Bug 825865 - (sslsplit) Review Request: sslsplit - Transparent and scalable SSL/TLS interception
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Patrick Uiterwijk
Fedora Extras Quality Assurance
Blocks: FE-SECLAB
Reported: 2012-05-28 15:09 EDT by Paul Wouters
Modified: 2014-10-17 13:40 EDT
Fixed In Version: sslsplit-0.4.8-3.el7
Doc Type: Bug Fix
Last Closed: 2012-08-09 18:48:49 EDT
puiterwijk: fedora‑review+
limburgher: fedora‑cvs+


A proposed patch to replace the sed line (604 bytes, patch)
2012-07-27 07:47 EDT, Patrick Uiterwijk
Description Paul Wouters 2012-05-28 15:09:18 EDT
Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-1.fc17.src.rpm
Description: SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
network connections. Connections are transparently intercepted through a
network address translation engine and redirected to SSLsplit. SSLsplit
terminates SSL/TLS and initiates a new SSL/TLS connection to the original
destination address, while logging all data transmitted. SSLsplit is
intended to be useful for network forensics and penetration testing.


Fedora Account System Username: pwouters
Comment 1 Fabian Affolter 2012-06-19 10:57:15 EDT
Just some quick comments:

- rpm is taking care of the compression of the man pages.
- You are mixing macro style (%{buildroot}) and variable style ($RPM_OPT_FLAGS)
- 'install -Dp -m 0755 ...' instead of just cp looks nicer ;-)
Comment 2 Michael Scherer 2012-07-08 10:03:49 EDT
Hi, could you document why make test is disabled (I assume because it requires root access, but then I wonder why ecc test is disabled)?
Comment 3 Paul Wouters 2012-07-26 19:57:41 EDT
ecc is banned from Fedora/RHEL for legal (patent) reasons.

I'll fix up macro style and remove compression. Though I think install is a little overkill :)
Comment 4 Patrick Uiterwijk 2012-07-26 20:04:11 EDT
I will review this.
Comment 5 Paul Wouters 2012-07-26 20:22:28 EDT
Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-2.fc17.src.rpm


* Fri Jul 27 2012 Paul Wouters <pwouters@redhat.com> - 0.4.4-2
- Fix missing buildrequire for check-devel
- Run make check
- No need to compress man pages
- No mixing of macro styles
Comment 6 Patrick Uiterwijk 2012-07-26 21:08:24 EDT
- When in a mock build, %check needs openssl, maybe that should be a BuildRequire?

- On a system with no IPv6 network, the tests fail:
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
...
97%: Checks: 105, Failures: 0, Errors: 3

- fedora-review output:

Package Review
==============

Key:
- = N/A
x = Pass
! = Fail
? = Not evaluated



==== C/C++ ====
[x]: MUST Header files in -devel subpackage, if present.
[x]: MUST Package does not contain any libtool archives (.la)
[x]: MUST Package does not contain kernel modules.
[x]: MUST Package contains no static executables.
[x]: MUST Rpath absent or only used for internal libs.


