[Twisted-Python] TLS broken with twisted.words.protocols.jabber

I would like to propose that #3463 (http://twistedmatrix.com/trac/ticket/3463) be additionally committed to the 8.1 branch and any other branches that still get point releases. It is a pretty critical workaround which fixes the fact that recent OpenSSL libraries cannot connect to Java based services. This means that most of the packaged versions of Twisted cannot talk to Google Talk or any Tigase or Openfire XMPP servers. Since packagers are often reluctant to upgrade very far in a particular distribution, I would like to get bug fix releases out for Twisted 8.1, etc, so that we have some hope that this problem will go away as soon as possible. jack.

On Fri, Nov 21, 2008 at 01:20:59PM -0500, Itamar Shtull-Trauring wrote:
Because it is actually a bug in Java, not in OpenSSL. It is just that recent OpenSSL versions enable a feature (Session Tickets) that is standards-wise backwards compatible. Arguably, distributions could choose to not enable the feature by default, but that doesn't have my preference. This change adds an option to choose if the feature is used, and disables it by default because there is no further support in our SSL code for it and it immediately helps fix a problem that I don't think will be resolved server-side any time soon. -- Groetjes, ralphm

On 21 Nov, 08:00 pm, twisted@ralphm.ik.nu wrote:
If the "fix" for Twisted is to just disable this feature by default, then it should remain disabled by default for everybody. Including it in the build so that people who want it can enable it is fine, but leaving it on by default for other libraries besides Twisted seems wrong. In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

On 22 Nov, 09:05 am, mithrandi@mithrandi.net wrote:
Hrm. I gleaned this from looking at some diffs to makefiles that were added to the debian package. My understanding was that the feature was disabled by default, though. Hardy, for example, already has a 'g' version of openssl as well, and the feature is not enabled there. My understanding is that upstream added the feature, but left it disabled by default, then debian turned it on in their build configuration.
That particular line was a little funny though.
I'll admit to lack of familiarity with OpenSSL, and this functionality in particular, so maybe I'm just confused.
Equally possible that I'm confused, though. I'm not 100% sure where the makefile that I'm looking at diffs to came from.

* glyph@divmod.com <glyph@divmod.com> [2008-11-23 03:25:37 -0000]:
I guess maybe this is the problem, then:

openssl (0.9.8g-7) unstable; urgency=low
  * Upload to unstable.
 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 13 Feb 2008 22:22:29 +0000
[...]
openssl (0.9.8g-5) experimental; urgency=low
  * Enable tlsext. This changes the ABI, but should hopefully not cause any problems. (Closes: #462596)
 -- Kurt Roeckx <kurt@roeckx.be>  Sat, 09 Feb 2008 13:32:49 +0100

#462596 is "openssl: Please include support for tls extensions / server name indication", which provides this motivation: Apache will probably start to support server name indication (SNI) in one of the next 2.2.x releases. To use it, TLS extension support needs to be compiled into openssl. This has been added to openssl 0.9.8f but is not activated by default.
Teehee :) -- mithrandi, i Ainil en-Balandor, a faer Ambar

* Tristan Seligmann <mithrandi@mithrandi.net> [2008-11-23 05:44:18 +0200]:
I guess maybe this is the problem, then:
I also noticed this:
[...]
Tee hee.
[...]
So it seems that openssl is sending something different while I can't see a reason why it should be sending something different.
I guess he figured it out in the end, though. -- mithrandi, i Ainil en-Balandor, a faer Ambar

Nothing to do with Twisted, yet this means that all my users who attempt to use my code will likely fail unless they recompile their distro's openssl or upgrade to the next version (if it gets fixed upstream in a next version). This essentially makes my code useless to many, not to mention a pain in the ass for myself. You've already committed the fix to 8.2 and trunk. All I'm asking is for a bugfix release for 8.1 and possibly 8.0. I don't understand why we are arguing about whether the fix is correct when the question is whether to backport it; it is already accepted and committed. jack.

On 22 Nov, 06:02 pm, jack@chesspark.com wrote:
Sorry, you seem to have misunderstood me. I'm not saying "let's not backport this fix". I'm saying that backporting the fix is a band-aid; the real issue is in the openssl package. Some effort should be devoted to fixing it there. Also, you could apply an equally band-aid solution to your own code immediately. It shouldn't interfere with the band-aid in Twisted.
This essentially makes my code useless to many, not to mention a pain in the ass for myself.
You're not the only one. The only reason that a zillion people haven't noticed this already is that pidgin uses nspr/nss to talk to gtalk, not openssl.
As far as I'm concerned this is entirely up to the discretion of the release manager, Christopher Armstrong. For my part I'm +0, unless doing a maintenance release will actually get Ubuntu to include the fixed 8.1 in an update, in which case I'm +1. And again, I'm not against it, but I don't see the point of backporting to 8.0; who will have both twisted 8.0 and a system affected by this issue?
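The following is an added example, not Twisted's #3463 patch or any code from the thread. It shows at the wire level what ralphm's "option, disabled by default" and glyph's "equally band-aid solution in your own code" amount to: OpenSSL's TLS session-ticket extension (RFC 5077, extension type 35) is sent in the ClientHello unless SSL_OP_NO_TICKET is set. It uses the standard-library ssl module rather than pyOpenSSL, captures the ClientHello through in-memory BIOs so nothing is contacted, and parses the extension list by hand; the hostname "xmpp.example" is a constructed placeholder.

```python
"""Compare the ClientHello OpenSSL emits with and without session tickets.

Added example (not Twisted code). Uses ssl.MemoryBIO so no network I/O occurs;
the server name below is a constructed placeholder, never resolved or contacted.
"""

import ssl

SESSION_TICKET_EXT = 35   # TLS ExtensionType "session_ticket" (RFC 5077)
SERVER_NAME_EXT = 0       # TLS ExtensionType "server_name" (SNI)
SERVER_NAME = "xmpp.example"  # constructed placeholder


def client_context(enable_session_tickets):
    """Build a client context; the flag defaults to off in the caller, mirroring
    the shape of the Twisted fix (option present, tickets off unless asked for)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not enable_session_tickets:
        ctx.options |= ssl.OP_NO_TICKET  # same bit as OpenSSL's SSL_OP_NO_TICKET
    return ctx


def capture_client_hello(ctx):
    """Run one handshake step over MemoryBIOs and return the bytes the client
    wanted to send: a single TLS record carrying the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=SERVER_NAME)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for ServerHello
    return outgoing.read()


def client_hello_extensions(record):
    """Parse a TLS handshake record holding a ClientHello; return the list of
    extension type numbers in the order they appear on the wire."""
    def u8(i):
        return record[i]

    def u16(i):
        return int.from_bytes(record[i:i + 2], "big")

    def u24(i):
        return int.from_bytes(record[i:i + 3], "big")

    if u8(0) != 0x16:
        raise ValueError("not a TLS handshake record")
    pos = 5                      # record header: type(1) version(2) length(2)
    if u8(pos) != 0x01:
        raise ValueError("not a ClientHello")
    body_end = pos + 4 + u24(pos + 1)
    pos += 4                     # handshake header: msg_type(1) length(3)
    pos += 2 + 32                # legacy_version + random
    pos += 1 + u8(pos)           # session_id
    pos += 2 + u16(pos)          # cipher_suites
    pos += 1 + u8(pos)           # compression_methods
    if pos >= body_end:
        return []                # hello without an extensions block
    ext_end = pos + 2 + u16(pos)
    pos += 2
    types = []
    while pos + 4 <= ext_end:
        ext_type, ext_len = u16(pos), u16(pos + 2)
        types.append(ext_type)
        pos += 4 + ext_len
    return types


def sends_session_ticket_extension(enable_session_tickets=False):
    """True if a client built with the given setting advertises session tickets."""
    hello = capture_client_hello(client_context(enable_session_tickets))
    return SESSION_TICKET_EXT in client_hello_extensions(hello)


if __name__ == "__main__":
    for flag in (True, False):
        print("session tickets enabled=%s: extension 35 in ClientHello? %s"
              % (flag, sends_session_ticket_extension(flag)))
```

The SNI extension (type 0) stays in both hellos, which is the point the Debian changelog makes: the tlsext build switch turns on all of the TLS extension machinery, and a client library that wants SNI but not tickets has to opt out of tickets itself, which is exactly the knob the ticket adds.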

participants (5)
- glyph@divmod.com
- Itamar Shtull-Trauring
- Jack Moffitt
- Ralph Meijer
- Tristan Seligmann