19disable_sslv2 patch breaks TLSv1.1

Bug #966793 reported by pi-rho on 2012-03-28
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Irssi
Confirmed
Undecided
Unassigned
irssi (Ubuntu)
Undecided
Unassigned

Bug Description

According to OpenSSL library documentation[1], calling SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of workarounds. These workarounds actually degrade the security of OpenSSL. A side-effect is that it breaks modern TLSv1.1.

With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server using FIPS algorithms results in "unknown protocol" (Attached: irssi-r5136.patch)

With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful (Attached: irssi-r5136-revised.patch)

Source package with revised patch applied: https://launchpad.net/~pi-rho/+archive/security/+files/irssi_0.8.15-4ubuntu3~ppa2~p.dsc

Also, reported upstream at: http://bugs.irssi.org/index.php?do=details&task_id=841

[1] OpenSSL Documentation, SSL_CTX_set_options: http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

pi-rho (pi-rho) wrote :
visibility: private → public
pi-rho (pi-rho) wrote :

Attached original patch (named 19disable_sslv2 in the Ubuntu source package, svn revision 5136 in the upstream vcs)

The attachment "revised patch to disable SSLv2 without downgrading the security of OpenSSL" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
security vulnerability: yes → no
pi-rho (pi-rho) wrote :

Seems fair. Thanks for looking at it Tyler.

pi-rho (pi-rho) wrote :

Attached patch was accepted upstream in the irssi svn trunk as revision 5216.

Changed in irssi:
status: New → Confirmed
Changed in irssi (Ubuntu):
status: New → Confirmed
Rhonda D'Vine (rhonda) wrote :

I am currently packaging 0.8.16~rc1 - and it will fix the issue once it hits the pool. Thanks for bringing it up! :)

Changed in irssi (Ubuntu):
status: Confirmed → In Progress
Steve Langasek (vorlon) wrote :

Utopic now has irssi 0.8.16, so I believe this issue is resolved.

Changed in irssi (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers