Opened 12 months ago
Last modified 12 months ago
#13005 new Bug report
Consider disabling tls1.0 and tls1.1 tests.
| Reported by: | Phil Wyett | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | libfilezilla |
| Keywords: | Cc: | locutusofborg@… | |
| Component version: | Operating system type: | Linux | |
| Operating system version: |
Description (last modified by )
Consider disabling tls1.0 and tls1.1 tests.
From Ubuntu/Debian,
Package: libfilezilla
Version: 0.45.0-3
Severity: normal
Tags: patch
Hello,
In Ubuntu, the attached patch was applied to achieve the following:
Basically the TLS1.0 and TLS1.1 are considered now insecure, and are blocked in Ubuntu.
I think Debian will eventually follow, making the package FTBFS during tests.
- Merge from Debian unstable. Remaining changes:
- Disable tls1.0 and tls1.1 tests, deprecated
Thanks for considering the patch.
*** /tmp/tmpqjb1gyi1/libfilezilla_0.45.0-3ubuntu1.debdiff
diff -Nru libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch
--- libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch 1970-01-01 01:00:00.000000000 +0100
+++ libfilezilla-0.45.0/debian/patches/disable-ssl-tests.patch 2023-11-07 10:24:01.000000000 +0100
@@ -0,0 +1,17 @@
+Description:
+ * Disable tls1.0 and tls1.1 tests, deprecated
+Author: Gianfranco Costamagna <locutusofborg@debian.org>
+Last-Update: 2023-11-07
+
+--- libfilezilla-0.45.0.orig/tests/socket.cpp
++++ libfilezilla-0.45.0/tests/socket.cpp
+@@ -430,7 +430,7 @@ void socket_test::test_tls_resumption()
+ // Test all posssible combinations of TLS <= 1.2 and either side supporting tickets
+ for (size_t i = 0; i < 4; ++i) {
+ do_test_tls_resumption(fz::tls_ver::v1_2, i & 0x1, i & 0x2);
+- do_test_tls_resumption(fz::tls_ver::v1_1, i & 0x1, i & 0x2);
+- do_test_tls_resumption(fz::tls_ver::v1_0, i & 0x1, i & 0x2);
++ //do_test_tls_resumption(fz::tls_ver::v1_1, i & 0x1, i & 0x2);
++ //do_test_tls_resumption(fz::tls_ver::v1_0, i & 0x1, i & 0x2);
+ }
+ }
diff -Nru libfilezilla-0.45.0/debian/patches/series libfilezilla-0.45.0/debian/patches/series
--- libfilezilla-0.45.0/debian/patches/series 2021-05-05 00:04:10.000000000 +0200
+++ libfilezilla-0.45.0/debian/patches/series 2023-11-09 04:19:21.000000000 +0100
@@ -0,0 +1 @@
+disable-ssl-tests.patch
Change History (5)
comment:1 by , 12 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 12 months ago
| Cc: | added |
|---|
comment:3 by , 12 months ago
| Status: | new → moreinfo |
|---|
comment:4 by , 12 months ago
| Status: | moreinfo → new |
|---|
Hello Tim, how to do that? I'm missing the gnutls function to detect the available tls functionalities...
fz::tls_layer::list_tls_ciphers("") looks not doing the proper job
comment:5 by , 12 months ago
# some OS such as Ubuntu drop tls1.0 and tls1.1 via /etc/gnutls/config setting
# http://launchpadlibrarian.net/694703700/gnutls28_3.8.1-4ubuntu2_3.8.1-4ubuntu3.diff.gz
# http://launchpadlibrarian.net/698244635/gnutls28_3.8.1-4ubuntu3_3.8.1-4ubuntu4.diff.gz
# This makes testsuite fail, so for now the best way to deal with it, is probably
# to just ignore the conf file for our tests
export GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
This is something that works as workaround.
Disabling the tests in this manner is a bad idea. These tests for an important security feature for FTP over TLS would get unconditionally disabled, even if the underlying TLS library (GnuTLS in this case) still supports TLS 1.0/1.1
The proper way is to run the tests conditionally at runtime: Detect whether the loaded GnuTLS supports TLS 1.0/1.1 and only skip the tests if the library does not support it.
Note that TLS session resumption is a very difficult feature to implement correctly with subtly different semantics across TLS versions. The unit tests are thus vital to ensure that it works correctly across all supported TLS versions.
Please update the patch accordingly.