Opened 4 months ago

Last modified 3 months ago

#13005 new Bug report

Consider disabling tls1.0 and tls1.1 tests.

Reported by: Phil Wyett Owned by:
Priority: normal Component: libfilezilla
Keywords: Cc: locutusofborg@…
Component version: Operating system type: Linux
Operating system version:

Description (last modified by Phil Wyett)

Consider disabling tls1.0 and tls1.1 tests.

From Ubuntu/Debian,

Package: libfilezilla
Version: 0.45.0-3
Severity: normal
Tags: patch

Hello,
In Ubuntu, the attached patch was applied to achieve the following:

Basically the TLS1.0 and TLS1.1 are considered now insecure, and are blocked in Ubuntu.
I think Debian will eventually follow, making the package FTBFS during tests.

  • Merge from Debian unstable. Remaining changes:
    • Disable tls1.0 and tls1.1 tests, deprecated

Thanks for considering the patch.

*** /tmp/tmpqjb1gyi1/libfilezilla_0.45.0-3ubuntu1.debdiff
diff -Nru libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch
--- libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch	1970-01-01 01:00:00.000000000 +0100
+++ libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch	2023-11-07 10:24:01.000000000 +0100
@@ -0,0 +1,17 @@
+Description:
+   * Disable tls1.0 and tls1.1 tests, deprecated
+Author: Gianfranco Costamagna <locutusofborg@debian.org>
+Last-Update: 2023-11-07
+
+--- libfilezilla-0.45.0.orig/tests/socket.cpp
++++ libfilezilla-0.45.0/tests/socket.cpp
+@@ -430,7 +430,7 @@ void socket_test::test_tls_resumption()
+ 	// Test all posssible combinations of TLS <= 1.2 and either side supporting tickets
+ 	for (size_t i = 0; i < 4; ++i) {
+ 		do_test_tls_resumption(fz::tls_ver::v1_2, i & 0x1, i & 0x2);
+-		do_test_tls_resumption(fz::tls_ver::v1_1, i & 0x1, i & 0x2);
+-		do_test_tls_resumption(fz::tls_ver::v1_0, i & 0x1, i & 0x2);
++		//do_test_tls_resumption(fz::tls_ver::v1_1, i & 0x1, i & 0x2);
++		//do_test_tls_resumption(fz::tls_ver::v1_0, i & 0x1, i & 0x2);
+ 	}
+ }
diff -Nru libfilezilla-0.45.0/debian/patches/series libfilezilla-0.45.0/debian/patches/series
--- libfilezilla-0.45.0/debian/patches/series	2021-05-05 00:04:10.000000000 +0200
+++ libfilezilla-0.45.0/debian/patches/series	2023-11-09 04:19:21.000000000 +0100
@@ -0,0 +1 @@
+disable-ssl-tests.patch

Change History (5)

comment:1 by Phil Wyett, 4 months ago

Description: modified (diff)

comment:2 by Tim Kosse, 4 months ago

Cc: locutusofborg@… added

comment:3 by Tim Kosse, 4 months ago

Status: newmoreinfo

Disabling the tests in this manner is a bad idea. These tests for an important security feature for FTP over TLS would get unconditionally disabled, even if the underlying TLS library (GnuTLS in this case) still supports TLS 1.0/1.1

The proper way is to run the tests conditionally at runtime: Detect whether the loaded GnuTLS supports TLS 1.0/1.1 and only skip the tests if the library does not support it.

Note that TLS session resumption is a very difficult feature to implement correctly with subtly different semantics across TLS versions. The unit tests are thus vital to ensure that it works correctly across all supported TLS versions.

Please update the patch accordingly.

comment:4 by Gianfranco, 4 months ago

Status: moreinfonew

Hello Tim, how to do that? I'm missing the gnutls function to detect the available tls functionalities...
fz::tls_layer::list_tls_ciphers("") looks not doing the proper job

comment:5 by Gianfranco, 3 months ago

# some OS such as Ubuntu drop tls1.0 and tls1.1 via /etc/gnutls/config setting
# http://launchpadlibrarian.net/694703700/gnutls28_3.8.1-4ubuntu2_3.8.1-4ubuntu3.diff.gz
# http://launchpadlibrarian.net/698244635/gnutls28_3.8.1-4ubuntu3_3.8.1-4ubuntu4.diff.gz
# This makes testsuite fail, so for now the best way to deal with it, is probably
# to just ignore the conf file for our tests
export GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null

This is something that works as workaround.

Note: See TracTickets for help on using tickets.