diff options
| author | Guilhem Moulin <guilhem@debian.org> | 2021-01-04 11:45:56 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2021-01-04 11:45:56 +0100 | 
| commit | 5bd9a03e0052753106fc96912c160cca8d45c0b9 (patch) | |
| tree | f247cc9fda0e2650615ddd7ed5e32308c730fb1c /debian/patches | |
| parent | f93cf8f0dffeee34935f187af3d08a2f3eb3fde1 (diff) | |
Prepare new release, restoring compatibility with Net::SSLeay 1.83.debian/0.5.6-1_bpo10+1debian/buster-backports
Diffstat (limited to 'debian/patches')
| -rw-r--r-- | debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch | 129 | ||||
| -rw-r--r-- | debian/patches/series | 1 | 
2 files changed, 130 insertions, 0 deletions
| diff --git a/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch new file mode 100644 index 0000000..c695b82 --- /dev/null +++ b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch @@ -0,0 +1,129 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Mon, 4 Jan 2021 10:19:53 +0100 +Subject: Restore compatibility with Net::SSLeay 1.83 + +Buster has Net::SSLeay 1.85 so we can't use Net::SSLeay::version() in +debug mode (we have to use the version number → protocol name map +instead), and can use Net::SSLeay::CTX_set_ciphersuites() to set TLSv1.3 +ciphersuites. + +It's unfortunate that Net::SSLeay manual doesn't say when these function +were added… + +This partially reverts commits 55b8c321048b1d4ebfbd30968e11d2a68ee4d242, +35f4ecefa9c9ff55acfdb337b215e3d13345c86d and +57988c83bb4b3f1780f045880ac4a8f36a51c55c. + +Forwarded: not-needed +--- + doc/interimap.1.md        |  6 +++--- + doc/pullimap.1.md         |  4 ++-- + lib/Net/IMAP/InterIMAP.pm | 18 ++++++++++-------- + tests/tls-ciphers/t       |  9 --------- + 4 files changed, 15 insertions(+), 22 deletions(-) + +diff --git a/doc/interimap.1.md b/doc/interimap.1.md +index 03adbf5..58c8e98 100644 +--- a/doc/interimap.1.md ++++ b/doc/interimap.1.md +@@ -401,10 +401,10 @@ Valid options are: +     `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL +     version used. +  +-*SSL_cipherlist*, *SSL_ciphersuites* ++*SSL_cipherlist* +  +-:   Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. +-    The combination of these lists is sent to the server, which then ++:   Sets the TLSv1.2 and below cipher list. ++    This list is sent to the server, which then +     determines which cipher to use (normally the first supported one +     from the list sent by the client).  The default suites depend on the +     OpenSSL version and its configuration, see [`ciphers`(1ssl)] for +diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md +index 900221a..c2fcee0 100644 +--- a/doc/pullimap.1.md ++++ b/doc/pullimap.1.md +@@ -222,8 +222,8 @@ Valid options are: +  + *SSL_cipherlist*, *SSL_ciphersuites* +  +-:   Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. +-    The combination of these lists is sent to the server, which then ++:   Sets the TLSv1.2 and below cipher list. ++    This list is sent to the server, which then +     determines which cipher to use (normally the first supported one +     from the list sent by the client).  The default suites depend on the +     OpenSSL version and its configuration, see [`ciphers`(1ssl)] for +diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm +index a171554..cc5436b 100644 +--- a/lib/Net/IMAP/InterIMAP.pm ++++ b/lib/Net/IMAP/InterIMAP.pm +@@ -24,7 +24,7 @@ use strict; + use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/; + use Config::Tiny (); + use Errno qw/EEXIST EINTR/; +-use Net::SSLeay 1.86_06 (); ++use Net::SSLeay 1.83 (); + use List::Util qw/all first/; + use POSIX ':signal_h'; + use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR +@@ -67,7 +67,6 @@ my %OPTIONS = ( +     SSL_protocol_max => qr/\A(\P{Control}+)\z/, +     SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/, +     SSL_cipherlist => qr/\A(\P{Control}+)\z/, +-    SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible" +     SSL_hostname => qr/\A(\P{Control}*)\z/, +     SSL_verify => qr/\A(YES|NO)\z/i, +     SSL_CApath => qr/\A(\P{Control}+)\z/, +@@ -1767,9 +1766,6 @@ sub _start_ssl($$) { +     if (defined (my $str = $self->{SSL_cipherlist})) { +         $self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1; +     } +-    if (defined (my $str = $self->{SSL_ciphersuites})) { +-        $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1; +-    } +  +     my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()"); +     my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER(); +@@ -1823,9 +1819,15 @@ sub _start_ssl($$) { +     Net::SSLeay::X509_VERIFY_PARAM_free($vpm); +  +     if ($self->{debug}) { +-        $self->log(sprintf('SSL protocol: %s (0x%x)', +-                          , Net::SSLeay::get_version($ssl) +-                          , Net::SSLeay::version($ssl))); ++        my $v = Net::SSLeay::version($ssl); ++        $self->log(sprintf('SSL protocol: %s (0x%x)', ($v == 0x0002 ? 'SSLv2' : ++                                                       $v == 0x0300 ? 'SSLv3' : ++                                                       $v == 0x0301 ? 'TLSv1' : ++                                                       $v == 0x0302 ? 'TLSv1.1' : ++                                                       $v == 0x0303 ? 'TLSv1.2' : ++                                                       $v == 0x0304 ? 'TLSv1.3' : ++                                                                      '??'), ++                                                      $v)); +         $self->log(sprintf('SSL cipher: %s (%d bits)' +                           , Net::SSLeay::get_cipher($ssl) +                           , Net::SSLeay::get_cipher_bits($ssl))); +diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t +index 0dfc771..677c8c1 100644 +--- a/tests/tls-ciphers/t ++++ b/tests/tls-ciphers/t +@@ -15,17 +15,8 @@ grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || er + with_remote_config <<-EOF + 	SSL_protocol_max = TLSv1.2 + 	SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL +-	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + EOF + interimap --debug || error + grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error +  +-with_remote_config <<-EOF +-	SSL_protocol_min = TLSv1.3 +-	SSL_cipherlist = DHE-RSA-AES128-SHA256 +-	SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +-EOF +-interimap --debug || error +-grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error +- + # vim: set filetype=sh : diff --git a/debian/patches/series b/debian/patches/series index e237c35..e8c970f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@  Mention-the-Debian-BTS-in-the-manpages.patch  Skip-randomized-tests.patch +Restore-compatibility-with-Net-SSLeay-1.83.patch | 
