.47.10-4_amd64.buildinfo
3d538159e981a1cba066fb4e08f033fc71b6ef7ddbf7a8909c9f4fa2d8276af9 55910
dcap_2.47.10-4_amd64.deb
e60d3ce34cffba66f2624507b90d0893bc266b872f2fc4515f245be84d2616b1 289164
libdcap1-dbgsym_2.47.10-4_amd64.deb
7221176142e951244f22c82652f030193bd9ddf69ac7a5231165dd0654e0ba7a 110288
libdcap1_2.47.10-4_amd64.deb
Files:
fe185da6c2a7cbbd32032cbe8b36bd87 2280 libs optional dcap_2.47.10-4.dsc
81b30ca740ce16c772fcef99d1011336 8524 libs optional
dcap_2.47.10-4.debian.tar.xz
b14e38a2904b74e632068b541a2eca5a 19354 debug extra
dcap-dbgsym_2.47.10-4_amd64.deb
ff7bfba2ea716090469e8038b730d1a0 105388 libdevel optional
dcap-dev_2.47.10-4_amd64.deb
beb55fd83a98ed5f26a6a9ca9100e14a 27238 debug extra
dcap-tunnel-gsi-dbgsym_2.47.10-4_amd64.deb
26c986d7a2f80e5ca6831a39e928ca56 55176 libs optional
dcap-tunnel-gsi_2.47.10-4_amd64.deb
08cd8f0062c77804194dcc0a2fd330a1 23150 debug extra
dcap-tunnel-krb-dbgsym_2.47.10-4_amd64.deb
9b151d65e2ca0c3daa9d25acd34fdfc2 55242 libs optional
dcap-tunnel-krb_2.47.10-4_amd64.deb
07e74c3d2f46744202bbfa57db13af64 9760 debug extra
dcap-tunnel-ssl-dbgsym_2.47.10-4_amd64.deb
d15241cbfea41b33678d4acf88890b7a 50288 libs optional
dcap-tunnel-ssl_2.47.10-4_amd64.deb
0c0346480ccc720d5fdfac351c8d9b6b 11070 debug extra
dcap-tunnel-telnet-dbgsym_2.47.10-4_amd64.deb
2a01b92debee8d1d65388f1634d2a624 50762 libs optional
dcap-tunnel-telnet_2.47.10-4_amd64.deb
f5746c4f871eeabb6e1825cc9720f44e 9931 libs optional
dcap_2.47.10-4_amd64.buildinfo
600c4a114d998130079800d11b69a3ba 55910 net optional dcap_2.47.10-4_amd64.deb
859c44555c419b6a63d8dec4ed7886e4 289164 debug extra
libdcap1-dbgsym_2.47.10-4_amd64.deb
68deac2d3dcf321a7942252248d08fb0 110288 libs optional
libdcap1_2.47.10-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE6hgwr99NQxrZ4RRS6K7C/zvhqUsFAlmOwgUACgkQ6K7C/zvh
qUux3xAAihDHt4hXAxgJ5C/lVSGbXHLhLmtSMpyFN80Iz9+VxnbF0FryoLyX4UlR
XFMjzO7TmqKf+pO/OlY/nTTopaa9rDidwydHCH5nQgNuX+E74zZ1Z5d7rCkfREso
WGdtdXSqJzD549i7QmusS+qrbG9E1v3KsGuAZiGL8bKAC5LAIq10QNNNCGyysoN2
eLr+WVFhZD+FBFnQ0kZ7fZBZwh1xAa7X/+d64FErDbCxXQ86DCADsov9MkQb42oh
NWb2NpqKCxA8uGj72gDQ8T8rumnDEKAD/yO2nFWMFZjvcEugbNfjEgWRtKmWBRX3
mz/200ce14A3bGxK04f865u8jQpUUd54dtWVwepDYDhfol8+dyIr/v0O2xlVTbv0
6UCzFM0HM7QBbKJ4V2EGfwBPzepdJpIsdjnxF3ZF7cdLh5FGYdp0GDv4PFCPTfdu
myL+Pv6+MXsoEDdDhAt7cJh9KzvObsmDzBe8tzxgiZpOsBclhOjDeSlvAhPNKtM+
D1nhgYbdQxVbnmAcD22xSXuwd9DTCN41zi/El7M1vetgCkGwBoJLP+fAi4Ofc4JS
/Ms8QRQl9gyBrdFceJhQftaldB4GQGn/Ar7soxa+dI74LrSHMdYYPzOIt97I0j8P
nXT0/I5zCO9Ky0DCl9eMc3OK8ImGT7amd8QW1++paZDqWr825xI=
=lnGM
-----END PGP SIGNATURE-----
--- End Message ---