Package: libnet-ssleay-perl
Version: 1.48-1
Severity: normal

While troubleshooting problems using the Net::SSLeay::OP_NO_TLSv1_1 constant in a Perl app, I came to realize that Net::SSLeay, as packaged in libnet-ssleay-perl 1.48-1, does not return the proper constant value for OP_NO_TLSv1_1.
I don't believe this is a bug in the openssl package, but it probably matters that I have the Debian openssl 1.0.1c-1 package installed. Here are the relevant (correct) constants from /usr/include/openssl/ssl.h:

ssl.h:#define SSL_OP_NO_SSLv2 0x01000000L
ssl.h:#define SSL_OP_NO_SSLv3 0x02000000L
ssl.h:#define SSL_OP_NO_TLSv1 0x04000000L
ssl.h:#define SSL_OP_NO_TLSv1_2 0x08000000L
ssl.h:#define SSL_OP_NO_TLSv1_1 0x10000000L

Here is a quick-and-dirty Perl script to dump Net::SSLeay's version of these constants:

###########
jetmore@lappy-vm2:~$ cat t.pl
#!/usr/bin/perl

use Net::SSLeay;

foreach my $const (qw(OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1 OP_NO_TLSv1_2)) {
    printf("%13s %010x\n", $const, &{"Net::SSLeay::$const"}());
}
###########

Here is the output of the above program when run with the most recent Debian libnet-ssleay-perl (1.48-1):

###########
jetmore@lappy-vm2:~$ perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0000000400
OP_NO_TLSv1_2 0008000000
###########

As you can see, the value for OP_NO_TLSv1_1 is wrong. This is a real problem: all of the other constants perform as expected in real TLS connections; TLSv1_1 does not.

I do not believe this is a problem in upstream. I downloaded Net-SSLeay-1.48 from CPAN and compiled locally and it prints the correct TLSv1_1 constant:

###########
jetmore@lappy-vm2:~$ PERL5LIB=/home/jetmore/dev/lib/perl perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0010000000
OP_NO_TLSv1_2 0008000000
###########

These constants are pulled into SSLeay.so at build time, I believe. It feels like libnet-ssleay-perl just needs to be rebuilt with the latest headers to correct the problem.

Seems likely to be related to this change from openssl-1.0.1b-1 (http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_1.0.1c-1/changelog#version1.0.1b-1):

  - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
    can talk to servers supporting TLS 1.1 but not TLS 1.2

Thanks
--john

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnet-ssleay-perl depends on:
ii  libc6                        2.13-32
ii  libssl1.0.0                  1.0.1c-1
ii  perl                         5.14.2-11
ii  perl-base [perlapi-5.14.2]   5.14.2-11

libnet-ssleay-perl recommends no packages.

Versions of packages libnet-ssleay-perl suggests:
ii  perl [libmime-base64-perl]   5.14.2-11

-- no debconf information
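
Added example, not part of the original report: a Perl check that reads the SSL_OP_NO_* defines from the installed ssl.h and compares each with the value Net::SSLeay returns, so a binding built against older headers shows up as a mismatch. It assumes the header path and the "#define NAME 0x...L" form quoted in the report; the script and its variable names are illustrative.

```perl
#!/usr/bin/perl
# Added example: compare Net::SSLeay's OP_NO_* values with the installed header.
use strict;
use warnings;
use Net::SSLeay;

# Assumption: header path as quoted in the report; pass another path as argument.
my $header = shift // '/usr/include/openssl/ssl.h';
my @names  = qw(OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1 OP_NO_TLSv1_2);

# Collect "#define SSL_OP_NO_* 0x...L" lines, the form shown in the report.
my %header_value;
open my $fh, '<', $header or die "cannot read $header: $!\n";
while (my $line = <$fh>) {
    next unless $line =~ /^\s*#\s*define\s+SSL_(OP_NO_\w+)\s+0x([0-9A-Fa-f]+)[UL]*\b/;
    $header_value{$1} = hex $2;
}
close $fh;

my $mismatches = 0;
for my $name (@names) {
    # Call the constant by name, as t.pl in the report does; eval catches
    # constants that this build of the module does not provide.
    my $module_value = eval { no strict 'refs'; &{"Net::SSLeay::$name"}() };
    my $expected     = $header_value{$name};

    my $status;
    if    (!defined $expected)          { $status = 'not in header' }
    elsif (!defined $module_value)      { $status = 'not in module' }
    elsif ($module_value == $expected)  { $status = 'ok' }
    else                                { $status = 'MISMATCH' }
    $mismatches++ if $status ne 'ok';

    printf "%-13s header=%-10s module=%-10s %s\n", $name,
        defined $expected     ? sprintf('0x%08x', $expected)     : '-',
        defined $module_value ? sprintf('0x%08x', $module_value) : '-',
        $status;
}

# Non-zero exit lets a build or deployment check fail on a stale binding.
exit($mismatches ? 1 : 0);
```

A MISMATCH line for OP_NO_TLSv1_1 means passing that constant to the library sets a different option bit than the one the header defines, so the protocol version the application meant to disable stays enabled.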