[Pkg-openssl-devel] Bug#707250: Fails to connect without -ssl3 for certain IMAPS servers
Ryan Kavanagh
rak at debian.org
Wed May 8 15:28:08 UTC 2013
Package: openssl
Version: 1.0.1e-2
Severity: normal
Tags: upstream patch
It is impossible to connect to certain IMAPS servers with certain
versions of openssl without the '-ssl3' flag, including the current
version in Debian, 1.0.1e. Here are the versions that worked and didn't
work:
* 0.9.8e : worked, RHEL
* 0.9.8o : worked, Debian (x3 hosts)
* 1.0.0 : failed, Debian
* 1.0.0f : worked, OpenBSD (x2 hosts)
* 1.0.1c : failed, Debian
* 1.0.1e : failed, Debian
This can be tested with the MIT exchange server:
    (echo "001 capability" ; sleep 1) | openssl s_client -crlf -connect \
        imap.exchange.mit.edu:imaps -debug
which hangs at
    CONNECTED(00000003)
    write to 0x1f85fc0 [0x1f86040] (320 bytes => 320 (0x140))
    0000 - 16 03 01 01 3b 01 00 01-37 03 03 51 88 25 5d d6 ....;...7..Q.%].
    ...................... written data continues .......
    ...................... wait forever to get a response .......
and must be killed with a ^C.
However, one is able to connect if one adds on the '-ssl3' option,
obtaining the desired output of
    * OK The Microsoft Exchange IMAP4 service is ready.
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN STARTTLS CHILDREN IDLE NAMESPACE LITERAL+
    001 OK CAPABILITY completed.
This seems to be related to the upstream bug report
http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
where two patches are provided. These have already been applied upstream
and are included in the 1.0.1e release. To be activated, they require
passing the '-DOPENSSL_NO_TLS1_2_CLIENT' option to Configure, which may
or may not be desirable. The attached patch does this (you will
additionally need to disable the calls to "make test" at build time). It
is then possible to connect to the IMAPS servers without explicitly
passing the '-ssl3' flag.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.8-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.17-1
ii libssl1.0.0 1.0.1e-2
ii zlib1g 1:1.2.8.dfsg-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119
-- no debconf information
--
|_)|_/ Ryan Kavanagh | Debian Developer
| \| \ http://ryanak.ca/ | GPG Key 4A11C97A
-------------- next part --------------
Index: debian/rules
===================================================================
--- debian/rules (revision 598)
+++ debian/rules (working copy)
@@ -19,7 +19,7 @@
DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
DEB_HOST_MULTIARCH=$(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
-CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2
+CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 -DOPENSSL_NO_TLS1_2_CLIENT
OPT_alpha = ev4 ev5
OPT_i386 = i586 i686/cmov
ARCHOPTS = OPT_$(DEB_HOST_ARCH)
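Review bot: the -DOPENSSL_NO_TLS1_2_CLIENT appended to CONFARGS is unconditional and undocumented, so the package would be built with TLS 1.2 turned off on the client side for every user, on every architecture, with nothing in debian/rules saying why. Add a comment above CONFARGS citing Bug#707250 and the upstream ticket so the define can be dropped once it is no longer needed. The report also states that the calls to "make test" have to be disabled for this to build, but the hunk does not touch them, so the patch as posted is incomplete; include that change, or preferably keep the test run and note which tests fail with the define set.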
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1876 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20130508/228a8329/attachment.pgp>
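The first bytes of the ClientHello shown in the -debug dump above can be decoded to see which protocol versions the hanging handshake advertises. The following Python is an added example, not part of the original report or of OpenSSL; the function name and the returned field names are assumptions chosen for illustration.

```python
import struct

# First 11 bytes of the ClientHello, copied from the s_client -debug dump in the report.
DUMP_PREFIX = bytes.fromhex("16 03 01 01 3b 01 00 01 37 03 03")

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def version_name(code):
    """Map a two-byte protocol version to a readable name."""
    return VERSIONS.get(code, "unknown (0x%04x)" % code)


def parse_client_hello_prefix(data):
    """Decode the record header (5 bytes), handshake header (4) and client_version (2)."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes")
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record (content type 0x%02x)" % content_type)
    if data[5] != 0x01:
        raise ValueError("not a ClientHello (handshake type 0x%02x)" % data[5])
    hs_len = int.from_bytes(data[6:9], "big")  # 24-bit handshake body length
    (client_version,) = struct.unpack("!H", data[9:11])
    return {
        "record_version": version_name(record_version),
        "record_length": record_len,
        "bytes_on_wire": 5 + record_len,  # record header + payload
        "handshake_length": hs_len,
        "client_version": version_name(client_version),
        # True when the whole ClientHello fits in this one record.
        "single_record": hs_len + 4 == record_len,
    }


if __name__ == "__main__":
    for key, value in parse_client_hello_prefix(DUMP_PREFIX).items():
        print("%-18s %s" % (key, value))
```

The computed 320 bytes on the wire match the write size s_client reports, and the advertised client version is TLS 1.2, the version the proposed -DOPENSSL_NO_TLS1_2_CLIENT build option keeps the client from offering.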