2017-08-07 22:31:20 |
Simon Déziel |
bug |
|
|
added bug |
2017-08-07 22:32:51 |
Simon Déziel |
attachment added |
|
TLSv1.0 see frame 14 https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/1709193/+attachment/4928589/+files/submission.pcap |
|
2017-08-07 22:39:40 |
Simon Déziel |
attachment added |
|
Linked with OpenSSL TLSv1.2 see frame 11 https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/1709193/+attachment/4928595/+files/submission-openssl.pcap |
|
2017-08-07 23:07:20 |
Simon Déziel |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857436 |
|
2017-08-10 00:13:47 |
Simon Déziel |
bug task added |
|
ssmtp |
|
2017-08-10 00:13:57 |
Simon Déziel |
bug task deleted |
ssmtp |
|
|
2017-08-10 00:14:22 |
Simon Déziel |
bug task added |
|
gnutls28 (Debian) |
|
2017-08-10 00:14:30 |
Simon Déziel |
ssmtp (Ubuntu): status |
New |
Invalid |
|
2017-08-10 00:14:42 |
Simon Déziel |
bug task added |
|
gnutls28 (Ubuntu) |
|
2017-08-10 00:14:58 |
Simon Déziel |
summary |
Unable to use TLSv1.1 or 1.2 |
Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer |
|
2017-08-10 00:23:01 |
Simon Déziel |
attachment added |
|
lp1709193-16.04.debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4929787/+files/lp1709193-16.04.debdiff |
|
2017-08-10 00:27:11 |
Ubuntu Foundations Team Bug Bot |
tags |
amd64 apport-bug xenial |
amd64 apport-bug patch xenial |
|
2017-08-10 00:27:17 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-08-10 00:40:53 |
Simon Déziel |
attachment added |
|
lp1709193-17.10.debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4929799/+files/lp1709193-17.10.debdiff |
|
2017-08-10 15:45:49 |
Simon Déziel |
attachment added |
|
lp1709193-17.04.debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1709193/+attachment/4930181/+files/lp1709193-17.04.debdiff |
|
2017-08-10 15:46:01 |
Simon Déziel |
bug task added |
|
gnutls26 (Ubuntu) |
|
2017-08-10 15:46:17 |
Simon Déziel |
attachment added |
|
lp1709193-14.04.debdiff https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1709193/+attachment/4930182/+files/lp1709193-14.04.debdiff |
|
2017-08-10 18:05:05 |
Bug Watch Updater |
gnutls28 (Debian): status |
Unknown |
Fix Released |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Artful |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
ssmtp (Ubuntu Artful) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls26 (Ubuntu Artful) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls28 (Ubuntu Artful) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Trusty |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
ssmtp (Ubuntu Trusty) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls26 (Ubuntu Trusty) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls28 (Ubuntu Trusty) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Xenial |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
ssmtp (Ubuntu Xenial) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls26 (Ubuntu Xenial) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls28 (Ubuntu Xenial) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Zesty |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
ssmtp (Ubuntu Zesty) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls26 (Ubuntu Zesty) |
|
2017-08-11 12:45:23 |
Marc Deslauriers |
bug task added |
|
gnutls28 (Ubuntu Zesty) |
|
2017-08-11 12:45:40 |
Marc Deslauriers |
gnutls26 (Ubuntu Trusty): status |
New |
Confirmed |
|
2017-08-11 12:45:50 |
Marc Deslauriers |
gnutls26 (Ubuntu Xenial): status |
New |
Invalid |
|
2017-08-11 12:45:59 |
Marc Deslauriers |
gnutls26 (Ubuntu Zesty): status |
New |
Invalid |
|
2017-08-11 12:46:20 |
Marc Deslauriers |
gnutls26 (Ubuntu Artful): status |
New |
Invalid |
|
2017-08-11 12:46:32 |
Marc Deslauriers |
ssmtp (Ubuntu Trusty): status |
New |
Invalid |
|
2017-08-11 12:46:42 |
Marc Deslauriers |
ssmtp (Ubuntu Xenial): status |
New |
Invalid |
|
2017-08-11 12:46:50 |
Marc Deslauriers |
bug task deleted |
ssmtp (Ubuntu) |
|
|
2017-08-11 12:47:02 |
Marc Deslauriers |
ssmtp (Ubuntu Zesty): status |
New |
Invalid |
|
2017-08-11 12:48:07 |
Marc Deslauriers |
gnutls28 (Ubuntu Trusty): status |
New |
Won't Fix |
|
2017-08-11 12:48:18 |
Marc Deslauriers |
gnutls28 (Ubuntu Xenial): status |
New |
Confirmed |
|
2017-08-11 12:48:27 |
Marc Deslauriers |
gnutls28 (Ubuntu Zesty): status |
New |
Confirmed |
|
2017-08-11 12:48:36 |
Marc Deslauriers |
gnutls28 (Ubuntu Artful): status |
New |
Confirmed |
|
2017-08-11 15:04:29 |
Marc Deslauriers |
gnutls28 (Ubuntu Artful): status |
