On 21 Nov, 08:00 pm, twisted@ralphm.ik.nu wrote:

On Fri, Nov 21, 2008 at 01:20:59PM -0500, Itamar Shtull-Trauring wrote:

...

On Thu, 2008-11-20 at 17:00 -0700, Jack Moffitt wrote:

...

I would like to propose that #3463 (http://twistedmatrix.com/trac/ticket/3463) be additionally committed to the 8.1 branch and any other branches that still get point releases. It is a pretty critical workaround which fixes the fact that recent OpenSSL libraries cannot connect to Java based services.

Why not request relevant distros to do an openssl bugfix and backport? It'd help more people than just twisted users.

Because it is actually a bug in Java, not in OpenSSL. It is just that recent OpenSSL versions enable a feature (Session Tickets) that is standards-wise backwards compatible. Arguably, distributions could choose to not enable the feature by default, but that doesn't have my preference.

This change adds a option to choose if the feature is used, and disables it by default because there is no further support in our SSL code for it and it immediately helps fix a problem that I don't think will be resolved server-side any time soon.

If the "fix" for Twisted is to just disable this feature by default, then it should remain disabled by default for everybody. Including it in the build so that people who want it can enable it is fine, but leaving it on by default for other libraries besides Twisted seems wrong. In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

On 22 Nov, 09:05 am, mithrandi@mithrandi.net wrote:

* glyph@divmod.com <glyph@divmod.com> [2008-11-22 02:57:41 -0000]:

...

In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

Isn't this an upstream change?

Hrm. I gleaned this from looking at some diffs to makefiles that were added to the debian package. My understanding was that the feature was disabled by default, though. Hardy, for example, already has a 'g' version of openssl as well, and the feature is not enabled there. My understanding is that upstream added the feature, but left it disabled by default, then debian turned it on in their build configuration.

...

OpenSSL CHANGES (...) This work was sponsored by Google. [Steve Henson]

That particular line was a little funny though.

I'll admit to lack of familiarity with OpenSSL, and this functionality in particular, so maybe I'm just confused.

Equally possible that I'm confused, though. I'm not 100% sure where the makefile that I'm loooking at diffs to came from.

* Tristan Seligmann <mithrandi@mithrandi.net> [2008-11-23 05:44:18 +0200]:

I guess maybe this is the problem, then:

I also noticed this:

openssl (0.9.8g-8) unstable; urgency=high

* Don't add extentions to ssl v3 connections. It breaks with some other software. (Closes: #471681)

-- Kurt Roeckx <kurt@roeckx.be> Sun, 23 Mar 2008 17:50:04 +0000

#471681 libssl0.9.8: XChat cannot connect to irc.mozilla.org:6697

When libssl0.9.8 0.9.8g-7 is installed xchat 2.8.2-1 (custom build with a ping timeout patch) and 2.8.4-2 fail to connect to irc.mozilla.org/6697 using SSL with the following message:

* Connection failed. Error: (336151568) error:14094410:SSL * routines:SSL3_READ_BYTES:sslv3 alert handshake failure

[...]

I can reproduce your problem. It's the change between 0.9.8g-4 and 0.9.8g-5 that causes the problem that we didn't expect to break anything.

Tee hee.

[...]

So it seems that openssl is sending something different while I can't see a reason why it should be sending something different.

I guess he figured it out in the end, though. -- mithrandi, i Ainil en-Balandor, a faer Ambar

On 22 Nov, 06:02 pm, jack@chesspark.com wrote:

...

In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

Nothing to do with Twisted, yet this means that all my users attempt to use my code will likely fail unless they recompile their distro's openssl or upgrade to the next version (if it gets fixed upstream in a next verison).

Sorry, you seem to have misunderstood me. I'm not saying "let's not backport this fix". I'm saying that backporting the fix is a band-aid; the real issue is in the openssl package. Some effort should be devoted to fixing it there. Also, you could apply an equally band-aid solution to your own code immediately. It shouldn't interfere with the band-aid in Twisted.

This essentially makes my code useless to many, not to mention a pain in the ass for myself.

You're not the only one. The only reason that a zillion people haven't noticed this already is that pidgin uses nspr/nss to talk to gtalk, not openssl.

You've already committed the fix to 8.2 and trunk. All I'm asking is for a bugfix release for 8.1 and possibily 8.0. I don't understand why we are arguing about whether the fix is correct when the question is whether to backport it; it is already accepted and committed.

As far as I'm concerned this is entirely up to the discretion of the release manager, Christopher Armstrong. For my part I'm +0, unless doing a maintenance release will actually get Ubuntu to include the fixed 8.1 in an update, in which case I'm +1. And again, I'm not against it, but I don't see the point of backporting to 8.0; who will have both twisted 8.0 and a system affected by this issue?

