[pkg-fetchmail-maint] Bug#775255: Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled

Nico Golde nion at debian.org
Sat Jan 17 13:30:45 UTC 2015


severity 775255 wishlist
retitle 775255 provide possibility to disable sslv3 or remove completely
thanks

Hi,
* Chiraag Nataraj <chiraag.nataraj at gmail.com> [2015-01-14 03:50]:
> Yes, it works with the version of libssl from unstable since SSLv3 is not 
> disabled in that version. The main problem is that currently, fetchmail does 
> not work with more secure versions of libssl (which have SSLv3 disabled 
> completely). I just provided one solution (completely disable SSLv3 in 
> fetchmail), but if another one (such as automatically detecting that libssl 
> does not provide SSLv3 and therefore not even attempting to load the SSLv3 
> symbols) works better, that's fine too.
> 
> Currently, the version of fetchmail in experimental is the same as the 
> version of fetchmail in unstable. If necessary, you could release a 
> different version of fetchmail for experimental which drops SSLv3 support 
> entirely (if updating the one in unstable seems like a bad idea currently), 
> since SSLv3 support *should* be dropped at some point due to the POODLE bug.
> 
> This is not an issue of fetchmail negotiating SSLv3 by default, this is an 
> issue of fetchmail looking for symbols in libssl *which don't exist*.
>
> The first would only surface if, for example, libssl provided an empty 
> implementation of SSLv3 but still exported the symbols. What's happening 
> right now is that the symbols don't even exist, which leads to the program 
> not working at all. This is regardless of whether or not I actually utilize 
> SSLv3 as my protocol (which I never specifically requested).

I'm glad you are explaining this to me, but I think you misunderstood my point.
It is clear to me where this error is coming from and that it is openssl 
essentially breaking compatibility here.
I merely made the point that in the git version of fetchmail sslv3 is by 
default not negotiated, which is why I think your patch is not helpful as it 
clearly wasn't upstream's intention to remove this support entirely, at least 
not in this form.

So in conclusion, also after seeing Matthias' take on this, I'll change this 
bug to wishlist for providing a possibility to disable sslv3 or remove it 
entirely. I know this is not your original intention with filing the bug, but 
there is nothing to fix from the fetchmail package point of view right now; 
this is something the openssl maintainer needs to fix by properly bumping the 
soname and package names. My alternative would be to close the bug or reassign 
it to openssl, but I do think that it's reasonable to ask for this particular 
"feature change" anyway, so we can as well track it.

Cheers
Nico

-- 
Nico Golde - XMPP: nion at jabber.ccc.de - GPG: 0xA0A0AAAA
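
The runtime detection suggested in the quoted message (check whether libssl exports the SSLv3 symbols before relying on them), sketched as an added example that is not code from fetchmail or from this thread. The symbol names in CANDIDATES are OpenSSL API names assumed here; the messages above do not list them.

```python
import ctypes
import ctypes.util

# OpenSSL method-constructor names (assumption: not quoted anywhere in the thread).
CANDIDATES = ("SSLv3_client_method", "TLSv1_client_method", "TLS_client_method")


def open_library(name):
    """Load a shared library by short name ("ssl"); None means the running process."""
    if name is None:
        return ctypes.CDLL(None)
    path = ctypes.util.find_library(name)
    if path is None:
        raise OSError(f"shared library {name!r} not found")
    return ctypes.CDLL(path)


def probe_symbols(lib, names):
    """Return {symbol: exported?} without calling anything in the library."""
    result = {}
    for sym in names:
        try:
            getattr(lib, sym)  # ctypes performs the dynamic symbol lookup here
            result[sym] = True
        except AttributeError:  # raised when the library does not export sym
            result[sym] = False
    return result


if __name__ == "__main__":
    try:
        libssl = open_library("ssl")
    except OSError as exc:
        print(f"cannot probe: {exc}")
    else:
        found = probe_symbols(libssl, CANDIDATES)
        for sym, present in found.items():
            print(f"{sym:24} {'exported' if present else 'MISSING'}")
        if not found["SSLv3_client_method"]:
            print("this libssl exports no SSLv3 client method; a program that "
                  "references the symbol cannot resolve it")
```

The probe only looks symbols up and never calls into the library, so it is safe to run against whatever libssl the system has installed.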