authorGuilhem Moulin <guilhem@debian.org>2021-01-04 11:45:56 +0100
committerGuilhem Moulin <guilhem@debian.org>2021-01-04 11:45:56 +0100
commit5bd9a03e0052753106fc96912c160cca8d45c0b9 (patch)
treef247cc9fda0e2650615ddd7ed5e32308c730fb1c
parentf93cf8f0dffeee34935f187af3d08a2f3eb3fde1 (diff)
Prepare new release, restoring compatibility with Net::SSLeay 1.83.debian/0.5.6-1_bpo10+1debian/buster-backports
-rw-r--r--debian/changelog10
-rw-r--r--debian/control2
-rw-r--r--debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch129
-rw-r--r--debian/patches/series1
4 files changed, 141 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 36432b0..42cf4f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+interimap (0.5.6-1~bpo10+1) buster-backports; urgency=medium
+
+ * Rebuild for buster-backports.
+ * Buster's Net::SSLeay 1.85 is lacking Net::SSLeay::version() and
+ Net::SSLeay::CTX_set_ciphersuites(); in order to restore compatibility
+ with Net::SSLeay 1.83 we revert to use our own protocol map in debug mode,
+ and remove the 'SSL_ciphersuites' option.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 04 Jan 2021 11:45:41 +0100
+
interimap (0.5.6-1) unstable; urgency=high
* New upstream bugfix release with the correct minimum Net::SSLeay version.
diff --git a/debian/control b/debian/control
index dda346e..2cad992 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper-compat (= 13),
jq,
libconfig-tiny-perl <!nocheck>,
libdbd-sqlite3-perl <!nocheck>,
- libnet-ssleay-perl (>= 1.88~) <!nocheck>,
+ libnet-ssleay-perl (>= 1.83~) <!nocheck>,
openssl (>= 1.1.1~) <!nocheck>,
pandoc (>= 2.1~),
procps <!nocheck>,
diff --git a/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch
new file mode 100644
index 0000000..c695b82
--- /dev/null
+++ b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch
@@ -0,0 +1,129 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Mon, 4 Jan 2021 10:19:53 +0100
+Subject: Restore compatibility with Net::SSLeay 1.83
+
+Buster has Net::SSLeay 1.85 so we can't use Net::SSLeay::version() in
+debug mode (we have to use the version number → protocol name map
+instead), and can use Net::SSLeay::CTX_set_ciphersuites() to set TLSv1.3
+ciphersuites.
+
+It's unfortunate that Net::SSLeay manual doesn't say when these function
+were added…
+
+This partially reverts commits 55b8c321048b1d4ebfbd30968e11d2a68ee4d242,
+35f4ecefa9c9ff55acfdb337b215e3d13345c86d and
+57988c83bb4b3f1780f045880ac4a8f36a51c55c.
+
+Forwarded: not-needed
+---
+ doc/interimap.1.md | 6 +++---
+ doc/pullimap.1.md | 4 ++--
+ lib/Net/IMAP/InterIMAP.pm | 18 ++++++++++--------
+ tests/tls-ciphers/t | 9 ---------
+ 4 files changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/doc/interimap.1.md b/doc/interimap.1.md
+index 03adbf5..58c8e98 100644
+--- a/doc/interimap.1.md
++++ b/doc/interimap.1.md
+@@ -401,10 +401,10 @@ Valid options are:
+ `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+ version used.
+
+-*SSL_cipherlist*, *SSL_ciphersuites*
++*SSL_cipherlist*
+
+-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+- The combination of these lists is sent to the server, which then
++: Sets the TLSv1.2 and below cipher list.
++ This list is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
+index 900221a..c2fcee0 100644
+--- a/doc/pullimap.1.md
++++ b/doc/pullimap.1.md
+@@ -222,8 +222,8 @@ Valid options are:
+
+ *SSL_cipherlist*, *SSL_ciphersuites*
+
+-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+- The combination of these lists is sent to the server, which then
++: Sets the TLSv1.2 and below cipher list.
++ This list is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
+index a171554..cc5436b 100644
+--- a/lib/Net/IMAP/InterIMAP.pm
++++ b/lib/Net/IMAP/InterIMAP.pm
+@@ -24,7 +24,7 @@ use strict;
+ use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/;
+ use Config::Tiny ();
+ use Errno qw/EEXIST EINTR/;
+-use Net::SSLeay 1.86_06 ();
++use Net::SSLeay 1.83 ();
+ use List::Util qw/all first/;
+ use POSIX ':signal_h';
+ use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR
+@@ -67,7 +67,6 @@ my %OPTIONS = (
+ SSL_protocol_max => qr/\A(\P{Control}+)\z/,
+ SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/,
+ SSL_cipherlist => qr/\A(\P{Control}+)\z/,
+- SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible"
+ SSL_hostname => qr/\A(\P{Control}*)\z/,
+ SSL_verify => qr/\A(YES|NO)\z/i,
+ SSL_CApath => qr/\A(\P{Control}+)\z/,
+@@ -1767,9 +1766,6 @@ sub _start_ssl($$) {
+ if (defined (my $str = $self->{SSL_cipherlist})) {
+ $self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1;
+ }
+- if (defined (my $str = $self->{SSL_ciphersuites})) {
+- $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1;
+- }
+
+ my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()");
+ my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER();
+@@ -1823,9 +1819,15 @@ sub _start_ssl($$) {
+ Net::SSLeay::X509_VERIFY_PARAM_free($vpm);
+
+ if ($self->{debug}) {
+- $self->log(sprintf('SSL protocol: %s (0x%x)',
+- , Net::SSLeay::get_version($ssl)
+- , Net::SSLeay::version($ssl)));
++ my $v = Net::SSLeay::version($ssl);
++ $self->log(sprintf('SSL protocol: %s (0x%x)', ($v == 0x0002 ? 'SSLv2' :
++ $v == 0x0300 ? 'SSLv3' :
++ $v == 0x0301 ? 'TLSv1' :
++ $v == 0x0302 ? 'TLSv1.1' :
++ $v == 0x0303 ? 'TLSv1.2' :
++ $v == 0x0304 ? 'TLSv1.3' :
++ '??'),
++ $v));
+ $self->log(sprintf('SSL cipher: %s (%d bits)'
+ , Net::SSLeay::get_cipher($ssl)
+ , Net::SSLeay::get_cipher_bits($ssl)));
+diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
+index 0dfc771..677c8c1 100644
+--- a/tests/tls-ciphers/t
++++ b/tests/tls-ciphers/t
+@@ -15,17 +15,8 @@ grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || er
+ with_remote_config <<-EOF
+ SSL_protocol_max = TLSv1.2
+ SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL
+- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+ EOF
+ interimap --debug || error
+ grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error
+
+-with_remote_config <<-EOF
+- SSL_protocol_min = TLSv1.3
+- SSL_cipherlist = DHE-RSA-AES128-SHA256
+- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+-EOF
+-interimap --debug || error
+-grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
+-
+ # vim: set filetype=sh :
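Review bot: The doc/pullimap.1.md hunk leaves the heading `*SSL_cipherlist*, *SSL_ciphersuites*` as context, so pullimap's manual still advertises an option that the InterIMAP.pm hunk removes from `%OPTIONS`; the heading should become `*SSL_cipherlist*`, as in doc/interimap.1.md. With the `CTX_set_ciphersuites()` call gone, `SSL_cipherlist` only constrains TLSv1.2 and below, so a restrictive list can read as covering every negotiated protocol; both manuals would benefit from a sentence such as `TLSv1.3 cipher suites cannot be configured in this build and follow the OpenSSL defaults.` The patch description and debian/changelog name `Net::SSLeay::version()` as the missing function, yet the new debug code still calls `Net::SSLeay::version($ssl)` and drops only `get_version()`, which is presumably the one meant; "and can use Net::SSLeay::CTX_set_ciphersuites()" likewise looks like it should read "can't use". `_start_ssl` starts and ends outside these hunks, and how an `SSL_ciphersuites` line left in an existing configuration is handled is not visible here.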
diff --git a/debian/patches/series b/debian/patches/series
index e237c35..e8c970f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
Mention-the-Debian-BTS-in-the-manpages.patch
Skip-randomized-tests.patch
+Restore-compatibility-with-Net-SSLeay-1.83.patch