diff -Nru resiprocate-1.9.7/debian/changelog resiprocate-1.9.7/debian/changelog
--- resiprocate-1.9.7/debian/changelog 2014-05-31 12:51:11.000000000 +0200
+++ resiprocate-1.9.7/debian/changelog 2014-12-10 07:28:30.000000000 +0100
@@ -1,3 +1,10 @@
+resiprocate (1:1.9.7-4) unstable; urgency=medium
+
+ * Use SSLv23_method instead of TLSv1_method and
+ avoid TLS 1.2 when acting as client. (Closes: #772632)
+
+ -- Daniel Pocock Tue, 09 Dec 2014 11:34:48 +0100
+
 resiprocate (1.9.7-1) unstable; urgency=medium

 * New upstream release.
diff -Nru resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch
--- resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch 1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0001-use-SSLv23_method.patch 2014-12-09 11:30:51.000000000 +0100
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+ wsCookieContextFactory.reset(new BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+ }
+
++ SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+ try
+ {
+ // Check if advanced transport settings are provided
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+ ipAddr, // interface to bind to
+ tlsDomain,
+ Data::Empty, // private key passphrase - not currently used
+- SecurityTypes::TLSv1, // sslType
++ defaultSSLType, // sslType
+ 0, // transport flags
+ tlsCertificate, tlsPrivateKey,
+ cvm, // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+ }
+ if (tlsPort)
+ {
+- if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+- if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++ if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++ if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+ }
+ if (wsPort)
+ {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+ }
+ if (wssPort)
+ {
+- if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+- if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++ if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++ if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+ }
+ if (dtlsPort)
+ {
+- if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
+- if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
++ if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
++ if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
+ }
+ }
+ }
diff -Nru resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch
--- resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch 1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/0002-client-avoid-TLSv1_2.patch 2014-12-09 11:33:41.000000000 +0100
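Review bot: The new `defaultSSLType = SecurityTypes::SSLv23` in the first ReproRunner.cxx hunk widens the accepted protocol range in both directions, and nothing visible in this patch excludes the legacy end. Assuming SecurityTypes::SSLv23 selects OpenSSL's SSLv23_method (as the changelog entry says), the context negotiates the highest version both peers support but also accepts SSLv3 unless `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` is set where the SSL_CTX is created; that code is outside this patch and should be checked. The same value is now passed to the two DTLS addTransport calls in the last hunk, where a TLS method selector may not be meaningful, which is worth confirming. I would declare it `const SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;` with a comment such as `// version-flexible method: negotiates the highest common TLS version; SSLv2/SSLv3 must be disabled via SSL_CTX options`. addTransports starts and ends outside these hunks.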
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
+ }
+ SSL_set_verify(mSsl, verify_mode, 0);
+ }
++ else
++ {
++ // some TLS v1.2 servers have been troublesome
++ SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++ }
+
+ mBio = BIO_new_socket((int)fd,0/*close flag*/);
+ assert( mBio );
diff -Nru resiprocate-1.9.7/debian/patches/series resiprocate-1.9.7/debian/patches/series
--- resiprocate-1.9.7/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ resiprocate-1.9.7/debian/patches/series 2014-12-09 11:33:48.000000000 +0100
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch
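Review bot: The added `else` branch in TlsConnection.cxx disables TLS 1.2 unconditionally with `SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2)`, so every connection taking this path is capped at TLS 1.1 or lower even when the peer handles 1.2 correctly. The condition of the matching `if` is outside the hunk; the changelog indicates this path is the client role. A blanket cap like this is better made opt-in through a configuration setting, so that interoperability with a few servers does not lower the protocol version for all peers. At minimum the comment should name the workaround and its cost, for example `// Workaround (Debian #772632): some TLS 1.2 servers have been troublesome; this caps the client at TLS 1.1 - revisit`. The constructor body continues outside the hunk.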