From 5bd9a03e0052753106fc96912c160cca8d45c0b9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 4 Jan 2021 11:45:56 +0100 Subject: Prepare new release, restoring compatibility with Net::SSLeay 1.83. --- debian/changelog | 10 ++ debian/control | 2 +- ...estore-compatibility-with-Net-SSLeay-1.83.patch | 129 +++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 36432b0..42cf4f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +interimap (0.5.6-1~bpo10+1) buster-backports; urgency=medium + + * Rebuild for buster-backports. + * Buster's Net::SSLeay 1.85 is lacking Net::SSLeay::version() and + Net::SSLeay::CTX_set_ciphersuites(); in order to restore compatibility + with Net::SSLeay 1.83 we revert to use our own protocol map in debug mode, + and remove the 'SSL_ciphersuites' option. + + -- Guilhem Moulin Mon, 04 Jan 2021 11:45:41 +0100 + interimap (0.5.6-1) unstable; urgency=high * New upstream bugfix release with the correct minimum Net::SSLeay version. diff --git a/debian/control b/debian/control index dda346e..2cad992 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Build-Depends: debhelper-compat (= 13), jq, libconfig-tiny-perl , libdbd-sqlite3-perl , - libnet-ssleay-perl (>= 1.88~) , + libnet-ssleay-perl (>= 1.83~) , openssl (>= 1.1.1~) , pandoc (>= 2.1~), procps , diff --git a/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch new file mode 100644 index 0000000..c695b82 --- /dev/null +++ b/debian/patches/Restore-compatibility-with-Net-SSLeay-1.83.patch @@ -0,0 +1,129 @@ +From: Guilhem Moulin +Date: Mon, 4 Jan 2021 10:19:53 +0100 +Subject: Restore compatibility with Net::SSLeay 1.83 + +Buster has Net::SSLeay 1.85 so we can't use Net::SSLeay::version() in +debug mode (we have to use the version number → protocol name map +instead), and can use Net::SSLeay::CTX_set_ciphersuites() to set TLSv1.3 +ciphersuites. + +It's unfortunate that Net::SSLeay manual doesn't say when these function +were added… + +This partially reverts commits 55b8c321048b1d4ebfbd30968e11d2a68ee4d242, +35f4ecefa9c9ff55acfdb337b215e3d13345c86d and +57988c83bb4b3f1780f045880ac4a8f36a51c55c. + +Forwarded: not-needed +--- + doc/interimap.1.md | 6 +++--- + doc/pullimap.1.md | 4 ++-- + lib/Net/IMAP/InterIMAP.pm | 18 ++++++++++-------- + tests/tls-ciphers/t | 9 --------- + 4 files changed, 15 insertions(+), 22 deletions(-) + +diff --git a/doc/interimap.1.md b/doc/interimap.1.md +index 03adbf5..58c8e98 100644 +--- a/doc/interimap.1.md ++++ b/doc/interimap.1.md +@@ -401,10 +401,10 @@ Valid options are: + `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL + version used. + +-*SSL_cipherlist*, *SSL_ciphersuites* ++*SSL_cipherlist* + +-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. +- The combination of these lists is sent to the server, which then ++: Sets the TLSv1.2 and below cipher list. ++ This list is sent to the server, which then + determines which cipher to use (normally the first supported one + from the list sent by the client). The default suites depend on the + OpenSSL version and its configuration, see [`ciphers`(1ssl)] for +diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md +index 900221a..c2fcee0 100644 +--- a/doc/pullimap.1.md ++++ b/doc/pullimap.1.md +@@ -222,8 +222,8 @@ Valid options are: + + *SSL_cipherlist*, *SSL_ciphersuites* + +-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. +- The combination of these lists is sent to the server, which then ++: Sets the TLSv1.2 and below cipher list. ++ This list is sent to the server, which then + determines which cipher to use (normally the first supported one + from the list sent by the client). The default suites depend on the + OpenSSL version and its configuration, see [`ciphers`(1ssl)] for +diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm +index a171554..cc5436b 100644 +--- a/lib/Net/IMAP/InterIMAP.pm ++++ b/lib/Net/IMAP/InterIMAP.pm +@@ -24,7 +24,7 @@ use strict; + use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/; + use Config::Tiny (); + use Errno qw/EEXIST EINTR/; +-use Net::SSLeay 1.86_06 (); ++use Net::SSLeay 1.83 (); + use List::Util qw/all first/; + use POSIX ':signal_h'; + use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR +@@ -67,7 +67,6 @@ my %OPTIONS = ( + SSL_protocol_max => qr/\A(\P{Control}+)\z/, + SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/, + SSL_cipherlist => qr/\A(\P{Control}+)\z/, +- SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible" + SSL_hostname => qr/\A(\P{Control}*)\z/, + SSL_verify => qr/\A(YES|NO)\z/i, + SSL_CApath => qr/\A(\P{Control}+)\z/, +@@ -1767,9 +1766,6 @@ sub _start_ssl($$) { + if (defined (my $str = $self->{SSL_cipherlist})) { + $self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1; + } +- if (defined (my $str = $self->{SSL_ciphersuites})) { +- $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1; +- } + + my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()"); + my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER(); +@@ -1823,9 +1819,15 @@ sub _start_ssl($$) { + Net::SSLeay::X509_VERIFY_PARAM_free($vpm); + + if ($self->{debug}) { +- $self->log(sprintf('SSL protocol: %s (0x%x)', +- , Net::SSLeay::get_version($ssl) +- , Net::SSLeay::version($ssl))); ++ my $v = Net::SSLeay::version($ssl); ++ $self->log(sprintf('SSL protocol: %s (0x%x)', ($v == 0x0002 ? 'SSLv2' : ++ $v == 0x0300 ? 'SSLv3' : ++ $v == 0x0301 ? 'TLSv1' : ++ $v == 0x0302 ? 'TLSv1.1' : ++ $v == 0x0303 ? 'TLSv1.2' : ++ $v == 0x0304 ? 'TLSv1.3' : ++ '??'), ++ $v)); + $self->log(sprintf('SSL cipher: %s (%d bits)' + , Net::SSLeay::get_cipher($ssl) + , Net::SSLeay::get_cipher_bits($ssl))); +diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t +index 0dfc771..677c8c1 100644 +--- a/tests/tls-ciphers/t ++++ b/tests/tls-ciphers/t +@@ -15,17 +15,8 @@ grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || er + with_remote_config <<-EOF + SSL_protocol_max = TLSv1.2 + SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL +- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + EOF + interimap --debug || error + grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error + +-with_remote_config <<-EOF +- SSL_protocol_min = TLSv1.3 +- SSL_cipherlist = DHE-RSA-AES128-SHA256 +- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +-EOF +-interimap --debug || error +-grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error +- + # vim: set filetype=sh : diff --git a/debian/patches/series b/debian/patches/series index e237c35..e8c970f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ Mention-the-Debian-BTS-in-the-manpages.patch Skip-randomized-tests.patch +Restore-compatibility-with-Net-SSLeay-1.83.patch -- cgit v1.2.3