
Debian Bug report logs - #828557
sslsniff: FTBFS with openssl 1.1.0

Package: src:sslsniff; Maintainer for src:sslsniff is Debian Security Tools <team+pkg-security@tracker.debian.org>;

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Sun, 26 Jun 2016 11:00:29 UTC

Severity: serious

Tags: buster, help, patch, sid

Found in version sslsniff/0.8-4.2

Fixed in version sslsniff/0.8-7

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/moxie0/sslsniff/issues/27


Report forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#828557; Package src:sslsniff. (Sun, 26 Jun 2016 11:00:33 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 26 Jun 2016 11:00:33 GMT)


Message #5 received at submit@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Subject: sslsniff: FTBFS with openssl 1.1.0
Date: Sun, 26 Jun 2016 12:24:13 +0200
Source: sslsniff
Version: 0.8-4.2
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
OpenSSL this package fails to build.  A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sslsniff_0.8-4.2_amd64-20160529-1540

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the
reasons why it might fail.  There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent
snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.


Kurt




Added indication that bug 828557 blocks 827061. Request was from Kurt Roeckx <kurt@roeckx.be> to submit@bugs.debian.org. (Sun, 26 Jun 2016 11:00:34 GMT)


Severity set to 'serious' from 'important'. Request was from Kurt Roeckx <kurt@roeckx.be> to control@bugs.debian.org. (Wed, 26 Oct 2016 17:55:15 GMT)


Added tag(s) stretch and sid. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 26 Oct 2016 22:24:09 GMT)


Set Bug forwarded-to-address to 'https://github.com/moxie0/sslsniff/issues/27'. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Tue, 22 Nov 2016 14:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#828557; Package src:sslsniff. (Tue, 22 Nov 2016 15:36:02 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Tue, 22 Nov 2016 15:36:02 GMT)


Message #18 received at 828557@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>, 828557@bugs.debian.org
Subject: Re: Bug#828557: sslsniff: FTBFS with openssl 1.1.0
Date: Tue, 22 Nov 2016 16:33:12 +0100
Control: severity -1 important
Control: unblock 827061 by -1
Control: tag -1 + help

On Sun, 26 Jun 2016, Kurt Roeckx wrote:
> OpenSSL this package fails to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sslsniff_0.8-4.2_amd64-20160529-1540

There is no upstream patch yet and upstream is rather MIA. So if anyone is
willing to provide a patch, it would be more than welcome.

https://github.com/moxie0/sslsniff/issues/27

In the meantime, I have uploaded a new package build-depending on
libssl1.0-dev (sslsniff_0.8-5.dsc), hence I'm downgrading this to
important and unblocking the transition bug.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Severity set to 'important' from 'serious'. Request was from Raphael Hertzog <hertzog@debian.org> to 828557-submit@bugs.debian.org. (Tue, 22 Nov 2016 15:36:02 GMT)


Removed indication that bug 828557 blocks 827061. Request was from Raphael Hertzog <hertzog@debian.org> to 828557-submit@bugs.debian.org. (Tue, 22 Nov 2016 15:36:04 GMT)


Added tag(s) help. Request was from Raphael Hertzog <hertzog@debian.org> to 828557-submit@bugs.debian.org. (Tue, 22 Nov 2016 15:36:04 GMT)


Added tag(s) buster. Request was from ivodd@debian.org to control@bugs.debian.org. (Sun, 18 Jun 2017 09:56:12 GMT)


Added indication that bug 828557 blocks 871056. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Sat, 12 Aug 2017 19:24:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>:
Bug#828557; Package src:sslsniff. (Thu, 12 Oct 2017 22:03:15 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Thu, 12 Oct 2017 22:03:15 GMT)


Message #33 received at 828557@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 828557@bugs.debian.org
Subject: sslsniff: FTBFS with openssl 1.1.0
Date: Thu, 12 Oct 2017 23:44:52 +0200

Hi,

this is a reminder about the openssl transition [0]. We really want to
remove libssl1.0-dev from unstable for Buster. I will raise the severity
of this bug to serious in a month. Please react before that happens.

[0] https://bugs.debian.org/871056#55

Sebastian



Severity set to 'serious' from 'important'. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 13 Nov 2017 19:42:09 GMT)


Removed tag(s) stretch. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Mon, 13 Nov 2017 20:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>:
Bug#828557; Package src:sslsniff. (Sun, 17 Dec 2017 18:36:08 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Sun, 17 Dec 2017 18:36:08 GMT)


Message #42 received at 828557@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 828557@bugs.debian.org
Cc: pkg-security-team@lists.alioth.debian.org
Subject: Patch for sslsniff, request for review
Date: Sun, 17 Dec 2017 19:32:52 +0100
Control: tag -1 patch

Hi,

here's a patch that fixes the OpenSSL-1.1-related FTBFS for sslsniff.

I'd appreciate a review of the patch.

Cheers,
-Hilko
[Fix-OpenSSL-1.1-FTBFS.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Hilko Bengen <bengen@debian.org> to 828557-submit@bugs.debian.org. (Sun, 17 Dec 2017 18:36:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>:
Bug#828557; Package src:sslsniff. (Mon, 18 Dec 2017 20:27:05 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Mon, 18 Dec 2017 20:27:05 GMT)


Message #49 received at 828557@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Hilko Bengen <bengen@debian.org>, 828557@bugs.debian.org
Cc: pkg-security-team@lists.alioth.debian.org
Subject: Re: Bug#828557: Patch for sslsniff, request for review
Date: Mon, 18 Dec 2017 21:25:54 +0100

On 2017-12-17 19:32:52 [+0100], Hilko Bengen wrote:
> Control: tag -1 patch
> 
> Hi,
> 
> here's a patch that fixes the OpenSSL-1.1-related FTBFS for sslsniff.
> 
> I'd appreciate a review of the patch.

It is not back compatible with openssl 1.0.2

>Index: sslsniff/SessionCache.cpp
>===================================================================
>--- sslsniff.orig/SessionCache.cpp
>+++ sslsniff/SessionCache.cpp
>@@ -47,7 +47,9 @@ void SessionCache::removeSessionId(unsig
> }
> 
> int SessionCache::setNewSessionId(SSL *s, SSL_SESSION *session) {
>-  return setNewSessionId(s, session, session->session_id, session->session_id_length);
>+  unsigned int id_length;
>+  const unsigned char *id = SSL_SESSION_get_id(session, &id_length);
>+  return setNewSessionId(s, session, (unsigned char*)id, id_length);
> }
> 
> int SessionCache::setNewSessionId(SSL *s, SSL_SESSION *session, 
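
Review bot: The `(unsigned char*)id` cast in the two-argument setNewSessionId() discards the const that SSL_SESSION_get_id() puts on the pointer it returns. That pointer refers to storage owned by the session object, so the three-argument overload should take `const unsigned char *` instead, which also removes the need for the cast.
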
>@@ -117,8 +119,8 @@ SSL_SESSION * SessionCache::getSessionId
> 
> // Trampoline Functions.  Yay C.
> 
>-SSL_SESSION * SessionCache::getSessionIdTramp(SSL *s, unsigned char *id, int idLength, int *ref) {
>-  return SessionCache::getInstance()->getSessionId(s, id, idLength, ref);
>+SSL_SESSION * SessionCache::getSessionIdTramp(SSL *s, const unsigned char *id, int idLength, int *ref) {
>+  return SessionCache::getInstance()->getSessionId(s, (unsigned char*)id, idLength, ref);

since you propagate that `const' to getSessionIdTramp(), you could propagate it
further and drop that cast.

> }
> 
> int SessionCache::setNewSessionIdTramp(SSL *s, SSL_SESSION *session) {
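
Review bot: getSessionIdTramp() with `const unsigned char *id` matches only the OpenSSL 1.1.0 prototype for the session-lookup callback; 1.0.2 declares that parameter without const, so the trampoline can no longer be registered there. If building against both versions is wanted, select the parameter type under `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`.
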
>Index: sslsniff/SessionCache.hpp
>===================================================================
>--- sslsniff.orig/SessionCache.hpp
>+++ sslsniff/SessionCache.hpp
>@@ -49,7 +49,7 @@ class SessionCache {
> 
> public:
>   static SessionCache* getInstance();
>-  static SSL_SESSION * getSessionIdTramp(SSL *s, unsigned char *id, int idLength, int *ref);
>+  static SSL_SESSION * getSessionIdTramp(SSL *s, const unsigned char *id, int idLength, int *ref);
>   static int setNewSessionIdTramp(SSL *s, SSL_SESSION *session);
> 
>   int setNewSessionId(SSL *s, SSL_SESSION *session);
>Index: sslsniff/certificate/Certificate.hpp
>===================================================================
>--- sslsniff.orig/certificate/Certificate.hpp
>+++ sslsniff/certificate/Certificate.hpp
>@@ -92,7 +92,7 @@ private:
>   }
> 
>   void parseCommonName(X509 *cert) {
>-    std::string distinguishedName(cert->name);
>+    std::string distinguishedName(X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0));

X509_NAME_oneline() allocates memory which you leak.

>     std::string::size_type cnIndex = distinguishedName.find("CN=");

That part grabs the hostname from the CN= part of the subject. I haven't
looked *why* this is done but usually one wants to check the "subject
alternative name" extension and the content may contain an asterisk.

>     if (cnIndex == std::string::npos) throw BadCertificateException();
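
Review bot: In parseCommonName() the return value of X509_NAME_oneline() is passed straight to the std::string constructor, but the call returns NULL on error and constructing a std::string from a null pointer is undefined behaviour. Keep the pointer in a local variable, throw BadCertificateException() when it is NULL, copy it into the string, then release it with OPENSSL_free().
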
>Index: sslsniff/certificate/TargetedCertificateManager.cpp
>===================================================================
>--- sslsniff.orig/certificate/TargetedCertificateManager.cpp
>+++ sslsniff/certificate/TargetedCertificateManager.cpp
>@@ -117,6 +117,6 @@ void TargetedCertificateManager::dump()
>   std::list<Certificate*>::iterator i;
> 
>   for(i=certificates.begin(); i != certificates.end(); ++i) 
>-    std::cout << "Certificate: " << (*i)->getCert()->name << std::endl;
>+    std::cout << "Certificate: " << X509_NAME_oneline(X509_get_subject_name((*i)->getCert()), NULL, 0) << std::endl;

also a leak.

> 
> }
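
Review bot: In dump() a NULL return from X509_NAME_oneline() would be streamed to std::cout as a null `char *`, which is undefined behaviour, in addition to the allocation never being released. A caller-owned buffer, e.g. `char buf[256]; X509_NAME_oneline(name, buf, sizeof buf);`, avoids the allocation; the returned pointer still needs a NULL check before it is printed.
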

> Cheers,
> -Hilko

Sebastian
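
Added example (not part of the patch, the review, or sslsniff's code): a first-hit `find("CN=")` lookup of the kind the review above questions, run over a constructed one-line subject string, next to a component-wise parse and a wildcard-aware host comparison. `naiveCommonName`, `commonNames`, `nameMatchesHost` and the sample DN are hypothetical; reading the subject alternative name extension itself needs OpenSSL's extension API and is not shown.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample in X509_NAME_oneline() style; not taken from a real certificate.
const std::string kSampleDn =
    "/C=US/O=CN=decoy.example/CN=www.example.com/emailAddress=admin@example.com";

// Hypothetical stand-in for a lookup built on find("CN="): first hit wins.
std::string naiveCommonName(const std::string &dn) {
  std::string::size_type start = dn.find("CN=");
  if (start == std::string::npos) return "";
  start += 3;
  return dn.substr(start, dn.find('/', start) - start);
}

// Split into "/type=value" components; keep values whose type is exactly "CN".
std::vector<std::string> commonNames(const std::string &dn) {
  std::vector<std::string> out;
  std::string::size_type pos = 0;
  while (pos < dn.size()) {
    std::string::size_type next = dn.find('/', pos + 1);
    if (next == std::string::npos) next = dn.size();
    std::string part = dn.substr(pos, next - pos);
    if (!part.empty() && part[0] == '/') part.erase(0, 1);
    std::string::size_type eq = part.find('=');
    if (eq != std::string::npos && part.compare(0, eq, "CN") == 0)
      out.push_back(part.substr(eq + 1));
    pos = next;
  }
  return out;
}

std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// "*" is honoured only as the whole left-most label and covers exactly one label.
bool nameMatchesHost(const std::string &certName, const std::string &host) {
  const std::string n = lower(certName), h = lower(host);
  if (n.compare(0, 2, "*.") != 0) return n == h;
  const std::string::size_type dot = h.find('.');
  return dot != std::string::npos && dot > 0 && h.substr(dot) == n.substr(1);
}

int main() {
  std::cout << "naive: " << naiveCommonName(kSampleDn) << "\n";
  for (const std::string &cn : commonNames(kSampleDn))
    std::cout << "CN:    " << cn << "\n";
}
```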



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>:
Bug#828557; Package src:sslsniff. (Mon, 18 Dec 2017 21:36:05 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Mon, 18 Dec 2017 21:36:05 GMT)


Message #54 received at 828557@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Cc: 828557@bugs.debian.org, pkg-security-team@lists.alioth.debian.org
Subject: Re: Bug#828557: Patch for sslsniff, request for review
Date: Mon, 18 Dec 2017 22:34:14 +0100
* Sebastian Andrzej Siewior:

> It is not back compatible with openssl 1.0.2

Aware of that. Chose to ignore backwards compatibility for now.

I took care of the const issue and eliminated the leaks using a
stack-allocated buffer. New patch attached.

Cheers,
-Hilko
[Fix-OpenSSL-1.1-FTBFS.patch (text/x-diff, attachment)]

Message sent on to Kurt Roeckx <kurt@roeckx.be>:
Bug#828557. (Thu, 22 Feb 2018 09:57:03 GMT)


Message #57 received at 828557-submitter@bugs.debian.org:

From: hertzog@debian.org
To: 828557-submitter@bugs.debian.org
Subject: Bug #828557 in sslsniff marked as pending
Date: Thu, 22 Feb 2018 09:53:36 +0000
Control: tag -1 pending

Hello,

Bug #828557 in sslsniff reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/sslsniff/commit/08422d74f47a3399a29ee18c6de71324ad24fdbd

------------------------------------------------------------------------
Add patch to build against openssl 1.1. Closes: #828557
Thanks to Hilko Bengen <bengen@debian.org> for the patch.

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings



Added tag(s) pending. Request was from hertzog@debian.org to 828557-submitter@bugs.debian.org. (Thu, 22 Feb 2018 09:57:03 GMT)


Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 22 Feb 2018 10:09:04 GMT)


Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Thu, 22 Feb 2018 10:09:04 GMT)


Message #64 received at 828557-close@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: 828557-close@bugs.debian.org
Subject: Bug#828557: fixed in sslsniff 0.8-7
Date: Thu, 22 Feb 2018 10:06:22 +0000
Source: sslsniff
Source-Version: 0.8-7

We believe that the bug you reported is fixed in the latest version of
sslsniff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 828557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated sslsniff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 22 Feb 2018 10:40:16 +0100
Source: sslsniff
Binary: sslsniff
Architecture: source
Version: 0.8-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
 sslsniff   - SSL/TLS man-in-the-middle attack tool
Closes: 828557
Changes:
 sslsniff (0.8-7) unstable; urgency=medium
 .
   * Add patch to build against openssl 1.1. Closes: #828557
     Thanks to Hilko Bengen <bengen@debian.org> for the patch.
   * Update Build-Depends to build against openssl 1.1.
   * Switch to debhelper compat level 11.
   * Change priority to optional.
   * Bump Standards-Version to 4.1.3.
   * Update Vcs-* fields for move to salsa.debian.org.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Mar 2018 07:34:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 6 05:00:56 2025; Machine Name: buxtehude
