Brian wrote:
> And again:
>> I have a patch for that at:
>> https://github.com/openssl/openssl/pull/4128
>>
>> I might upload this soon. The intention is still to ship Buster
>> with TLS 1.0 and 1.1 completely disabled.
> Couldn't be clearer. The maintainer does not plan to switch back to
> TLS1
On Fri 08 Sep 2017 at 09:33:59 +0200, Sven Hartge wrote:
> Michael Grant wrote:
>
> > If this patch won't go to Stretch as a security fix, then the world is
> > hidden from this until Buster comes out in about 2 years.
>
> Exactly. Read the discussion(s) in debian-devel about this. The last
> i
Hi.
On Fri, Sep 08, 2017 at 10:20:22AM +0100, Michael Grant wrote:
> > First, this LD_PRELOAD library does exactly one thing - it downgrades
> > default TLS version to TLS1.0. If your users have the trouble connecting
> > to your mailserver because their clients cannot do TLS1.2 and that's
> First, this LD_PRELOAD library does exactly one thing - it downgrades
> default TLS version to TLS1.0. If your users have the trouble connecting
> to your mailserver because their clients cannot do TLS1.2 and that's the
> only thing your mailserver advertises - your users still won't be able
> to
On Thu, Sep 07, 2017 at 05:23:11PM +0300, Reco wrote:
> Hi.
[...]
> So I got bored and wrote the thing today. A customary disclaimer
> follows:
Wow. That was quick. Although I'm probably not going to use it:
- hey, thanks a bunch!
- I'm sur
Reco wrote:
> On Thu, Sep 07, 2017 at 10:50:00PM +0100, Michael Grant wrote:
>> What is the right way for an admin to handle this problem on Debian
>> Testing?
> The only thing they told me back in the day was 'if you have to do a
> server - you use Debian stable'. This openssl incident and may
Michael Grant wrote:
> Nifty, been a while since I used the LD_PRELOAD trick myself.
> This whole thing has been bothering me over the last couple days. Why
> are so few people having this issue? 18 or so posts on this, only 3
> or so of us have done anything about this. I backed out libssl (
On Thu, Sep 07, 2017 at 10:50:00PM +0100, Michael Grant wrote:
> Nifty, been a while since I used the LD_PRELOAD trick myself.
>
> This whole thing has been bothering me over the last couple days. Why
> are so few people having this issue?
There are few that are running servers on Debian testing
Nifty, been a while since I used the LD_PRELOAD trick myself.
This whole thing has been bothering me over the last couple days. Why
are so few people having this issue? 18 or so posts on this, only 3
or so of us have done anything about this. I backed out libssl (and
pinned it). Reco makes a L
Hi.
On Wed, Sep 06, 2017 at 08:57:53PM +0200, to...@tuxteam.de wrote:
> > On Wed, Sep 06, 2017 at 09:57:09AM +0200, to...@tuxteam.de wrote:
>
> [...]
>
> > > Isn't there any LD_PRELOAD trick one could play? [...]
>
> > There'll be once someone writes it. Maybe I'll do it this weekend.
>
On Wed, Sep 06, 2017 at 06:01:18PM +0300, Reco wrote:
> Hi.
>
> On Wed, Sep 06, 2017 at 09:57:09AM +0200, to...@tuxteam.de wrote:
[...]
> > Isn't there any LD_PRELOAD trick one could play? [...]
> There'll be once someone writes it. Maybe I'l
Hi.
On Wed, Sep 06, 2017 at 09:57:09AM +0200, to...@tuxteam.de wrote:
> On Tue, Sep 05, 2017 at 11:40:46PM +0200, Sven Hartge wrote:
> > Michael Grant wrote:
> >
> > > Is there something I can set on Debian side to force this newer
> > > openssl to accept older 1.x connections?
> >
> >
Michael Grant wrote:
> I downloaded libssl1.1_1.1.0f-3_amd64.deb
> and did:
> dpkg -i libssl1.1_1.1.0f-3_amd64.deb
> restarted sendmail and dovecot and everyone can now connect.
