Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package ruby-httpclient

ruby-httpclient currently in Jessie FTBFS due to failing tests because of a deprecated default SSL configuration (#768673). The bug is fixed with 2.3.3-3.1, uploaded in unstable earlier today, thanks to Tomasz Buchert, who imported some fixes from upstream for a sane default configuration. Please find in attachment the debdiff between the two versions.

Thanks in advance.

Best wishes,
Cédric

unblock ruby-httpclient/2.3.3-3.1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-httpclient-2.3.3/debian/changelog ruby-httpclient-2.3.3/debian/changelog --- ruby-httpclient-2.3.3/debian/changelog 2014-06-27 03:03:36.000000000 +0200 +++ ruby-httpclient-2.3.3/debian/changelog 2014-11-27 11:33:03.000000000 +0100 @@ -1,3 +1,12 @@ +ruby-httpclient (2.3.3-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix default SSL configuration (Closes: #768673) + The patch 0003-fix-ssl-config.patch extracted from upstream code is + added to set the default SSL configuration to auto instead of SSLv3. + + -- Tomasz Buchert <tomasz.buch...@inria.fr> Wed, 26 Nov 2014 18:59:26 +0100 + ruby-httpclient (2.3.3-3) unstable; urgency=medium * fix-port-allocation-in-tests.patch: fix port allocation for servers diff -Nru ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch --- ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch 2014-11-27 11:16:13.000000000 +0100 
@@ -0,0 +1,64 @@ +Description: Change default SSL configuration + The POODLE attack (https://en.wikipedia.org/wiki/POODLE) deprecated the use + of SSLv3 protocol. We change the default configuration to autodetection + and try to explicitly disable SSLv2 and SSLv3, preferring TLS protocol suites + instead. + This patch is a minimal adaptation of a commit in the project's upstream: + https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da + +--- a/lib/httpclient/ssl_config.rb ++++ b/lib/httpclient/ssl_config.rb +@@ -34,7 +34,13 @@ + class SSLConfig + include OpenSSL if SSLEnabled + +- # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3 ++ # Which TLS protocol version (also called method) will be used. Defaults ++ # to :auto which means that OpenSSL decides (In my tests this resulted ++ # with always the highest available protocol being used). ++ # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1, ++ # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default). ++ # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions ++ # in your specific Ruby environment. + attr_reader :ssl_version + # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion. + # nil by default. (no client authenticateion) +@@ -83,8 +89,13 @@ + @verify_callback = nil + @dest = nil + @timeout = nil +- @ssl_version = "SSLv3" +- @options = defined?(SSL::OP_ALL) ? 
SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil ++ @ssl_version = :auto ++ # Follow ruby-ossl's definition ++ @options = OpenSSL::SSL::OP_ALL ++ @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ++ @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) ++ @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) ++ @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) + # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH" + @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default + @cacerts_loaded = false +@@ -283,7 +294,7 @@ + ctx.timeout = @timeout + ctx.options = @options + ctx.ciphers = @ciphers +- ctx.ssl_version = @ssl_version ++ ctx.ssl_version = @ssl_version unless @ssl_version == :auto + end + + # post connection check proc for ruby < 1.8.5. +--- a/test/test_ssl.rb ++++ b/test/test_ssl.rb +@@ -33,7 +33,10 @@ + assert_equal(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode) + assert_nil(cfg.verify_callback) + assert_nil(cfg.timeout) +- assert_equal(OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2, cfg.options) ++ expected_options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 ++ expected_options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ++ expected_options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) ++ assert_equal(expected_options, cfg.options) + assert_equal("ALL:!aNULL:!eNULL:!SSLv2", cfg.ciphers) + assert_instance_of(OpenSSL::X509::Store, cfg.cert_store) + end diff -Nru ruby-httpclient-2.3.3/debian/patches/series ruby-httpclient-2.3.3/debian/patches/series --- ruby-httpclient-2.3.3/debian/patches/series 2014-06-27 00:41:13.000000000 +0200 +++ ruby-httpclient-2.3.3/debian/patches/series 2014-11-27 11:16:13.000000000 +0100 
@@ -1,2 +1,3 @@ 0001-Remove-Hash-element-order-dependency.patch fix-port-allocation-in-tests.patch +0003-fix-ssl-config.patch
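Review bot: in the lib/httpclient/ssl_config.rb hunk at @@ -83,8 +89,13 @@, the new `@options = OpenSSL::SSL::OP_ALL` loses the guard that the removed line `@options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil` carried, so on a Ruby without a usable OpenSSL (the class only does `include OpenSSL if SSLEnabled`) SSLConfig#initialize now raises NameError where it used to leave @options nil. The four guarded `&=`/`|=` lines that follow would not save that case either, since they only guard the flag constant, not OP_ALL itself. Either wrap the whole block in `if defined?(OpenSSL::SSL::OP_ALL)` and keep the nil fallback, or state in the patch Description that SSLConfig now requires OpenSSL to be present.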
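Review bot: the lib/httpclient/ssl_config.rb hunk at @@ -283,7 +294,7 @@ skips the assignment only for the symbol, `ctx.ssl_version = @ssl_version unless @ssl_version == :auto`, while the new attr_reader comment in the earlier hunk documents ":auto (and nil)" as the two ways to request version negotiation; with @ssl_version set to nil the assignment still runs and hands nil to SSLContext#ssl_version=. Make the two agree, e.g. `unless @ssl_version.nil? || @ssl_version == :auto`, or drop "(and nil)" from the comment if nil is not meant to be supported.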
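Review bot: the test/test_ssl.rb hunk at @@ -33,7 +33,10 @@ only re-asserts `cfg.options`; nothing checks the actual behavioural change the changelog advertises, that the default is now `:auto` instead of "SSLv3", so a regression back to a fixed version string would not be caught. Add `assert_equal(:auto, cfg.ssl_version)` next to the options assertion. Also, `expected_options` references `OpenSSL::SSL::OP_NO_SSLv3` unconditionally while the implementation only ORs it in under `if defined?(OpenSSL::SSL::OP_NO_SSLv3)`, so on an OpenSSL build lacking that constant the test raises NameError rather than reporting the mismatch; guard it the same way as the other two flags.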