Bug#933369: buster-pu: package dma/0.11-1+deb10u1

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2019-07-29 at 21:13 +0200, Laurent Bigonville wrote:
> dma currently uses the TLSv1_client_method() function, which means that it
> only supports TLS 1.0, which is considered deprecated (and forbidden by
> PCI certification).
> 
> From what I can read, major providers are planning to remove support for
> TLS 1.0 and TLS 1.1 during 2020.
> 
> The attached patches (cherry-picked from upstream) switch to the
> "version-flexible" function (TLS_client_method()).
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#933369: buster-pu: package dma/0.11-1+deb10u1

2019-08-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #933369 [release.debian.org] buster-pu: package dma/0.11-1+deb10u1
Added tag(s) confirmed.

-- 
933369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933369: buster-pu: package dma/0.11-1+deb10u1

2019-07-29 Thread Laurent Bigonville
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

dma currently uses the TLSv1_client_method() function, which means that it
only supports TLS 1.0, which is considered deprecated (and forbidden by
PCI certification).

From what I can read, major providers are planning to remove support for
TLS 1.0 and TLS 1.1 during 2020.

The attached patches (cherry-picked from upstream) switch to the
"version-flexible" function (TLS_client_method()).

Could this be included in buster?

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
diff -Nru dma-0.11/debian/changelog dma-0.11/debian/changelog
--- dma-0.11/debian/changelog   2016-05-29 12:29:47.0 +0200
+++ dma-0.11/debian/changelog   2019-07-29 20:56:49.0 +0200
@@ -1,3 +1,12 @@
+dma (0.11-1+deb10u1) buster; urgency=medium
+
+  * d/p/0002-crypto-Don-t-limit-to-TLSv1-only.patch: Do not limit SSL
+connection to TLSv1 (Closes: #871429)
+  * d/p/0003-properly-deal-with-SSL_connect-return-value.patch: Properly check
+the return code of SSL_connect()
+
+ -- Laurent Bigonville   Mon, 29 Jul 2019 20:56:49 +0200
+
 dma (0.11-1) unstable; urgency=medium
 
   [ Arno Töll ]
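Review bot: the maintainer trailer line ` -- Laurent Bigonville   Mon, 29 Jul 2019 20:56:49 +0200` carries no address between the name and the date; dpkg-parsechangelog requires the ` -- name <email>  date` form, so please confirm the file in the actual upload has the `<email>` part (it may just have been stripped in transit). The two bullet entries match what the patches do; the second one could also name the upstream commit it was cherry-picked from, as the first does with its bug number, so the provenance is visible from the changelog alone.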
diff -Nru dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch
--- dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
1970-01-01 01:00:00.0 +0100
+++ dma-0.11/debian/patches/0002-crypto-Don-t-limit-to-TLSv1-only.patch 
2019-07-29 20:56:49.0 +0200
@@ -0,0 +1,27 @@
+From: Michael Tremer 
+Date: Sun, 11 Feb 2018 11:05:43 +
+Subject: crypto: Don't limit to TLSv1 only
+
+Signed-off-by: Michael Tremer 
+---
+ crypto.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 897b55b..440c882 100644
+--- a/crypto.c
 b/crypto.c
+@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature)
+   SSL_library_init();
+   SSL_load_error_strings();
+ 
+-  meth = TLSv1_client_method();
++  // Allow any possible version
++#if (OPENSSL_VERSION_NUMBER >= 0x1010L)
++  meth = TLS_client_method();
++#else
++  meth = SSLv23_client_method();
++#endif
+ 
+   ctx = SSL_CTX_new(meth);
+   if (ctx == NULL) {
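Review bot: the guard `#if (OPENSSL_VERSION_NUMBER >= 0x1010L)` compares against a malformed constant. OpenSSL encodes 1.1.0 as `0x10100000L`; `0x1010L` (4112) is smaller than every released version number, so the `#if` branch is always taken and the `SSLv23_client_method()` fallback is dead code. On buster this is harmless because the `TLS_client_method()` branch is the one wanted there, but against OpenSSL 1.0.2 the cherry-pick would not compile; change the constant to `0x10100000L` (or drop the fallback altogether for the stable upload). Two smaller points: `TLS_client_method()` negotiates the highest version both ends support but sets no floor, so the minimum accepted version depends on library defaults and the system openssl.cnf; an explicit `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)` after `SSL_CTX_new()` would pin the intent stated in the changelog. And the added `// Allow any possible version` comment is C99 style in a file that otherwise uses `/* */` comments (see the `/* Open SSL connection */` line in the next patch).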
diff -Nru 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch
--- 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch  
1970-01-01 01:00:00.0 +0100
+++ 
dma-0.11/debian/patches/0003-properly-deal-with-SSL_connect-return-value.patch  
2019-07-29 20:56:49.0 +0200
@@ -0,0 +1,22 @@
+From: Simon Schubert <2...@0x2c.org>
+Date: Thu, 13 Sep 2018 16:44:50 +0200
+Subject: properly deal with SSL_connect() return value
+
+Submitted-by: lc3412
+---
+ crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto.c b/crypto.c
+index 440c882..ef08144 100644
+--- a/crypto.c
 b/crypto.c
+@@ -160,7 +160,7 @@ smtp_init_crypto(int fd, int feature)
+ 
+   /* Open SSL connection */
+   error = SSL_connect(config.ssl);
+-  if (error < 0) {
++  if (error != 1) {
+   syslog(LOG_ERR, "remote delivery deferred: SSL handshake failed 
fatally: %s",
+  ssl_errstr());
+   return (1);
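Review bot: the change from `error < 0` to `error != 1` is correct. `SSL_connect()` returns 1 only when the handshake completed, 0 when it did not succeed but was shut down cleanly according to the protocol (for example the peer rejected the negotiation), and a negative value on a fatal error, so the old test let a 0 return fall through and continue as if a TLS session existed. Two follow-ups for the same lines: the log text still says "SSL handshake failed fatally", which no longer fits the 0 case, and `ssl_errstr()` (which presumably drains the OpenSSL error queue) can come back empty after a clean shutdown; calling `SSL_get_error(config.ssl, error)` and logging its result alongside gives the operator the actual reason.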
diff -Nru dma-0.11/debian/patches/series dma-0.11/debian/patches/series
--- dma-0.11/debian/patches/series  2016-05-29 12:29:47.0 +0200
+++ dma-0.11/debian/patches/series  2019-07-29 20:56:49.0 +0200
@@ -1,2 +1,3 @@
 03-debian-locations.patch
-#10-liblockfile.patch
+0002-crypto-Don-t-limit-to-TLSv1-only.patch
+0003-properly-deal-with-SSL_connect-return-value.patch
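Review bot: besides adding the two new patches, this hunk deletes the commented-out `#10-liblockfile.patch` line, which is unrelated to the TLS fix and not mentioned in the changelog; for a stable update keep the diff to the fix itself and leave that line alone (or say in the changelog that it was cleaned up). Cosmetic: the existing entry is numbered `03-...` while the new ones are `0002-`/`0003-`, so the series now mixes two numbering schemes.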
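An added example, not dma's code and not from either upstream commit, that models the two checks the attached patches touch without linking libssl: the OPENSSL_VERSION_NUMBER encoding behind the `#if` guard in the TLSv1 patch, and the SSL_connect() return-value contract the second patch fixes. The sample version numbers (OpenSSL 1.0.2g and 1.1.1) are constructed inputs and the function names are mine; it shows that the guard value `0x1010L` used in the patch selects the `TLS_client_method()` branch even for OpenSSL 1.0.2, while the properly encoded `0x10100000L` does not.

```c
#include <stdio.h>

/* Added example (not dma's code). OpenSSL 1.x encodes OPENSSL_VERSION_NUMBER
 * as 0xMNNFFPPSL: M = major (4 bits), NN = minor, FF = fix, PP = patch
 * letter, S = status (0xf = release). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xF);
    r.minor  = (unsigned)((v >> 20) & 0xFF);
    r.fix    = (unsigned)((v >> 12) & 0xFF);
    r.patch  = (unsigned)((v >> 4) & 0xFF);
    r.status = (unsigned)(v & 0xF);
    return r;
}

/* The constant a "#if OPENSSL_VERSION_NUMBER >= ..." guard should use for
 * "at least major.minor.fix" (patch and status bits left at zero). */
unsigned long ossl_encode(unsigned major, unsigned minor, unsigned fix)
{
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12);
}

/* Would a guard with this threshold pick the TLS_client_method() branch
 * when building against a library with version number 'have'? */
int guard_takes_tls_branch(unsigned long have, unsigned long threshold)
{
    return have >= threshold;
}

/* SSL_connect() contract: 1 = handshake completed; 0 = not successful but
 * shut down cleanly by the protocol (e.g. peer refused the negotiation);
 * <0 = fatal error, or "try again" on a non-blocking socket. Only 1 means
 * a usable session, which is why "error < 0" was the wrong test. */
enum handshake { HS_ESTABLISHED, HS_REFUSED, HS_FATAL };

enum handshake classify_ssl_connect(int rc)
{
    if (rc == 1) return HS_ESTABLISHED;
    if (rc == 0) return HS_REFUSED;
    return HS_FATAL;
}

int main(void)
{
    /* Constructed sample: OpenSSL 1.0.2g and OpenSSL 1.1.1 (release). */
    unsigned long samples[] = { 0x1000207fUL, 0x1010100fUL };
    unsigned long bad_guard = 0x1010UL;              /* value used in the patch */
    unsigned long good_guard = ossl_encode(1, 1, 0); /* 0x10100000, i.e. 1.1.0 */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ossl_version v = ossl_decode(samples[i]);
        printf("0x%08lx = %u.%u.%u: guard 0x1010 -> %s, guard 0x10100000 -> %s\n",
               samples[i], v.major, v.minor, v.fix,
               guard_takes_tls_branch(samples[i], bad_guard)
                   ? "TLS_client_method" : "SSLv23_client_method",
               guard_takes_tls_branch(samples[i], good_guard)
                   ? "TLS_client_method" : "SSLv23_client_method");
    }
    return 0;
}
```

The decoder is the same arithmetic a reviewer does by hand when checking such a guard; the classifier just makes the three documented SSL_connect() outcomes explicit so a caller cannot treat 0 as success.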