Confirmed |
Fix Committed |
|
2017-08-11 15:48:07 |
Marc Deslauriers |
gnutls26 (Ubuntu Trusty): status |
Confirmed |
In Progress |
|
2017-08-11 15:48:15 |
Marc Deslauriers |
gnutls28 (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
2017-08-11 15:48:25 |
Marc Deslauriers |
gnutls28 (Ubuntu Zesty): status |
Confirmed |
In Progress |
|
2017-08-11 15:48:36 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-08-11 16:25:21 |
Simon Déziel |
description |
sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587 that offers TLSv1.0 and higher:
$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
Version: TLS 1.0 (0x0301)
Handshake Protocol: Client Hello
Version: TLS 1.0 (0x0301)
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl s_client is able to do:
$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Additional information:
$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
$ apt-cache policy ssmtp libgnutls-openssl27
ssmtp:
Installed: 2.64-8ubuntu1
Candidate: 2.64-8ubuntu1
Version table:
*** 2.64-8ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
100 /var/lib/dpkg/status
libgnutls-openssl27:
Installed: 3.4.10-4ubuntu1.3
Candidate: 3.4.10-4ubuntu1.3
Version table:
*** 3.4.10-4ubuntu1.3 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
3.4.10-4ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ssmtp 2.64-8ubuntu1 [modified: etc/ssmtp/revaliases]
ProcVersionSignature: Ubuntu 4.4.0-89.112-generic 4.4.76
Uname: Linux 4.4.0-89-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Mon Aug 7 18:13:33 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ssmtp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ssmtp.revaliases: [modified]
mtime.conffile..etc.ssmtp.revaliases: 2017-08-05T13:44:06.274302 |
[Impact]
Applications using the GnuTLS OpenSSL compat layer [1] are unable to use modern TLS versions (1.1 and 1.2) when relying on the SSLv23_{client,server}_method functions.
There is an industry-wide push to use modern TLS versions, see [2] and [3] for example.
The proposed fix changes the compat layer to use GnuTLS' "NORMAL" priority [4] instead of hard-coding which protocol versions and ciphers to enable.
[Test Case]
1) Set up a mail submission server that uses StartTLS
2) Set up sSMTP (uses GnuTLS OpenSSL compat layer) to relay through the mail relay using StartTLS
3) Send an email while capturing with tcpdump/tshark
4) Inspect the submission connection (TCP/587) and look for the protocol version negotiated by the client.
Without the fix, you should see TLSv1.0. With the fix, it should be TLSv1.2.
Please see the original issue description for more details.
[Regression Potential]
Regression risk should be low since it's a backport of a simple fix that landed in Debian in April 2017.
[References]
1: $ apt-cache rdepends libgnutls-openssl27
libgnutls-openssl27
Reverse Depends:
libgnutls-dev
libgnutls-dev
zoneminder
yaskkserv
tf5
ssmtp
snowdrop
sngrep
slrnpull
slrn
sipsak
macopix-gtk2
gnss-sdr
gkrellm
freewheeling
boinctui
iputils-ping
2: https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html
3: https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
4: https://gnutls.org/manual/html_node/Priority-Strings.html
[Original issue description]
sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587 that offers TLSv1.0 and higher:
$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
Version: TLS 1.0 (0x0301)
Handshake Protocol: Client Hello
Version: TLS 1.0 (0x0301)
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl s_client is able to do:
$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Additional information:
$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
$ apt-cache policy ssmtp libgnutls-openssl27
ssmtp:
Installed: 2.64-8ubuntu1
Candidate: 2.64-8ubuntu1
Version table:
*** 2.64-8ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
100 /var/lib/dpkg/status
libgnutls-openssl27:
Installed: 3.4.10-4ubuntu1.3
Candidate: 3.4.10-4ubuntu1.3
Version table:
*** 3.4.10-4ubuntu1.3 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
3.4.10-4ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ssmtp 2.64-8ubuntu1 [modified: etc/ssmtp/revaliases]
ProcVersionSignature: Ubuntu 4.4.0-89.112-generic 4.4.76
Uname: Linux 4.4.0-89-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Mon Aug 7 18:13:33 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ssmtp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ssmtp.revaliases: [modified]
mtime.conffile..etc.ssmtp.revaliases: 2017-08-05T13:44:06.274302 |
|
