[Pkg-sympa-devel] Bug#783595: sympa: LDAP support for SSLv3 broken on Debian 8.0 ("Jessie")
Florian Wunderlich
spamtrap at factor3.de
Tue Apr 28 08:58:44 UTC 2015
Package: sympa
Version: 6.1.23~dfsg-2
Severity: important
Tags: patch
Both LDAP authentication and LDAP data sources using ssl_version sslv3 are
broken in Debian 8.0. The LDAP server used is OpenLDAP from Debian 8.0. A
real (non-self-signed) certificate is used.
This thus affects /etc/sympa/auth.conf and /var/lib/sympa/list_data/*/config.
A completely nondescript error message is emitted ("Unable to connect to
the LDAP server").
Debugging this using

    openssl s_server -accept 636 \
        -key mykey.pem \
        -cert mycert.pem

prints the following:

    ACCEPT
    ERROR
    139697326311056:error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol:s23_srvr.c:610:
    shutting down SSL
    CONNECTION CLOSED

Replacing sslv3 with tlsv1 resolves the problem, but Sympa has another bug
in this regard where /usr/share/sympa/lib/List.pm has a bad ssl_version
constant for TLSv1: it uses "tls" instead of "tlsv1".
Thus:
1. Replace "sslv3" with "tlsv1" for "ssl_version" in /etc/sympa/auth.conf
2. Patch /usr/share/sympa/lib/List.pm:
--- /usr/share/sympa/lib/List.pm~ 2015-04-28 10:30:05.879888964 +0200
+++ /usr/share/sympa/lib/List.pm 2015-04-28 10:30:30.679888964 +0200
@@ -877,7 +877,7 @@
'gettext_id' => 'use SSL (LDAPS)',
'order' => 2.5,
},
- 'ssl_version' => {'format' => ['sslv2','sslv3','tls'],
+ 'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'],
'default' => 'sslv3',
'gettext_id' => 'SSL version',
'order' => 2.5,
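Review bot: the context line 'default' => 'sslv3' directly under the changed 'format' entry still makes SSLv3 the value used when ssl_version is unset, which is the setting this report shows failing. Consider changing that default to 'tlsv1' in the same hunk. Dropping 'tls' from the 'format' list also means a configuration that already stores 'tls' no longer matches an accepted value, so either keep 'tls' as an accepted alias or state the migration step in the changelog.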
@@ -1001,7 +1001,7 @@
'gettext_id' => 'use SSL (LDAPS)',
'order' => 2.5,
},
- 'ssl_version' => {'format' => ['sslv2','sslv3','tls'],
+ 'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'],
'default' => '',
'gettext_id' => 'SSL version',
'order' => 2.5,
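Review bot: this 'format' list is a verbatim copy of the one changed at line 877, and the same strings appear again as keys in the table near line 1579, so every rename has to be repeated in three places. Consider defining the accepted ssl_version values once and referencing them from each parameter definition. The 'default' here is '' while the definition at line 877 uses 'sslv3'; a comment saying what an empty default selects would help whoever edits this next.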
@@ -1579,7 +1579,7 @@
# include_ldap_2level_query.ssl_version, include_ldap_query.ssl_version
'sslv2' => {'gettext_id' => 'SSL version 2'},
'sslv3' => {'gettext_id' => 'SSL version 3'},
- 'tls' => {'gettext_id' => 'TLS'},
+ 'tlsv1' => {'gettext_id' => 'TLS'},
# editor.reception, owner_include.reception, owner.reception,
# editor_include.reception
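Review bot: the renamed key 'tlsv1' keeps the label 'TLS' while its neighbours read 'SSL version 2' and 'SSL version 3', so the interface does not say which TLS version is selected. A label such as 'TLS version 1' would match the key; if the gettext_id changes, the translation catalogs need the new string as well.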
3. Either change the ssl_version parameter for all data sources on the
Web interface to "TLS", or edit /var/lib/sympa/list_data/*/config accordingly.
-- System Information:
Debian Release: 8.0
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sympa depends on:
ii adduser 3.113+nmu3
ii ca-certificates 20141019
ii dbconfig-common 1.8.47+nmu3
ii debconf [debconf-2.0] 1.5.56
ii libarchive-zip-perl 1.39-1
ii libc6 2.19-18
ii libcgi-fast-perl 1:2.04-1
ii libcgi-pm-perl 4.09-1
ii libdbd-mysql-perl 4.028-2+b1
ii libdbd-pg-perl 3.4.2-1
ii libdbd-sqlite3-perl 1.44-1
ii libdbd-sybase-perl 1.14-1+b2
ii libdbi-perl 1.631-3+b1
ii libfcgi-perl 0.77-1+b1
ii libfile-copy-recursive-perl 0.38-1
ii libhtml-format-perl 2.11-1
ii libhtml-stripscripts-parser-perl 1.03-1
ii libhtml-tree-perl 5.03-1
ii libintl-perl 1.23-1
ii libio-stringy-perl 2.110-5
ii libmailtools-perl 2.13-1
ii libmime-charset-perl 1.011.1-1
ii libmime-encwords-perl 1.014.3-1
ii libmime-lite-html-perl 1.24-1
ii libmime-tools-perl 5.505-1
ii libmsgcat-perl 1.03-6+b1
ii libnet-ldap-perl 1:0.6400+dfsg-2
ii libnet-netmask-perl 1.9021-1
ii libregexp-common-perl 2013031301-1
ii libsoap-lite-perl 1.11-1
ii libtemplate-perl 2.24-1.2+b1
ii libterm-progressbar-perl 2.16-1
ii libunicode-linebreak-perl 0.0.20140601-2
ii libxml-libxml-perl 2.0116+dfsg-1+b1
ii lsb-base 4.1+Debian13+nmu1
ii mhonarc 2.6.19-1
ii perl 5.20.2-3
ii perl-modules 5.20.2-3
ii postfix [mail-transport-agent] 2.11.3-1
ii rsyslog [system-log-daemon] 8.4.2-1
ii sqlite3 3.8.7.1-1
Versions of packages sympa recommends:
ii apache2-suexec 2.4.10-10
ii apache2-suexec-pristine [apache2-suexec] 2.4.10-10
ii doc-base 0.10.6
ii libapache2-mod-fcgid 1:2.3.9-1+b1
ii libcrypt-ciphersaber-perl 0.61-4
ii libfile-nfslock-perl 1.24-1
ii libio-socket-ssl-perl 2.002-2
ii libmail-dkim-perl 0.40-1
ii locales 2.19-18
ii logrotate 3.8.7-1+b1
ii postgresql 9.4+165
Versions of packages sympa suggests:
ii apache2 [httpd-cgi] 2.4.10-10
ii apache2-mpm-worker [httpd-cgi] 2.4.10-10
pn libauthcas-perl <none>
pn libdbd-oracle-perl <none>
pn libtext-wrap-perl <none>
ii openssl 1.0.1k-3
-- Configuration Files:
/etc/sympa/auth.conf [Errno 13] Permission denied: u'/etc/sympa/auth.conf'
/etc/sympa/sympa.conf-smime.in [Errno 13] Permission denied: u'/etc/sympa/sympa.conf-smime.in'
/etc/sympa/topics.conf [Errno 13] Permission denied: u'/etc/sympa/topics.conf'
-- debconf information excluded
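
An added example, not part of the original report or of Sympa's code: a small audit for steps 1 and 3 above that lists the ssl_version settings still to be changed in auth.conf or a list config. It assumes paragraphs are separated by blank lines with the paragraph name on the first line, that "1" and "yes" are the enabled values of use_ssl, and that sslv2 is to be flagged alongside sslv3 and tls.

```python
import re
import sys

# "sslv3" is refused in the report and "tls" is the constant it replaces with
# "tlsv1"; "sslv2" is flagged on the assumption that it is refused as well.
BAD_VALUES = {"sslv2", "sslv3", "tls"}
PARAM_RE = re.compile(r"^\s*(use_ssl|ssl_version)\s+(\S+)\s*$")

# Constructed sample: one auth.conf-style and two list-config-style paragraphs.
SAMPLE = """\
ldap
    use_ssl 1
    ssl_version sslv3

include_ldap_query
use_ssl yes
ssl_version tls

include_ldap_query
use_ssl yes
"""


def audit(text, source="sample"):
    """Return (source, line, paragraph, value) for each setting to review."""
    findings, name, start, use_ssl, has_version = [], None, 0, False, False
    for line_no, line in enumerate(text.splitlines() + [""], 1):
        m = PARAM_RE.match(line)
        if not line.strip():  # a blank line closes the paragraph
            # The patch context shows one definition defaulting to 'sslv3',
            # so SSL enabled without an explicit version is reported too.
            if name and use_ssl and not has_version:
                findings.append((source, start, name, "(default)"))
            name, use_ssl, has_version = None, False, False
        elif name is None and not line.lstrip().startswith("#"):
            name, start = line.split()[0], line_no  # first line is the name
        elif m and m.group(1) == "use_ssl":
            use_ssl = m.group(2).lower() in ("1", "yes")  # assumed "on" values
        elif m:
            has_version = True
            if m.group(2).lower() in BAD_VALUES:
                findings.append((source, line_no, name, m.group(2)))
    return findings


if __name__ == "__main__":
    texts = [(p, open(p, errors="replace").read()) for p in sys.argv[1:]]
    for src, text in texts or [("sample", SAMPLE)]:
        for finding in audit(text, src):
            print("%s:%d: [%s] ssl_version %s" % finding)
```

Run it as root with /etc/sympa/auth.conf and the /var/lib/sympa/list_data/*/config files as arguments; without arguments it checks the constructed sample.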