Bug 1198317

Summary: xchat only supports SSLv3
Product: Red Hat Enterprise Linux 7
Component: xchat
Version: 7.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Target Milestone: rc
Target Release: ---
Reporter: Sean E. Millichamp <sean>
Assignee: Debarshi Ray <debarshir>
QA Contact: Desktop QE <desktop-qa-list>
CC: arubin, debarshir, lersek, lmiksik, mcepl, mclasen, tingping, tpelka, vrutkovs
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-11-19 07:31:45 UTC
Attachments: Fedora patch (added in dist-git commit 0d239d37), flags: none

Description Sean E. Millichamp 2015-03-03 19:21:24 UTC
Description of problem:

xchat uses OpenSSL's SSLv3_client_method() call which results in support only for connecting to SSLv3 capable IRC servers for encrypted connections. Some IRC services are beginning to disable SSLv3 support in light of the recent vulnerabilities.

Version-Release number of selected component (if applicable):

xchat-2.8.8-22.el7.x86_64

Attempting to connect to such a service results in:

Connection failed. Error: (336130315) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Additional info:

Upstream reported bug: http://sourceforge.net/p/xchat/bugs/1598/

Comment 1 Laszlo Ersek 2015-05-05 20:29:46 UTC
Fedora fixed this bug last October / November; please simply pick up the patch from there. Linking the Fedora bug.

I'm also bumping the priority, because this bug prevents RHEL-7 xchat from connecting to OFTC IRC servers, where a lot of open source development happens.

As explained by the OFTC admins, the OFTC IRC servers have recently been upgraded to the new Debian release (Jessie).

The SSL server config in that release apparently rejects all SSLv3 cipher suites, but xchat's ClientHello (as in RHEL-7) advertises only such cipher suites.

http://fpaste.org/218761/08553331/
http://fpaste.org/218763/14308554/
https://www.openssl.org/docs/ssl/SSL_CTX_new.html

Thanks!
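
The ClientHello check that comment 1 refers to, as an added example that is not part of the bug report or of the xchat or Fedora code: a parser that reads the client_version field from captured handshake bytes and flags a client limited to SSLv3. The function names and the sample hello bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSL3_WIRE_VERSION 0x0300 /* SSL 3.0; TLS 1.0-1.2 are 0x0301-0x0303 */
/* Return the client_version field of a ClientHello (the highest version an
 * SSLv3..TLS 1.2 client offers), or -1 if buf is not a well-formed hello. */
int client_hello_version(const uint8_t *buf, size_t len)
{
    if (len < 11 || buf[0] != 0x16)       /* record type 22 = handshake */
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 6 || rec_len > len - 5) /* truncated or bogus length */
        return -1;
    if (buf[5] != 0x01)                   /* handshake type 1 = ClientHello */
        return -1;
    return (buf[9] << 8) | buf[10];       /* follows 3-byte handshake length */
}

/* 1: client offers nothing newer than SSLv3; 0: it offers TLS; -1: not a hello. */
int offers_only_sslv3(const uint8_t *buf, size_t len)
{
    int v = client_hello_version(buf, len);
    return v < 0 ? -1 : v <= SSL3_WIRE_VERSION;
}

/* Constructed sample: minimal 50-byte ClientHello with an all-zero random,
 * empty session id, one cipher suite (0x000A) and null compression. */
size_t make_sample_hello(uint8_t out[50], uint16_t client_version)
{
    static const uint8_t tail[] = { 0x00, 0x00, 0x02, 0x00, 0x0A, 0x01, 0x00 };
    memset(out, 0, 50);
    out[0] = 0x16; out[1] = 0x03;          /* handshake record, version 3.x */
    out[2] = client_version > 0x0300;      /* record layer: 3.0 or 3.1 */
    out[4] = 45;                           /* record length */
    out[5] = 0x01; out[8] = 41;            /* ClientHello, body length */
    out[9] = (uint8_t)(client_version >> 8); out[10] = (uint8_t)client_version;
    memcpy(out + 43, tail, sizeof tail);   /* bytes 11..42 are the random */
    return 50;
}

int main(void)
{
    uint8_t hello[50];
    size_t n = make_sample_hello(hello, 0x0300);
    printf("SSLv3-only client: %d\n", offers_only_sslv3(hello, n));
    return 0;
}
```

The parser assumes the whole ClientHello sits in the first record, which holds for the small hello an SSLv3-only client sends.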

Comment 2 Laszlo Ersek 2015-05-05 20:35:31 UTC
Created attachment 1022315
Fedora patch (added in dist-git commit 0d239d37)

Comment 3 Laszlo Ersek 2015-05-05 20:43:13 UTC
Upstream bug: http://sourceforge.net/p/xchat/bugs/1598/

Comment 5 Patrick Griffis 2015-05-06 00:56:33 UTC
(In reply to Laszlo Ersek from comment #3)
> Upstream bug: http://sourceforge.net/p/xchat/bugs/1598/

Note that upstream is dead and should likely be replaced by HexChat at some point.

Comment 6 Laszlo Ersek 2015-05-06 07:22:03 UTC
I agree that upstream seems dead -- the most recent upstream release on xchat.org, 2.8.9, is from 2010 -- but as long as xchat is part of a RHEL major release, the package needs to get at least some (minimally: security) support.

(Which I guess sort of answers your question in bug 1091544 comment 10 as well.)

Hexchat is not in RHEL yet. If an xchat -> hexchat switch would be worthwhile, then the current maintainer of the RHEL xchat package should probably champion that cause with PM.

Personally for me, in order to upgrade from the RHEL7 xchat package to the *EPEL7* hexchat package (i.e. within the same RHEL major release), I would require hexchat to import my xchat settings without manual intervention (either on first startup, or by me running a specialized one-off config conversion tool). RHEL7 xchat keeps its config stuff under ~/.config/xchat2, whereas that of hexchat lives under ~/.config/hexchat [1]. Painless upgrades (no regressions) are part of what makes RHEL enterprise level & suitable for production environments, and I certainly depend on those qualities with my RHEL7 Workstation installation on my laptop.

[1] https://hexchat.readthedocs.org/en/latest/settings.html#config-files

In any case, hexchat seems to me like a reasonable upgrade path -- thank you very much for your continued upstream development and Fedora maintenance!

Comment 8 Debarshi Ray 2015-05-13 17:04:48 UTC
*** Bug 1221262 has been marked as a duplicate of this bug. ***

Comment 10 Debarshi Ray 2015-05-18 12:33:36 UTC
I built xchat-2.8.8-23.el7:
https://brewweb.devel.redhat.com/taskinfo?taskID=9184968

Comment 12 Laszlo Ersek 2015-05-18 13:28:49 UTC
(In reply to Debarshi Ray from comment #10)
> I built xchat-2.8.8-23.el7:
> https://brewweb.devel.redhat.com/taskinfo?taskID=9184968

Works well for me, thank you.

Comment 18 errata-xmlrpc 2015-11-19 07:31:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2215.html