On 21 Nov, 08:00 pm, twisted@ralphm.ik.nu wrote:

On Fri, Nov 21, 2008 at 01:20:59PM -0500, Itamar Shtull-Trauring wrote:

...

On Thu, 2008-11-20 at 17:00 -0700, Jack Moffitt wrote:

...

I would like to propose that #3463 (http://twistedmatrix.com/trac/ticket/3463) be additionally committed to the 8.1 branch and any other branches that still get point releases. It is a pretty critical workaround which fixes the fact that recent OpenSSL libraries cannot connect to Java based services.

Why not request relevant distros to do an openssl bugfix and backport? It'd help more people than just twisted users.

Because it is actually a bug in Java, not in OpenSSL. It is just that recent OpenSSL versions enable a feature (Session Tickets) that is standards-wise backwards compatible. Arguably, distributions could choose to not enable the feature by default, but that doesn't have my preference.

This change adds a option to choose if the feature is used, and disables it by default because there is no further support in our SSL code for it and it immediately helps fix a problem that I don't think will be resolved server-side any time soon.

If the "fix" for Twisted is to just disable this feature by default, then it should remain disabled by default for everybody. Including it in the build so that people who want it can enable it is fine, but leaving it on by default for other libraries besides Twisted seems wrong. In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

On 22 Nov, 09:05 am, mithrandi@mithrandi.net wrote:

* glyph@divmod.com <glyph@divmod.com> [2008-11-22 02:57:41 -0000]:

...

In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

Isn't this an upstream change?

Hrm. I gleaned this from looking at some diffs to makefiles that were added to the debian package. My understanding was that the feature was disabled by default, though. Hardy, for example, already has a 'g' version of openssl as well, and the feature is not enabled there. My understanding is that upstream added the feature, but left it disabled by default, then debian turned it on in their build configuration.

...

OpenSSL CHANGES (...) This work was sponsored by Google. [Steve Henson]

That particular line was a little funny though.

I'll admit to lack of familiarity with OpenSSL, and this functionality in particular, so maybe I'm just confused.

Equally possible that I'm confused, though. I'm not 100% sure where the makefile that I'm loooking at diffs to came from.

* Tristan Seligmann <mithrandi@mithrandi.net> [2008-11-23 05:44:18 +0200]:

I guess maybe this is the problem, then:

I also noticed this:

openssl (0.9.8g-8) unstable; urgency=high

* Don't add extentions to ssl v3 connections. It breaks with some other software. (Closes: #471681)

-- Kurt Roeckx <kurt@roeckx.be> Sun, 23 Mar 2008 17:50:04 +0000

#471681 libssl0.9.8: XChat cannot connect to irc.mozilla.org:6697

When libssl0.9.8 0.9.8g-7 is installed xchat 2.8.2-1 (custom build with a ping timeout patch) and 2.8.4-2 fail to connect to irc.mozilla.org/6697 using SSL with the following message:

* Connection failed. Error: (336151568) error:14094410:SSL * routines:SSL3_READ_BYTES:sslv3 alert handshake failure

[...]

I can reproduce your problem. It's the change between 0.9.8g-4 and 0.9.8g-5 that causes the problem that we didn't expect to break anything.

Tee hee.

[...]

So it seems that openssl is sending something different while I can't see a reason why it should be sending something different.

I guess he figured it out in the end, though. -- mithrandi, i Ainil en-Balandor, a faer Ambar

On 22 Nov, 06:02 pm, jack@chesspark.com wrote:

...

In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?

Nothing to do with Twisted, yet this means that all my users attempt to use my code will likely fail unless they recompile their distro's openssl or upgrade to the next version (if it gets fixed upstream in a next verison).

Sorry, you seem to have misunderstood me. I'm not saying "let's not backport this fix". I'm saying that backporting the fix is a band-aid; the real issue is in the openssl package. Some effort should be devoted to fixing it there. Also, you could apply an equally band-aid solution to your own code immediately. It shouldn't interfere with the band-aid in Twisted.

This essentially makes my code useless to many, not to mention a pain in the ass for myself.

You're not the only one. The only reason that a zillion people haven't noticed this already is that pidgin uses nspr/nss to talk to gtalk, not openssl.

You've already committed the fix to 8.2 and trunk. All I'm asking is for a bugfix release for 8.1 and possibily 8.0. I don't understand why we are arguing about whether the fix is correct when the question is whether to backport it; it is already accepted and committed.

As far as I'm concerned this is entirely up to the discretion of the release manager, Christopher Armstrong. For my part I'm +0, unless doing a maintenance release will actually get Ubuntu to include the fixed 8.1 in an update, in which case I'm +1. And again, I'm not against it, but I don't see the point of backporting to 8.0; who will have both twisted 8.0 and a system affected by this issue?