Bug#675424: libnet-ssleay-perl: Incorrect constant value for OP_NO_TLSv1_1
John Jetmore
jj33 at pobox.com
Fri Jun 1 04:19:45 UTC 2012
Package: libnet-ssleay-perl
Version: 1.48-1
Severity: normal
While troubleshooting problems using the Net::SSLeay::OP_NO_TLSv1_1 constant
in a perl app, I came to realize that Net::SSLeay, as packaged in
libnet-ssleay-perl 1.48-1, does not return the proper constant value for
OP_NO_TLSv1_1.
I don't believe this is a bug in the openssl package, but it probably matters
that I have the Debian openssl 1.0.1c-1 package installed.
Here are the relevant (correct) constants from /usr/include/openssl/ssl.h:
ssl.h:#define SSL_OP_NO_SSLv2 0x01000000L
ssl.h:#define SSL_OP_NO_SSLv3 0x02000000L
ssl.h:#define SSL_OP_NO_TLSv1 0x04000000L
ssl.h:#define SSL_OP_NO_TLSv1_2 0x08000000L
ssl.h:#define SSL_OP_NO_TLSv1_1 0x10000000L
Here is a quick-and-dirty perl script to dump Net::SSLeay's version of
these constants:
###########
jetmore@lappy-vm2:~$ cat t.pl
#!/usr/bin/perl
use Net::SSLeay;
foreach my $const (qw(OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1 OP_NO_TLSv1_2)) {
    printf("%13s %010x\n", $const, &{"Net::SSLeay::$const"}());
}
###########
Here is the output of the above program when run with the most recent Debian
libnet-ssleay-perl (1.48-1):
###########
jetmore@lappy-vm2:~$ perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0000000400
OP_NO_TLSv1_2 0008000000
###########
As you can see, the value for OP_NO_TLSv1_1 is wrong. This is a real problem:
all of the other constants perform as expected in real TLS connections; TLSv1_1
does not.
I do not believe this is a problem in upstream. I downloaded Net-SSLeay-1.48 from
CPAN and compiled locally and it prints the correct TLSv1_1 constant:
###########
jetmore@lappy-vm2:~$ PERL5LIB=/home/jetmore/dev/lib/perl perl t.pl
  OP_NO_SSLv2 0001000000
  OP_NO_SSLv3 0002000000
  OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0010000000
OP_NO_TLSv1_2 0008000000
###########
These constants are pulled into SSLeay.so at build time, I believe. It feels like
libnet-ssleay-perl just needs to be rebuilt with the latest headers to correct the
problem. Seems likely to be related to this change from openssl-1.0.1b-1
(http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_1.0.1c-1/changelog#version1.0.1b-1):
- Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
can talk to servers supporting TLS 1.1 but not TLS 1.2
Thanks
--john
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-2-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libnet-ssleay-perl depends on:
ii libc6 2.13-32
ii libssl1.0.0 1.0.1c-1
ii perl 5.14.2-11
ii perl-base [perlapi-5.14.2] 5.14.2-11
libnet-ssleay-perl recommends no packages.
Versions of packages libnet-ssleay-perl suggests:
ii perl [libmime-base64-perl] 5.14.2-11
-- no debconf information
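
The comparison the report makes by eye, as an added example that is not part of the original message or of Net::SSLeay: it parses the ssl.h lines and the two t.pl outputs quoted above and lists every constant whose compiled-in value disagrees with the header. All function and variable names are assumptions of this example.

```python
import re

# ssl.h grep output as quoted in the report.
HEADER = """\
ssl.h:#define SSL_OP_NO_SSLv2 0x01000000L
ssl.h:#define SSL_OP_NO_SSLv3 0x02000000L
ssl.h:#define SSL_OP_NO_TLSv1 0x04000000L
ssl.h:#define SSL_OP_NO_TLSv1_2 0x08000000L
ssl.h:#define SSL_OP_NO_TLSv1_1 0x10000000L
"""
# t.pl output from the packaged module (1.48-1), as quoted in the report.
PACKAGED = """\
OP_NO_SSLv2 0001000000
OP_NO_SSLv3 0002000000
OP_NO_TLSv1 0004000000
OP_NO_TLSv1_1 0000000400
OP_NO_TLSv1_2 0008000000
"""
# t.pl output from the locally compiled CPAN build: differs only in TLSv1_1.
LOCAL = PACKAGED.replace("0000000400", "0010000000")

DEFINE_RE = re.compile(r"#define\s+SSL_(OP_\w+)\s+(0x[0-9A-Fa-f]+)[UuLl]*")
DUMP_RE = re.compile(r"^[ \t]*(OP_\w+)[ \t]+([0-9A-Fa-f]+)[ \t]*$", re.M)

def parse_header(text):
    """Map OP_* name -> int from '#define SSL_OP_* 0x...L' lines."""
    return {n: int(v, 16) for n, v in DEFINE_RE.findall(text)}

def parse_dump(text):
    """Map OP_* name -> int from t.pl's '<name> <hex>' lines."""
    return {n: int(v, 16) for n, v in DUMP_RE.findall(text)}

def find_drift(header, module):
    """Return {name: (header_value, module_value)} for each mismatch.
    A constant the module does not report at all shows up as None."""
    return {n: (want, module.get(n))
            for n, want in header.items() if module.get(n) != want}

def report(label, dump_text):
    """Print and return the drift between HEADER and one t.pl output."""
    drift = find_drift(parse_header(HEADER), parse_dump(dump_text))
    for name, (want, got) in sorted(drift.items()):
        shown = "missing" if got is None else f"{got:#010x}"
        print(f"{label}: {name} header={want:#010x} module={shown}")
    return drift

if __name__ == "__main__":
    report("packaged 1.48-1", PACKAGED)   # flags OP_NO_TLSv1_1
    report("local CPAN build", LOCAL)     # prints nothing
```

Run after any libssl header update, a check of this kind catches a binary module that still carries option bits from the headers it was built against.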