Ubuntu
irssi package

19disable_sslv2 patch breaks TLSv1.1

Bug #966793 reported by pi-rho
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Irssi
Confirmed
Undecided
Unassigned
irssi (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

According to OpenSSL library documentation[1], calling SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of workarounds. These workarounds actually degrade the security of OpenSSL. A side-effect is that it breaks modern TLSv1.1.

With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server using FIPS algorithms results in "unknown protocol" (Attached: irssi-r5136.patch)

With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful (Attached: irssi-r5136-revised.patch)

Source package with revised patch applied: https://launchpad.net/~pi-rho/+archive/security/+files/irssi_0.8.15-4ubuntu3~ppa2~p.dsc

Also, reported upstream at: http://bugs.irssi.org/index.php?do=details&task_id=841

[1] OpenSSL Documentation, SSL_CTX_set_options: http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

Tags: patch
Revision history for this message
pi-rho (pi-rho) wrote :
visibility: private → public
Revision history for this message
pi-rho (pi-rho) wrote :

Attached original patch (named 19disable_sslv2 in the Ubuntu source package, svn revision 5136 in the upstream vcs)

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "revised patch to disable SSLv2 without downgrading the security of OpenSSL" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Tyler Hicks (tyhicks) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
security vulnerability: yes → no
Revision history for this message
pi-rho (pi-rho) wrote :

Seems fair. Thanks for looking at it Tyler.

Revision history for this message
pi-rho (pi-rho) wrote :

Attached patch was accepted upstream in the irssi svn trunk as revision 5216.

Changed in irssi:
status: New → Confirmed
Changed in irssi (Ubuntu):
status: New → Confirmed
Revision history for this message
Rhonda D'Vine (rhonda) wrote :

I am currently packaging 0.8.16~rc1 - and it will fix the issue once it hits the pool. Thanks for bringing it up! :)

Changed in irssi (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Steve Langasek (vorlon) wrote :

Utopic now has irssi 0.8.16, so I believe this issue is resolved.

Changed in irssi (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.