2017-08-12 20:44:01 |
Launchpad Janitor |
gnutls28 (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2017-08-17 22:29:22 |
Brian Murray |
gnutls28 (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-08-17 22:29:26 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2017-08-17 22:29:28 |
Brian Murray |
tags |
amd64 apport-bug patch xenial |
amd64 apport-bug patch verification-needed verification-needed-zesty xenial |
|
2017-08-17 22:30:38 |
Brian Murray |
gnutls28 (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-08-17 22:30:45 |
Brian Murray |
tags |
amd64 apport-bug patch verification-needed verification-needed-zesty xenial |
amd64 apport-bug patch verification-needed verification-needed-xenial verification-needed-zesty xenial |
|
2017-08-17 22:32:07 |
Brian Murray |
gnutls26 (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2017-08-17 22:32:14 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-08-17 22:32:16 |
Brian Murray |
tags |
amd64 apport-bug patch verification-needed verification-needed-xenial verification-needed-zesty xenial |
amd64 apport-bug patch verification-needed verification-needed-trusty verification-needed-xenial verification-needed-zesty xenial |
|
2017-08-18 14:50:26 |
Simon Déziel |
tags |
amd64 apport-bug patch verification-needed verification-needed-trusty verification-needed-xenial verification-needed-zesty xenial |
amd64 apport-bug patch verification-done-xenial verification-needed verification-needed-trusty verification-needed-zesty xenial |
|
2017-08-18 18:34:40 |
Simon Déziel |
tags |
amd64 apport-bug patch verification-done-xenial verification-needed verification-needed-trusty verification-needed-zesty xenial |
amd64 apport-bug patch verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial xenial |
|
2017-08-18 18:36:31 |
Simon Déziel |
tags |
amd64 apport-bug patch verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial xenial |
amd64 apport-bug patch verification-done-xenial verification-done-zesty verification-failed-trusty verification-needed xenial |
|
2017-08-21 18:41:38 |
Simon Déziel |
attachment added |
|
lp1709193-14.04-version2.debdiff https://bugs.launchpad.net/debian/+source/gnutls28/+bug/1709193/+attachment/4936464/+files/lp1709193-14.04-version2.debdiff |
|
2017-09-06 09:49:03 |
Launchpad Janitor |
gnutls28 (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-09-06 09:49:09 |
Andy Whitcroft |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-09-06 10:31:14 |
Andy Whitcroft |
bug |
|
|
added subscriber Ubuntu Security Team |
2017-09-07 22:23:54 |
Julian Andres Klode |
bug |
|
|
added subscriber Julian Andres Klode |
2017-09-09 04:48:16 |
Mathew Hodson |
bug task deleted |
ssmtp (Ubuntu Trusty) |
|
|
2017-09-09 04:48:24 |
Mathew Hodson |
bug task deleted |
ssmtp (Ubuntu Xenial) |
|
|
2017-09-09 04:48:31 |
Mathew Hodson |
bug task deleted |
ssmtp (Ubuntu Zesty) |
|
|
2017-09-09 04:48:38 |
Mathew Hodson |
bug task deleted |
ssmtp (Ubuntu Artful) |
|
|
2017-09-09 04:50:23 |
Mathew Hodson |
bug task deleted |
gnutls26 (Ubuntu Xenial) |
|
|
2017-09-09 04:50:30 |
Mathew Hodson |
bug task deleted |
gnutls26 (Ubuntu Zesty) |
|
|
2017-09-09 04:50:41 |
Mathew Hodson |
bug task deleted |
gnutls26 (Ubuntu Artful) |
|
|
2017-09-09 04:50:53 |
Mathew Hodson |
bug task deleted |
gnutls26 (Ubuntu) |
|
|
2017-09-09 04:52:32 |
Mathew Hodson |
gnutls26 (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2017-09-09 04:52:37 |
Mathew Hodson |
gnutls28 (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2017-09-09 04:52:39 |
Mathew Hodson |
gnutls28 (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-09-09 04:52:43 |
Mathew Hodson |
gnutls28 (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-09-09 04:52:46 |
Mathew Hodson |
gnutls28 (Ubuntu Artful): importance |
Undecided |
Medium |
|
2017-10-11 17:24:01 |
Simon Déziel |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878253 |
|
2017-10-26 17:36:40 |
Launchpad Janitor |
gnutls28 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-12-01 20:53:55 |
Mathew Hodson |
bug watch removed |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878253 |
|
|
2019-03-15 09:09:32 |
Timo Aaltonen |
gnutls26 (Ubuntu Trusty): status |
Fix Committed |
Won't Fix |
|
2019-03-19 02:01:05 |
Mathew Hodson |
tags |
amd64 apport-bug patch verification-done-xenial verification-done-zesty verification-failed-trusty verification-needed xenial |
amd64 apport-bug patch verification-done-xenial verification-done-zesty verification-failed-trusty xenial |
|