[pkg-fetchmail-maint] Bug#775255: Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled

Chiraag Nataraj chiraag.nataraj at gmail.com
Wed Jan 14 02:44:38 UTC 2015


Yes, it works with the version of libssl from unstable since SSLv3 is not disabled in that version. The main problem is that currently, fetchmail does not work with more secure versions of libssl (which have SSLv3 disabled completely). I just provided one solution (completely disable SSLv3 in fetchmail), but if another one (such as automatically detecting that libssl does not provide SSLv3 and therefore not even attempting to load the SSLv3 symbols) works better, that's fine too.

Currently, the version of fetchmail in experimental is the same as the version of fetchmail in unstable. If necessary, you could release a different version of fetchmail for experimental which drops SSLv3 support entirely (if updating the one in unstable seems like a bad idea currently), since SSLv3 support *should* be dropped at some point due to the POODLE bug.

This is not an issue of fetchmail negotiating SSLv3 by default; this is an issue of fetchmail looking for symbols in libssl *which don't exist*. The first would only surface if, for example, libssl provided an empty implementation of SSLv3 but still exported the symbols. What's happening right now is that the symbols don't even exist, which leads to the program not working at all. This is regardless of whether or not I actually utilize SSLv3 as my protocol (which I never specifically requested).

- Chiraag
-- 
Chiraag M Nataraj
Senior at the California Institute of Technology
Email: chiraag.nataraj at gmail.com
Phone: 610-350-6329
Website: http://chiraag.nataraj.us

On Wed, Jan 14, 2015 at 12:38:54AM +0100, Nico Golde wrote:
> Hi,
> * Chiraag Nataraj <chiraag.nataraj at gmail.com> [2015-01-13 12:22]:
> > Package: fetchmail
> > Version: 6.3.26-1+b1
> > Severity: grave
> > Justification: renders package unusable
> 
> You filed a bug against a version that works absolutely fine with the openssl 
> version it is supposed to work with. Hence, I'm inclined to close that bug or 
> downgrade it to wishlist in favor of removing/disabling sslv3 support in 
> fetchmail.
> 
> > When the latest version of libssl1.0.0 is installed from experimental (which has SSLv3 disabled), Fetchmail exits with the following error:
> > 
> > fetchmail: relocation error: fetchmail: symbol SSLv3_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
> 
> See above
> 
> > Fetchmail should be rebuilt to not require SSLv3.
> 
> The patch you included simply removes this feature entirely:
> --- fetchmail-6.3.26/socket.c   2013-04-23 22:00:45.000000000 +0200
> +++ socket.c    2015-01-14 00:29:53.412608735 +0100
> @@ -913,8 +913,6 @@
>                         report(stderr, GT_("Your operating system does not support SSLv2.\n"));
>                         return -1;
>  #endif
> -               } else if(!strcasecmp("ssl3",myproto)) {
> -                       _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
>                 } else if(!strcasecmp("tls1",myproto)) {
>                         _ctx[sock] = SSL_CTX_new(TLSv1_client_method());
>                 } else if (!strcasecmp("ssl23",myproto)) {
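Review bot: Deleting the `ssl3` branch outright means a configuration that explicitly asks for `ssl3` now falls through to the `tls1` and `ssl23` comparisons (and whatever follows them) without any diagnostic, which is the opposite of what a user who typed `ssl3` would expect. The SSLv2 case directly above shows the better shape: keep the `else if(!strcasecmp("ssl3",myproto))` test, have it `report(stderr, GT_("Your operating system does not support SSLv3.\n"));` and `return -1;`, and wrap the `SSL_CTX_new(SSLv3_client_method())` call in the same kind of preprocessor guard that closes with the visible `#endif` (OpenSSL defines `OPENSSL_NO_SSL3` when SSLv3 is compiled out) so the symbol reference only exists in builds where libssl provides it.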
> 
> In the current git version of fetchmail, sslv3 is not negotiated by default, 
> unless a user explicitly requests to do so. As such I'm not sure how useful 
> this patch is, either.
> 
> Matthias, do you mind weighing in on this?
> 
> Thanks
> Nico
> -- 
> Nico Golde - XMPP: nion at jabber.ccc.de - GPG: 0xA0A0AAAA
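The relocation error in this thread comes from a symbol the fetchmail binary references at link time that the installed libssl no longer exports. The script below, added here and not part of the bug report or of fetchmail, shows how to confirm that before upgrading a library: it takes two `nm -D` symbol tables (the sample tables are constructed, not captured from a real system) and lists the symbols the binary needs that the library does not define.

```shell
#!/bin/sh
# Added example, not code from the bug report or from fetchmail: compare the
# dynamic symbols a binary needs with those a shared library exports. Any
# symbol in the first set but not the second is what the dynamic linker
# reports at start-up as "relocation error: symbol ... not defined".
# Input is `nm -D` output (address, type, name[@version]).

# Undefined ("U") dynamic symbols the binary expects its libraries to provide.
needed_symbols() {
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' "$1" | sort -u
}

# Symbols the library defines in its text section ("T").
exported_symbols() {
    awk '$2 == "T" { sub(/@.*/, "", $3); print $3 }' "$1" | sort -u
}

# missing_symbols BIN_NM LIB_NM [REGEX]: symbols needed by the binary but
# absent from the library. REGEX limits the check to names this library is
# expected to provide (a binary also needs libc symbols, which would otherwise
# show up as false positives).
missing_symbols() {
    tmpdir=$(mktemp -d)
    needed_symbols "$1" | grep -E "${3:-.}" > "$tmpdir/needed" || true
    exported_symbols "$2" > "$tmpdir/exported"
    comm -23 "$tmpdir/needed" "$tmpdir/exported"
    rm -rf "$tmpdir"
}

# Constructed sample: the SSL calls visible in socket.c above plus libc noise,
# as `nm -D fetchmail` might list them.
BIN_NM=$(mktemp)
cat > "$BIN_NM" <<'EOF'
                 U SSL_CTX_new@OPENSSL_1.0.0
                 U SSLv23_client_method@OPENSSL_1.0.0
                 U SSLv3_client_method@OPENSSL_1.0.0
                 U TLSv1_client_method@OPENSSL_1.0.0
                 U strcasecmp@GLIBC_2.2.5
EOF

# Constructed sample: a libssl built with SSLv3 compiled out.
LIB_NM=$(mktemp)
cat > "$LIB_NM" <<'EOF'
0000000000032a40 T SSL_CTX_new
0000000000041c10 T SSLv23_client_method
0000000000041d20 T TLSv1_client_method
0000000000042000 D SSL_version_str
EOF

missing_symbols "$BIN_NM" "$LIB_NM" '^(SSL|TLS)'   # prints: SSLv3_client_method
```

Run against the real files with `nm -D "$(command -v fetchmail)"` and `nm -D /path/to/libssl.so.1.0.0` redirected to two files; an empty result means the upgrade will not break the binary at load time.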



