Bug#871431: libexosip2: please switch to SSLv23_… or TLS_…_method

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Mon Aug 7 21:59:26 UTC 2017


Package: libexosip2
Version: 4.1.0-2.1
Severity: important
User: pkg-openssl-devel at lists.alioth.debian.org
Usertags: TLS1.0_1.1_removal

Your package uses a function which requests a TLS1.0 and/or TLS1.1 only
connection. Since openssl 1.1.0f-4 (currently in unstable) this means it
won't work, because that version only provides TLS1.2. See also [0].
Please switch to
	SSLv23_method() | SSLv23_server_method() | SSLv23_client_method()

or the recommended openssl 1.1+ functions:
	TLS_method() | TLS_server_method() | TLS_client_method()

as per the man page [1].
The code I identified, which probably needs to be replaced:
libexosip2-4.1.0/src/eXtl_tls.c:
|initialize_client_ctx (struct eXosip_t * excontext, const char *certif_client_local_cn_name, eXosip_tls_ctx_t * client_ctx, int transport)
| {
||  if (transport == IPPROTO_UDP) {
| #if !(OPENSSL_VERSION_NUMBER < 0x00908000L)
|     meth = DTLSv1_client_method ();
| #endif
|   }
|   else if (transport == IPPROTO_TCP) {
|     meth = TLSv1_client_method ();
|   }
|   else {
|     return NULL;
|   }
|| SSL_CTX *
| initialize_server_ctx (struct eXosip_t * excontext, const char *certif_local_cn_name, eXosip_tls_ctx_t * srv_ctx, int transport)
| {
||   if (transport == IPPROTO_UDP) {
|     OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO3, NULL, "DTLS-UDP server method\n"));
| #if !(OPENSSL_VERSION_NUMBER < 0x00908000L)
|     meth = DTLSv1_server_method ();
| #endif
|   }
|   else if (transport == IPPROTO_TCP) {
|     OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO3, NULL, "TLS server method\n"));
|     meth = TLSv1_server_method ();
|   }
|   else {
|     return NULL;
|   }

An example for replacing a TLSv1 only connection with any possible
version would look like this:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+  ctx = SSL_CTX_new(SSLv23_client_method());

If you want to use the openssl 1.1 function you need extra version
checks:

-  ctx = SSL_CTX_new(TLSv1_client_method());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
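
Review bot: the added lines in this hunk indent the SSL_CTX_new() calls by four spaces, while the eXtl_tls.c excerpt quoted above indents function bodies by two; matching the file's own indentation keeps the replacement from standing out in the diff.
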

Note that openssl is usually configured (at build time) to not allow
SSLv2 and SSLv3 connections. However, if upstream wants to be sure to
have them disabled, you can add this:

+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
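
Review bot: the #ifdef guards in this hunk look inverted: OPENSSL_NO_SSL3 and OPENSSL_NO_SSL2 are defined precisely when that protocol was compiled out of libssl, so SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) would only run in builds that cannot speak SSLv3 anyway, and a libssl built with SSLv3 enabled would keep it allowed. The SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 macros are defined regardless of how libssl was configured (OpenSSL 1.1.0 keeps SSL_OP_NO_SSLv2 as a no-op), so the guards can be dropped and both options set unconditionally.
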

to make sure they are not used for a connection even if the currently
installed libssl library supports them.
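
A small shell scanner, added here as an example and not part of this bug report or of libexosip2, that finds the version-pinned method calls this report asks to replace in a source tree and prints the suggested substitute for each hit; the TLS substitutes follow the report, the DTLS_*_method() substitutes are an assumption (they exist from OpenSSL 1.0.2 on), and the eXtl_tls.c sample it creates is constructed from the excerpt quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report or from libexosip2: scan a source
# tree for calls to the version-pinned OpenSSL method constructors that the
# report asks to replace, and print a suggested substitute for each hit.
# Needs only POSIX sh, find, grep -E and sed -E.

PINNED='(SSLv3|TLSv1|TLSv1_1|TLSv1_2|DTLSv1|DTLSv1_2)_(client_|server_)?method'

# Print "file:line:function" for every pinned-method call under directory $1.
# The [^A-Za-z0-9_] before the name keeps TLSv1_* from matching inside DTLSv1_*.
find_pinned_methods() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE "(^|[^A-Za-z0-9_])${PINNED}[[:space:]]*\(" /dev/null {} + \
      | sed -E "s/^([^:]+:[0-9]+).*[^A-Za-z0-9_](${PINNED}).*/\1:\2/"
}

# Map a pinned constructor to the version-flexible one. The TLS rows follow the
# report; the DTLS rows are an assumption (DTLS_*_method() exists from 1.0.2).
suggest_replacement() {
    case "$1" in
        DTLSv1*_client_method) echo 'DTLS_client_method()' ;;
        DTLSv1*_server_method) echo 'DTLS_server_method()' ;;
        DTLSv1*_method)        echo 'DTLS_method()' ;;
        *_client_method) echo 'SSLv23_client_method() or TLS_client_method()' ;;
        *_server_method) echo 'SSLv23_server_method() or TLS_server_method()' ;;
        *_method)        echo 'SSLv23_method() or TLS_method()' ;;
        *)               return 1 ;;
    esac
}

# Human-readable report: one "file:line: old -> new" line per hit.
report_pinned_methods() {
    find_pinned_methods "$1" | while IFS=: read -r file line fn; do
        printf '%s:%s: %s -> %s\n' "$file" "$line" "$fn" "$(suggest_replacement "$fn")"
    done
}

# Constructed sample tree mimicking the eXtl_tls.c excerpt quoted in the report;
# the last line is already fixed and must not be reported. Prints the directory.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/eXtl_tls.c" <<'EOF'
  if (transport == IPPROTO_UDP) {
    meth = DTLSv1_client_method ();
  }
  else if (transport == IPPROTO_TCP) {
    meth = TLSv1_client_method ();
  }
  ctx = SSL_CTX_new (SSLv23_client_method ());
EOF
    echo "$dir"
}
```

Run `report_pinned_methods "$(make_sample_tree)"` to see the two hits, or point it at an unpacked libexosip2 source tree instead of the sample.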

[0] https://lists.debian.org/msgid-search/20170807014238.mf64rdvgpdkpaiwa@roeckx.be
[1] https://manpages.debian.org/stretch/libssl-doc/SSLv23_method.3ssl.en.html

Sebastian
