Bug 1198317 - xchat only supports SSLv3
Summary: xchat only supports SSLv3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xchat
Version: 7.0
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
Assignee: Debarshi Ray
QA Contact: Desktop QE
URL:
Whiteboard:
Duplicates: 1221262
Depends On:
Blocks:
Reported: 2015-03-03 19:21 UTC by Sean E. Millichamp
Modified: 2019-09-23 19:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 07:31:45 UTC
Target Upstream Version:
Embargoed:


Attachments
Fedora patch (added in dist-git commit 0d239d37) (1.24 KB, patch)
2015-05-05 20:35 UTC, Laszlo Ersek


Links
System | ID | Private | Priority | Status | Summary | Last Updated
GNOME Bugzilla | 738870 | 0 | Normal | RESOLVED | Do not force SSLv3, also allow TLSv1_X | 2020-11-30 15:18:50 UTC
Red Hat Bugzilla | 1091544 | 0 | unspecified | CLOSED | Do not force SSLv3, also allow TLSv1_X | 2022-05-16 11:32:56 UTC
Red Hat Product Errata | RHBA-2015:2215 | 0 | normal | SHIPPED_LIVE | gnome utilities bug fix and enhancement update | 2015-11-19 08:26:52 UTC

Internal Links: 1091544

Description Sean E. Millichamp 2015-03-03 19:21:24 UTC
Description of problem:

xchat uses OpenSSL's SSLv3_client_method() call which results in support only for connecting to SSLv3 capable IRC servers for encrypted connections. Some IRC services are beginning to disable SSLv3 support in light of the recent vulnerabilities.

Version-Release number of selected component (if applicable):

xchat-2.8.8-22.el7.x86_64

Attempting to connect to such a service results in:

Connection failed. Error: (336130315) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Additional info:

Upstream reported bug: http://sourceforge.net/p/xchat/bugs/1598/

Comment 1 Laszlo Ersek 2015-05-05 20:29:46 UTC
Fedora fixed this bug last October / November; please simply pick up the patch from there. Linking the Fedora bug.

I'm also bumping the priority, because this bug prevents RHEL-7 xchat from connecting to OFTC IRC servers, where a lot of open source development happens.

As explained by the OFTC admins, the OFTC IRC servers have recently been upgraded to the new Debian release (Jessie).

The SSL server config in that release apparently rejects all SSLv3 cipher suites, but xchat's ClientHello (as in RHEL-7) advertises only such cipher suites.

http://fpaste.org/218761/08553331/
http://fpaste.org/218763/14308554/
https://www.openssl.org/docs/ssl/SSL_CTX_new.html

Thanks!
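
The handshake detail discussed in comment 1, as an added example that is not part of the original bug report or of the Fedora patch: a small Python parser that reads one ClientHello record and reports the version and cipher suites the client offers, which is what the server evaluates before it answers. The two sample records and the helper names (`build_hello`, `sslv3_only`) are constructed for illustration, not captured from xchat.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Extract the offered version and cipher suites from one ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    # client_version is the highest version the client supports (pre-TLS 1.3).
    client_ver = int.from_bytes(hello[:2], "big")
    pos = 2 + 32                   # past client_version and the 32-byte random
    pos += 1 + hello[pos]          # past session_id and its 1-byte length
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": VERSIONS.get(client_ver, hex(client_ver)),
        "cipher_suites": [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)],
    }


def sslv3_only(record: bytes) -> bool:
    """True when the client caps the handshake at SSLv3, as the report describes."""
    return parse_client_hello(record)["client_version"] == "SSLv3"


def build_hello(rec_ver: int, client_ver: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record for the demo (not captured traffic)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (client_ver.to_bytes(2, "big") + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs


OLD = build_hello(0x0300, 0x0300, [0x0035, 0x002F, 0x000A])   # SSLv3-pinned client
NEW = build_hello(0x0301, 0x0303, [0xC02F, 0x0035, 0x002F])   # version-flexible client
```

Running `sslv3_only()` over the first handshake record of a packet capture gives a quick client-side check before and after a package update.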

Comment 2 Laszlo Ersek 2015-05-05 20:35:31 UTC
Created attachment 1022315
Fedora patch (added in dist-git commit 0d239d37)

Comment 3 Laszlo Ersek 2015-05-05 20:43:13 UTC
Upstream bug: http://sourceforge.net/p/xchat/bugs/1598/

Comment 5 Patrick Griffis 2015-05-06 00:56:33 UTC
(In reply to Laszlo Ersek from comment #3)
> Upstream bug: http://sourceforge.net/p/xchat/bugs/1598/

Note that upstream is dead and should likely be replaced by HexChat at some point.

Comment 6 Laszlo Ersek 2015-05-06 07:22:03 UTC
I agree that upstream seems dead -- the most recent upstream release on xchat.org, 2.8.9, is from 2010 -- but as long as xchat is part of a RHEL major release, the package needs to get at least some (minimally: security) support.

(Which I guess sort of answers your question in bug 1091544 comment 10 as well.)

Hexchat is not in RHEL yet. If an xchat -> hexchat switch would be worthwhile, then the current maintainer of the RHEL xchat package should probably champion that cause with PM.

Personally for me, in order to upgrade from the RHEL7 xchat package to the *EPEL7* hexchat package (i.e. within the same RHEL major release), I would require hexchat to import my xchat settings without manual intervention (either on first startup, or by me running a specialized one-off config conversion tool). RHEL7 xchat keeps its config stuff under ~/.config/xchat2, whereas that of hexchat lives under ~/.config/hexchat [1]. Painless upgrades (no regressions) are part of what makes RHEL enterprise level & suitable for production environments, and I certainly depend on those qualities with my RHEL7 Workstation installation on my laptop.

[1] https://hexchat.readthedocs.org/en/latest/settings.html#config-files

In any case, hexchat seems to me like a reasonable upgrade path -- thank you very much for your continued upstream development and Fedora maintenance!

Comment 8 Debarshi Ray 2015-05-13 17:04:48 UTC
*** Bug 1221262 has been marked as a duplicate of this bug. ***

Comment 10 Debarshi Ray 2015-05-18 12:33:36 UTC
I built xchat-2.8.8-23.el7:
https://brewweb.devel.redhat.com/taskinfo?taskID=9184968

Comment 12 Laszlo Ersek 2015-05-18 13:28:49 UTC
(In reply to Debarshi Ray from comment #10)
> I built xchat-2.8.8-23.el7:
> https://brewweb.devel.redhat.com/taskinfo?taskID=9184968

Works well for me, thank you.

Comment 18 errata-xmlrpc 2015-11-19 07:31:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2215.html

