
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 124401
Status: rejected
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: noamr [...] beyondsecurity.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Debian Wheezy drops OpenSSL TLSv1 and TLSv1.1
Date: Mon, 12 Feb 2018 17:00:57 +0200
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Noam Rathaus <noamr [...] beyondsecurity.com>
Debian Wheezy no longer includes OpenSSL with TLSv1 and TLSv1.1, making it impossible to go through the "make test":

    t/plain_upgrade_downgrade.t ....... ok
    t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled without TLSv1_1 support

    # Failed test 'accept SSLv23:!TLSv1_2 with TLSv1'
    # at t/protocol_version.t line 135.
    # got: 'TLSv1_1'
    # expected: 'TLSv1'
    # Looks like you failed 1 test of 8.

A possible workaround (which I used) is to remove TLSv1 TLSv1_1 references from the package

Not sure if this is a good overall solution

--
Thanks,
Noam Rathaus
Beyond Security
PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)

On Mon 12 Feb 2018, 10:01:51, noamr@beyondsecurity.com wrote:
> Debian Wheezy no longer includes OpenSSL with TLSv1 and TLSv1.1, making it
> impossible to go through the "make test":
> t/plain_upgrade_downgrade.t ....... ok
> t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled
> without TLSv1_1 support
>
> # Failed test 'accept SSLv23:!TLSv1_2 with TLSv1'
> # at t/protocol_version.t line 135.
> # got: 'TLSv1_1'
> # expected: 'TLSv1'
> # Looks like you failed 1 test of 8.
>
> A possible workaround (which I used) is to remove TLSv1 TLSv1_1 references
> from the package
>
> Not sure if this is a good overall solution
>

I cannot reproduce the problem.

First, I cannot see that OpenSSL on Wheezy has disabled TLS 1.0 and TLS 1.1 but only that on some newer versions like buster the change is done. The change was reverted but if I install the relevant version 1.1.0f-5 of openssl, libssl1.1-dev and libssl-dev I get the following output:

    ok 1 - accept SSLv23 with any, got TLSv1_2
    # looks like OpenSSL was compiled without SSLv3 support
    # looks like OpenSSL was compiled without TLSv1 support
    # failed to accept TLSv1
    # failed to accept TLSv1_1
    # looks like OpenSSL was compiled without TLSv1_1 support
    ok 2 - accept TLSv1_2 with TLSv1_2
    ok 3 - accept SSLv23 with TLSv1_2
    1..3

This means it correctly identifies that TLSv1 and TLSv1_1 are not available and adapts the test so that it still succeeds.

Given that you did not specify a version of IO::Socket::SSL you use, my guess is that you are using a version older than 2.050 because such an issue was fixed in 2.050.

CC: behroozi [...] www.pls.uni.edu
Subject: Re: [rt.cpan.org #124401] Debian Wheezy drops OpenSSL TLSv1 and TLSv1.1
Date: Thu, 15 Feb 2018 13:36:30 +0000
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Noam Rathaus <noamr [...] beyondsecurity.com>
Hi

I will check the version next week and tell you, I don’t have access to the machine at the moment

On Thu, 15 Feb 2018 at 14:26, Steffen Ullrich via RT <bug-IO-Socket-SSL@rt.cpan.org> wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=124401 >
>
> On Mon 12 Feb 2018, 10:01:51, noamr@beyondsecurity.com wrote:
> > Debian Wheezy no longer includes OpenSSL with TLSv1 and TLSv1.1, making it
> > impossible to go through the "make test":
> > t/plain_upgrade_downgrade.t ....... ok
> > t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled
> > without TLSv1_1 support
> >
> > # Failed test 'accept SSLv23:!TLSv1_2 with TLSv1'
> > # at t/protocol_version.t line 135.
> > # got: 'TLSv1_1'
> > # expected: 'TLSv1'
> > # Looks like you failed 1 test of 8.
> >
> > A possible workaround (which I used) is to remove TLSv1 TLSv1_1 references
> > from the package
> >
> > Not sure if this is a good overall solution
> >
>
> I cannot reproduce the problem.
> First, I cannot see that OpenSSL on Wheezy has disabled TLS 1.0 and TLS
> 1.1 but only that on some newer versions like buster the change is done.
> The change was reverted but if I install the relevant version 1.1.0f-5 of
> openssl, libssl1.1-dev and libssl-dev I get the following output:
>
> ok 1 - accept SSLv23 with any, got TLSv1_2
> # looks like OpenSSL was compiled without SSLv3 support
> # looks like OpenSSL was compiled without TLSv1 support
> # failed to accept TLSv1
> # failed to accept TLSv1_1
> # looks like OpenSSL was compiled without TLSv1_1 support
> ok 2 - accept TLSv1_2 with TLSv1_2
> ok 3 - accept SSLv23 with TLSv1_2
> 1..3
>
> This means it correctly identifies that TLSv1 and TLSv1_1 are not
> available and adapts the test so that it still succeeds.
>
> Given that you did not specify a version of IO::Socket::SSL you use my
> guess is that you are using a version older than 2.050 because such an
> issue was fixed in 2.050.
>
>
>
--
Thanks, Noam Rathaus
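
Added example, not part of the ticket or of IO::Socket::SSL: a Python triage helper for t/protocol_version.t output like the two runs quoted in this thread. It lists the protocol versions a run reported as unavailable and marks a failure as suspect when its got/expected value is one of those versions; that rule, the function name `triage` and the regular expressions are assumptions of this example.

```python
import re

# Reporter's run, copied from the ticket and re-broken into lines.
REPORTER_RUN = """\
t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled without TLSv1_1 support
# Failed test 'accept SSLv23:!TLSv1_2 with TLSv1'
# at t/protocol_version.t line 135.
# got: 'TLSv1_1'
# expected: 'TLSv1'
# Looks like you failed 1 test of 8.
"""

# Maintainer's run with libssl 1.1.0f-5, also copied from the ticket.
MAINTAINER_RUN = """\
ok 1 - accept SSLv23 with any, got TLSv1_2
# looks like OpenSSL was compiled without SSLv3 support
# looks like OpenSSL was compiled without TLSv1 support
# failed to accept TLSv1
# failed to accept TLSv1_1
# looks like OpenSSL was compiled without TLSv1_1 support
ok 2 - accept TLSv1_2 with TLSv1_2
ok 3 - accept SSLv23 with TLSv1_2
1..3
"""

MISSING = re.compile(r"compiled without (\S+) support")
FAILED = re.compile(r"# Failed test '([^']*)'")
VALUE = re.compile(r"#\s+(got|expected): '([^']*)'")

def triage(tap):
    """Return (missing protocols, all failures, suspect failures)."""
    missing, failures = set(), []
    for line in tap.splitlines():
        if m := MISSING.search(line):
            missing.add(m.group(1))
        elif m := FAILED.search(line):
            failures.append({"name": m.group(1)})
        elif (m := VALUE.search(line)) and failures:
            failures[-1][m.group(1)] = m.group(2)
    # Heuristic: a failure whose got/expected value is a protocol the same run
    # declared unavailable points at availability detection, not the handshake.
    suspect = [f for f in failures
               if {f.get("got"), f.get("expected")} & missing]
    return missing, failures, suspect

if __name__ == "__main__":
    for label, run in (("reporter", REPORTER_RUN), ("maintainer", MAINTAINER_RUN)):
        print(label, triage(run))
```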