Nifty, been a while since I used the LD_PRELOAD trick myself. This whole thing has been bothering me over the last couple days. Why are so few people having this issue? 18 or so posts on this, only 3 or so of us have done anything about this. I backed out libssl (and pinned it). Reco makes an LD_PRELOAD hack. Sven recompiles OpenSSL with the patch removed.
Did this or will this patch get into Stretch Stable yet as a security patch? If yes, then won't there be hundreds if not thousands of people screaming about this? I am wondering why it's so few of us who seem to be affected? I suspect it's because 1) we're running Debian Testing and most of the Debian world runs Stable, 2) more and more people are turning to gmail and outlook.com instead of running their own mail servers and 3) the few remaining people who do go to the trouble of using Debian Testing as a mail server probably wouldn't care that much about getting TLS set up with imap/pop/smtp working at all.

If this patch won't go to Stretch as a security fix, then the world is hidden from this until Buster comes out in about 2 years. But what's going to happen if there is some other security fix which is needed in Stretch's libssl1.1 (1.1.0f-3)? Will there be some fork of this library for Stretch without this patch? Or will at that time this patch get swept in with some other future security patch and then hit the wild with Stretch stable + security patches?

By pinning this library at 1.1.0f-3 on my system, I feel somehow I've done the wrong thing. I started to think I should put in Reco's hack until these Windows 7 and Mac 10.11 users move to more modern releases or MS and Apple send out patches for their older stuff. Or maybe I should follow Stretch (and its security fixes) for only this package instead of pinning it to this version.

And by the way, this isn't just limited to mail clients. It's also affecting MTAs. I see a large number of mail servers connecting to my server that only do TLSv1 and TLSv1.1. When they can't do TLS, I think they just fall back to SMTP in the clear. So the problem isn't obvious to any user and mail in general is just less secure.

In doing some reading about TLS and its problems, there are problems with TLSv1 and I understand those were fixed in Debian's libssl1. TLSv1.1 had some problems, but they were more minor, and the move to 1.2 seemed more about enhancing security versus removing some design flaws. Clearly the vendors like Microsoft and Apple did not think it critical to move away from TLSv1 and TLSv1.1 and probably patched it like Debian. Hence they consider their versions of TLSv1 and TLSv1.1 safe enough. While I am totally sympathetic to getting the world onto TLSv1.2 and greater, this seems like a support disaster waiting to happen. What is the right way for an admin to handle this problem on Debian Testing?
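The two pinning approaches the post weighs, written out as apt preferences (an added illustration, not configuration from the post's author or from Debian). The first freezes libssl1.1 at the exact version, which also freezes out future Stretch security updates; the second tracks the stretch release so stretch-security uploads of the same package are still installed. It assumes a testing system that also has `stretch` and `stretch/updates` (security.debian.org) entries in sources.list, and that the installed version is already 1.1.0f-3 as stated in the post.

```text
# /etc/apt/preferences.d/libssl1.1  -- weak variant: frozen at one version
# A version pin never picks up Stretch security updates for this package;
# a future stretch-security upload of libssl1.1 would be ignored.
Package: libssl1.1
Pin: version 1.1.0f-3
Pin-Priority: 1001

# /etc/apt/preferences.d/libssl1.1  -- preferred variant: follow the release
# "n=stretch" matches the Codename field of both the stretch and the
# stretch/updates (security) Release files, so security fixes still apply
# while the testing build of libssl1.1 is held back.
# 990 outranks testing's default 500 but will not downgrade an installed
# newer version; use a priority above 1000 if a downgrade is required.
Package: libssl1.1
Pin: release n=stretch
Pin-Priority: 990
```

`apt-cache policy libssl1.1` shows which candidate the pin selects; the release-pin variant should list the stretch or stretch/updates version as the candidate while leaving every other package on testing.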