Be sure to either pin or hold the package at that version:
"apt-mark hold libssl" or the next "apt dist-upgrade" wi
On Tue, Sep 05, 2017 at 11:40:46PM +0200, Sven Hartge wrote:
> Michael Grant wrote:
>
> > Is there something I can set on Debian side to force this newer
> > openssl to accept older 1.x connections?
>
> No, you can't.
>
> Kurt Roeckx, the DD mainta
Michael Grant wrote:
...
> I was surprised that this problem affected fairly recent MacOS and
> Windows Outlook users. I was also surprised that not many people had
> reported this and as I continued to google around for this, I found
> only this chain of posts! And this has been in the wild now
On 5 September 2017 at 22:40, Sven Hartge wrote:
> Michael Grant wrote:
>
>> Is there something I can set on Debian side to force this newer
>> openssl to accept older 1.x connections?
>
> No, you can't.
>
> Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> program needs
On 5 September 2017 at 20:29, Michael Grant wrote:
> On 5 September 2017 at 19:15, Gene Heskett wrote:
>> On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
>>
>>> I upgraded openssl today in my server running testing. It installed
>>> version 1.1.0f-5. To my surprise, my mac clients ca
Michael Grant wrote:
> Is there something I can set on Debian side to force this newer
> openssl to accept older 1.x connections?
No, you can't.
Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
program needs to call a special function of OpenSSL to override the
default m
On 5 September 2017 at 19:15, Gene Heskett wrote:
> On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
>
>> I upgraded openssl today in my server running testing. It installed
>> version 1.1.0f-5. To my surprise, my mac clients can no longer send
>> and receive email!
>>
> As that is a s
On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
> I upgraded openssl today in my server running testing. It installed
> version 1.1.0f-5. To my surprise, my mac clients can no longer send
> and receive email!
>
As that is a security related upgrade, I would next push the Mac people
t
I upgraded openssl today in my server running testing. It installed
version 1.1.0f-5. To my surprise, my mac clients can no longer send
and receive email!
How do I roll back to the previous version of openssl?
"apt-cache showpkg openssl" only shows version 1.1.0f-5.
apt install openssl=1.1.0f-
Stephan Seitz wrote:
> On Mo, Aug 14, 2017 at 08:02:40 -0400, songbird wrote:
>> may break your getting of mail process.
>>(i'm using getmail).
>>
>> luckily downgrading the two packages restores
>>things to working again.
>>
>> no time right now for me to find the magic
>>words to fiddle with
Sven Hartge writes:
> Kamil Jońca wrote:
>> Stephan Seitz writes:
>
[...]
>
>> It also breaks a lot of other things: for example: my radius server
>> started to refuse to authenticate win8 and win8 clients and android
>> tablets.
>
> Windows 8, too? It would be nice if you could add this to the th
Kamil Jońca wrote:
> Stephan Seitz writes:
>> As announced the new version of openssl has disabled TLSv1 and
>> TLSv1.1 leaving only TLSv1.2. So if you have an old server without
>> TLSv1.2, you can’t connect anymore.
> It also breaks a lot of other things: for example: my radius server
> started
Stephan Seitz writes:
> On Mo, Aug 14, 2017 at 08:02:40 -0400, songbird wrote:
>> may break your getting of mail process.
>>(i'm using getmail).
>>
>> luckily downgrading the two packages restores
>>things to working again.
>>
>> no time right now for me to find the magic
>>words to fiddle wit
On Mo, Aug 14, 2017 at 08:02:40 -0400, songbird wrote:
may break your getting of mail process.
(i'm using getmail).
luckily downgrading the two packages restores
things to working again.
no time right now for me to find the magic
words to fiddle with to allow this to go
through.
As announc
fyi,
may break your getting of mail process.
(i'm using getmail).
luckily downgrading the two packages restores
things to working again.
no time right now for me to find the magic
words to fiddle with to allow this to go
through.
songbird