Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#48426 - [luasec] SSLv23 and SSLv3 needs to be removed as of OpenSSL >= 1.0.2g (patch included)
Attached to Project: Community Packages
Opened by Pascal Ernster (hardfalcon) - Thursday, 03 March 2016, 04:58 GMT
Last edited by Sergej Pupykin (sergej) - Tuesday, 08 March 2016, 07:17 GMT
Details

Note: This refers to the new OpenSSL 1.0.2g packages that are only in staging/community-staging so far.

Problem: The luasec packages will not work when OpenSSL >= 1.0.2g is used, because that version doesn't support SSLv2 and SSLv3 anymore in its default configuration (this also applies to the Archlinux packages). While the luasec packages will happily compile, they'll just crash when you try to use them, because the luasec modules try to use SSLv23 and SSLv3 symbols which do not exist anymore. Here is an example with lua5.1:

    $ ./test1.lua
    /usr/bin/lua5.1: error loading module 'ssl.core' from file '/usr/lib/lua/5.1/ssl.so':
            /usr/lib/lua/5.1/ssl.so: undefined symbol: SSLv3_method
    stack traceback:
            [C]: ?
            [C]: in function 'require'
            /usr/share/lua/5.1/ssl.lua:7: in main chunk
            [C]: in function 'require'
            ./test1.lua:6: in main chunk
            [C]: ?

Note that these crashes occur even if you don't use SSLv2/SSLv3 at all in your lua code.

Thus, calls to said SSLv23 and SSLv3 symbols need to be removed from the luasec code. This will of course break lua code using SSLv2/SSLv3, but at least code *only* using TLSv1/1.1/1.2 will work again. More precisely, this will make prosody work again.
no-sslv3.patch
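A load failure like the one in the report can be caught at packaging time by comparing the symbols a module imports with the symbols the installed libssl exports. The following is an added example, not part of the original report or of luasec: the `nm -D` listings are constructed samples, and the function names and the prefix filter are assumptions made for illustration.

```python
import re

# Constructed sample of `nm -D --undefined-only ssl.so` for a module that
# still references the SSLv3 method constructor named in the report.
MODULE_UNDEFINED = """\
                 U SSL_CTX_new
                 U SSL_new
                 U SSLv3_method
                 U TLSv1_2_method
                 U malloc
"""

# Constructed sample of `nm -D --defined-only libssl.so` for a build that
# no longer exports SSLv3_method (addresses are made up).
LIBSSL_DEFINED = """\
0000000000023a10 T SSL_CTX_new
0000000000025c40 T SSL_new
000000000002f1e0 T SSLv23_method
0000000000031b20 T TLSv1_2_method
"""

# One nm line: optional hex address, one type letter, symbol name.
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")


def parse_nm(text):
    """Return {symbol: type_letter} from nm output, dropping @version tags."""
    symbols = {}
    for line in text.splitlines():
        match = NM_LINE.match(line)
        if match:
            symbols[match.group(2).split("@")[0]] = match.group(1)
    return symbols


def unresolved_tls_symbols(module_nm, library_nm, prefixes=("SSL", "TLS", "DTLS")):
    """List imports with a libssl-style prefix that the library does not export.

    The prefix filter is a heuristic (an assumption of this example) that keeps
    libc imports such as malloc out of the comparison.
    """
    imported = {name for name, kind in parse_nm(module_nm).items()
                if kind == "U" and name.startswith(prefixes)}
    exported = {name for name, kind in parse_nm(library_nm).items() if kind != "U"}
    return sorted(imported - exported)


if __name__ == "__main__":
    for name in unresolved_tls_symbols(MODULE_UNDEFINED, LIBSSL_DEFINED):
        print("module imports a symbol the library does not export:", name)
```

A non-empty result means the module will fail in `require` regardless of which protocol the Lua code asks for, which is the behaviour the report describes.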
lua51-sec-1:0.5-5 with my patch applied works absolutely flawlessly (and has been working flawlessly for several days now).
lua51-sec-2:0.5.1-1 works, thanks. :-)