[Pkg-sympa-devel] Bug#783595: sympa: LDAP support for SSLv3 broken on Debian 8.0 ("Jessie")

Florian Wunderlich spamtrap at factor3.de
Tue Apr 28 08:58:44 UTC 2015


Package: sympa
Version: 6.1.23~dfsg-2
Severity: important
Tags: patch

Both LDAP authentication and LDAP data sources using ssl_version sslv3 are
broken in Debian 8.0. The LDAP server used is OpenLDAP from Debian 8.0. A
real (non-self signed) certificate is used.

This thus affects /etc/sympa/auth.conf and /var/lib/sympa/list_data/*/config.

A completely nondescript error message is emitted ("Unable to connect to
the LDAP server").

Debugging this using

  openssl s_server -accept 636 \
    -key mykey.pem \
    -cert mycert.pem

prints the following:

ACCEPT
ERROR
139697326311056:error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol:s23_srvr.c:610:
shutting down SSL
CONNECTION CLOSED


Replacing sslv3 with tlsv1 resolves the problem, but Sympa has another bug
in this regard where /usr/share/sympa/lib/List.pm has a bad ssl_version
constant for TLSv1: it uses "tls" instead of "tlsv1".

Thus:

1. Replace "sslv3" with "tlsv1" for "ssl_version" in /etc/sympa/auth.conf

2. Patch /usr/share/sympa/lib/List.pm:

--- /usr/share/sympa/lib/List.pm~       2015-04-28 10:30:05.879888964 +0200
+++ /usr/share/sympa/lib/List.pm        2015-04-28 10:30:30.679888964 +0200
@@ -877,7 +877,7 @@
                                                                            'gettext_id' => 'use SSL (LDAPS)',
                                                                            'order' => 2.5,
                                                                        },
-                                                             'ssl_version' => {'format' => ['sslv2','sslv3','tls'],
+                                                             'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'],
                                                                                'default' => 'sslv3',
                                                                                'gettext_id' => 'SSL version',
                                                                                'order' => 2.5,
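Review bot: the context line 'default' => 'sslv3' directly below the changed 'format' line still selects the protocol that this report shows failing on Debian 8.0, so a configuration that omits ssl_version keeps failing after the patch is applied. Change the default to 'tlsv1' in this same hunk so the fix also covers installations that never set the parameter explicitly.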
@@ -1001,7 +1001,7 @@
                                                                            'gettext_id' => 'use SSL (LDAPS)',
                                                                            'order' => 2.5,
                                                                        },
-                                                             'ssl_version' => {'format' => ['sslv2','sslv3','tls'],
+                                                             'ssl_version' => {'format' => ['sslv2','sslv3','tlsv1'],
                                                                                'default' => '',
                                                                                'gettext_id' => 'SSL version',
                                                                                'order' => 2.5,
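Review bot: removing 'tls' from the 'format' list here leaves any list configuration that already stores ssl_version tls with a value outside the accepted set, which is why step 3 has to ask for every data source to be edited by hand. Keep 'tls' accepted as a legacy spelling that is treated as 'tlsv1', or ship a migration with the change, so that an upgrade does not depend on manual edits. Since 'sslv2' and 'sslv3' stay in the list, a comment marking them as deprecated would help the next reader.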
@@ -1579,7 +1579,7 @@
     # include_ldap_2level_query.ssl_version, include_ldap_query.ssl_version
     'sslv2' => {'gettext_id' => 'SSL version 2'},
     'sslv3' => {'gettext_id' => 'SSL version 3'},
-    'tls'   => {'gettext_id' => 'TLS'},
+    'tlsv1'   => {'gettext_id' => 'TLS'},

     # editor.reception, owner_include.reception, owner.reception,
     # editor_include.reception
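Review bot: the added line 'tlsv1'   => {...} keeps the three spaces that padded the shorter 'tls' key, so its => no longer lines up with the 'sslv2' and 'sslv3' entries above; use a single space. The label also stays 'TLS' while its neighbours read 'SSL version 2' and 'SSL version 3', so consider whether the gettext_id should name the version now that the key does.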


3. Either change the ssl_version parameter for all data sources on the
Web interface to "TLS", or edit /var/lib/sympa/list_data/*/config accordingly.


-- System Information:
Debian Release: 8.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser                           3.113+nmu3
ii  ca-certificates                   20141019
ii  dbconfig-common                   1.8.47+nmu3
ii  debconf [debconf-2.0]             1.5.56
ii  libarchive-zip-perl               1.39-1
ii  libc6                             2.19-18
ii  libcgi-fast-perl                  1:2.04-1
ii  libcgi-pm-perl                    4.09-1
ii  libdbd-mysql-perl                 4.028-2+b1
ii  libdbd-pg-perl                    3.4.2-1
ii  libdbd-sqlite3-perl               1.44-1
ii  libdbd-sybase-perl                1.14-1+b2
ii  libdbi-perl                       1.631-3+b1
ii  libfcgi-perl                      0.77-1+b1
ii  libfile-copy-recursive-perl       0.38-1
ii  libhtml-format-perl               2.11-1
ii  libhtml-stripscripts-parser-perl  1.03-1
ii  libhtml-tree-perl                 5.03-1
ii  libintl-perl                      1.23-1
ii  libio-stringy-perl                2.110-5
ii  libmailtools-perl                 2.13-1
ii  libmime-charset-perl              1.011.1-1
ii  libmime-encwords-perl             1.014.3-1
ii  libmime-lite-html-perl            1.24-1
ii  libmime-tools-perl                5.505-1
ii  libmsgcat-perl                    1.03-6+b1
ii  libnet-ldap-perl                  1:0.6400+dfsg-2
ii  libnet-netmask-perl               1.9021-1
ii  libregexp-common-perl             2013031301-1
ii  libsoap-lite-perl                 1.11-1
ii  libtemplate-perl                  2.24-1.2+b1
ii  libterm-progressbar-perl          2.16-1
ii  libunicode-linebreak-perl         0.0.20140601-2
ii  libxml-libxml-perl                2.0116+dfsg-1+b1
ii  lsb-base                          4.1+Debian13+nmu1
ii  mhonarc                           2.6.19-1
ii  perl                              5.20.2-3
ii  perl-modules                      5.20.2-3
ii  postfix [mail-transport-agent]    2.11.3-1
ii  rsyslog [system-log-daemon]       8.4.2-1
ii  sqlite3                           3.8.7.1-1

Versions of packages sympa recommends:
ii  apache2-suexec                            2.4.10-10
ii  apache2-suexec-pristine [apache2-suexec]  2.4.10-10
ii  doc-base                                  0.10.6
ii  libapache2-mod-fcgid                      1:2.3.9-1+b1
ii  libcrypt-ciphersaber-perl                 0.61-4
ii  libfile-nfslock-perl                      1.24-1
ii  libio-socket-ssl-perl                     2.002-2
ii  libmail-dkim-perl                         0.40-1
ii  locales                                   2.19-18
ii  logrotate                                 3.8.7-1+b1
ii  postgresql                                9.4+165

Versions of packages sympa suggests:
ii  apache2 [httpd-cgi]             2.4.10-10
ii  apache2-mpm-worker [httpd-cgi]  2.4.10-10
pn  libauthcas-perl                 <none>
pn  libdbd-oracle-perl              <none>
pn  libtext-wrap-perl               <none>
ii  openssl                         1.0.1k-3

-- Configuration Files:
/etc/sympa/auth.conf [Errno 13] Permission denied: u'/etc/sympa/auth.conf'
/etc/sympa/sympa.conf-smime.in [Errno 13] Permission denied: u'/etc/sympa/sympa.conf-smime.in'
/etc/sympa/topics.conf [Errno 13] Permission denied: u'/etc/sympa/topics.conf'

-- debconf information excluded
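Steps 1 and 3 of the report above can be checked and applied with a small script. This is an added example, not part of the original report or of Sympa; it assumes each setting is a single "ssl_version <value>" line, and the sample files it runs on are constructed.

```shell
#!/bin/sh
# Added example, not part of the report. Assumption: each setting is a
# "ssl_version <value>" line, optionally indented, as in the constructed
# sample files below.

# audit_ssl_version FILE...
# Print "file:line:value" for every ssl_version that is not tlsv1.
audit_ssl_version() {
    awk '$1 == "ssl_version" && $2 != "tlsv1" {
             printf "%s:%d:%s\n", FILENAME, FNR, $2
         }' "$@"
}

# fix_ssl_version FILE
# Rewrite sslv3 and the misnamed "tls" to tlsv1, keeping FILE.bak and the
# original indentation. Commented-out lines are left untouched.
fix_ssl_version() {
    cp -p "$1" "$1.bak" &&
    sed -E 's/^([[:space:]]*ssl_version[[:space:]]+)(sslv3|tls)[[:space:]]*$/\1tlsv1/' \
        "$1.bak" > "$1"
}

# Demo on constructed files in a scratch directory (not real Sympa data).
demo=$(mktemp -d)
mkdir -p "$demo/list_data/staff"
printf 'ldap\n    host ldap.example.org:636\n    ssl_version sslv3\n' \
    > "$demo/auth.conf"
printf 'include_ldap_query\nhost ldap.example.org:636\nssl_version tls\n' \
    > "$demo/list_data/staff/config"

echo "before:"
audit_ssl_version "$demo/auth.conf" "$demo"/list_data/*/config
for f in "$demo/auth.conf" "$demo"/list_data/*/config; do
    fix_ssl_version "$f"
done
echo "after:"
audit_ssl_version "$demo/auth.conf" "$demo"/list_data/*/config
rm -rf "$demo"
```

On a real installation the audit would be run as audit_ssl_version /etc/sympa/auth.conf /var/lib/sympa/list_data/*/config, using the paths named in the report. Any sslv2 entries are reported but not rewritten, since the report only describes the sslv3 and tls cases.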


