1091544 – Do not force SSLv3, also allow TLSv1_X

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1091544 - Do not force SSLv3, also allow TLSv1_X

Summary: Do not force SSLv3, also allow TLSv1_X

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xchat
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Christopher Aillon (sabbatical, not receiving bugmail)
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-25 20:11 UTC by Michele Baldessari
Modified:	2015-05-05 20:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:	xchat-2.8.8-22.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-11-10 06:10:19 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Simple fix (927 bytes, patch) 2014-04-25 20:11 UTC, Michele Baldessari	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
GNOME Bugzilla	738870	0	None	None	None	Never
Red Hat Bugzilla	1198317	0	urgent	CLOSED	xchat only supports SSLv3	2022-05-16 11:32:56 UTC

Internal Links: 1198317

Description Michele Baldessari 2014-04-25 20:11:00 UTC

Created attachment 889894 [details]
Simple fix

Description of problem:
I noticed that after the heartbleed saga, a couple of IRC server would simply
timeout when connecting to the SSL port. Turns out they required TLSv_1.2. Instead of forcing SSLv3 also support later versions via the SSLv23_method (https://www.openssl.org/docs/ssl/SSL_CTX_new.html)

I am attaching a patch to let the libraries do the negotiation. Tested on a few servers and I can connect correctly on servers that do not enforce any SSL versions and on those that require TLS 1.2.

Comment 1 Wil Cooley 2014-10-15 19:49:36 UTC

Now with POODLE, networks are starting to disallow SSLv3, so this patch allowing TLS is becoming more and more critical.

Here is a similar report for Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/xchat-gnome/+bug/1381484/

Although given the current level of activity with upstream X-Chat, I might be better off finding a new IRC client...

Comment 2 Fedora Update System 2014-10-29 12:19:16 UTC

xchat-2.8.8-20.fc19,xchat-gnome-0.26.2-13.git40c5bf988.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/xchat-2.8.8-20.fc19,xchat-gnome-0.26.2-13.git40c5bf988.fc19

Comment 3 Fedora Update System 2014-10-29 12:21:45 UTC

xchat-gnome-0.26.2-17.git40c5bf988.fc21,xchat-2.8.8-26.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/xchat-gnome-0.26.2-17.git40c5bf988.fc21,xchat-2.8.8-26.fc21

Comment 4 Fedora Update System 2014-10-29 12:27:08 UTC

xchat-2.8.8-22.fc20,xchat-gnome-0.26.2-15.git40c5bf988.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xchat-2.8.8-22.fc20,xchat-gnome-0.26.2-15.git40c5bf988.fc20

Comment 5 Debarshi Ray 2014-10-29 12:34:27 UTC

(In reply to Wil Cooley from comment #1)
> Although given the current level of activity with upstream X-Chat, I might
> be better off finding a new IRC client...

Indeed. For existing xchat users, hexchat is a good alternative.

Comment 6 Fedora Update System 2014-10-31 01:24:59 UTC

Package xchat-gnome-0.26.2-17.git40c5bf988.fc21, xchat-2.8.8-26.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xchat-gnome-0.26.2-17.git40c5bf988.fc21 xchat-2.8.8-26.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13903/xchat-gnome-0.26.2-17.git40c5bf988.fc21,xchat-2.8.8-26.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-11-10 06:10:19 UTC

xchat-gnome-0.26.2-17.git40c5bf988.fc21, xchat-2.8.8-26.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-11-12 02:43:41 UTC

xchat-2.8.8-20.fc19, xchat-gnome-0.26.2-13.git40c5bf988.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-11-12 02:44:31 UTC

xchat-2.8.8-22.fc20, xchat-gnome-0.26.2-15.git40c5bf988.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Patrick Griffis 2015-01-27 05:01:55 UTC

Tad late to this bug, but I am curious why XChat is still being maintained by Fedora. Upstream is clearly dead and has been superseded by HexChat which gets security fixes upstream.

Note You need to log in before you can comment on or make changes to this bug.