==== Generic ====
[x]: EXTRA Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: EXTRA Spec file according to URL is the same as in SRPM.
[x]: MUST Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: MUST Package successfully compiles and builds into binary rpms on at
     least one supported primary architecture.
[x]: MUST %build honors applicable compiler flags or justifies otherwise.
[x]: MUST All build dependencies are listed in BuildRequires, except for any
     that are listed in the exceptions section of Packaging Guidelines.
[x]: MUST Buildroot is not present
     Note: Unless packager wants to package for EPEL5 this is fine
[x]: MUST Package contains no bundled libraries.
[x]: MUST Changelog in prescribed format.
[x]: MUST Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
     Note: Clean would be needed if support for EPEL is required
[x]: MUST Sources contain only permissible code or content.
[x]: MUST Each %files section contains %defattr if rpm < 4.4
     Note: Note: defattr macros not found. They would be needed for EPEL5
[x]: MUST Macros in Summary, %description expandable at SRPM build time.
[-]: MUST Package contains desktop file if it is a GUI application.
[-]: MUST Development files must be in a -devel package
[x]: MUST Package requires other packages for directories it uses.
[x]: MUST Package uses nothing in %doc for runtime.
[x]: MUST Package is not known to require ExcludeArch.
[x]: MUST Permissions on files are set properly.
[x]: MUST Package does not contain duplicates in %files.
[x]: MUST Package complies to the Packaging Guidelines
[x]: MUST Spec file lacks Packager, Vendor, PreReq tags.
[x]: MUST Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
     Note: rm -rf would be needed if support for EPEL5 is required
[x]: MUST Large documentation files are in a -doc subpackage, if required.
[-]: MUST If (and only if) the source package includes the text of the
     license(s) in its own file, then that file, containing the text of the
     license(s) for the package is included in %doc.
[x]: MUST License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found:
     "BSD (2 clause)", "MIT/X11 (BSD like)" For detailed output of
[x]: MUST Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: MUST Package is named using only allowed ascii characters.
[x]: MUST Package is named according to the Package Naming Guidelines.
[x]: MUST Package does not generate any conflict.
     Note: Package contains no Conflicts: tag(s)
[x]: MUST Package obeys FHS, except libexecdir and /usr/target.
[x]: MUST Package must own all directories that it creates.
[x]: MUST Package does not own files or directories owned by other packages.
[x]: MUST Package installs properly.
[x]: MUST Package is not relocatable.
[x]: MUST Requires correct, justified where necessary.
[x]: MUST Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: MUST Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: MUST Spec file is legible and written in American English.
[x]: MUST Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[-]: MUST Package contains systemd file(s) if in need.
[x]: MUST File names are valid UTF-8.
[x]: MUST Useful -debuginfo package or justification otherwise.
[x]: SHOULD Reviewer should test that the package builds in mock.
[!]: SHOULD If the source package does not include license text(s) as a
     separate file from upstream, the packager SHOULD query upstream to
     include it.
[x]: SHOULD Dist tag is present.
[x]: SHOULD No file requires outside of /etc, /bin, /sbin, /usr/bin,
     /usr/sbin.
[x]: SHOULD Final provides and requires are sane (rpm -q --provides and rpm -q
     --requires).
[?]: SHOULD Package functions as described.
[x]: SHOULD Latest version is packaged.
[x]: SHOULD Package does not include license text files separate from
     upstream.
[x]: SHOULD SourceX / PatchY prefixed with %{name}.
[x]: SHOULD SourceX is a working URL.
[-]: SHOULD Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: SHOULD Package should compile and build into binary rpms on all supported
     architectures.
[!]: SHOULD %check is present and all tests pass.
     Note: The checks fail on a system without IPv6 support
[x]: SHOULD Packages should try to preserve timestamps of original installed
     files.
[x]: SHOULD Spec use %global instead of %define.

Rpmlint
-------
Checking: sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm
          sslsplit-0.4.4-2.fc18.src.rpm
          sslsplit-0.4.4-2.fc18.x86_64.rpm
sslsplit.src: W: spelling-error Summary(en_US) scalable -> salable, callable, calculable
sslsplit.src: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, filterer
sslsplit.x86_64: W: spelling-error Summary(en_US) scalable -> salable, callable, calculable
sslsplit.x86_64: W: spelling-error %description -l en_US netfilter -> net filter, net-filter, filterer
sslsplit.x86_64: E: non-standard-executable-perm /usr/bin/sslsplit 0775L
sslsplit.x86_64: W: manual-page-warning /usr/share/man/man1/sslsplit.1.gz 395: warning: macro `HS' not defined
3 packages and 0 specfiles checked; 1 errors, 5 warnings.


Rpmlint (installed packages)
----------------------------
# rpmlint sslsplit
sslsplit.x86_64: I: enchant-dictionary-not-found en_US
sslsplit.x86_64: E: non-standard-executable-perm /usr/bin/sslsplit 0775L
sslsplit.x86_64: W: manual-page-warning /usr/share/man/man1/sslsplit.1.gz 395: warning: macro `HS' not defined
1 packages and 0 specfiles checked; 1 errors, 1 warnings.
# echo 'rpmlint-done:'

Requires
--------
sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm (rpmlib, GLIBC filtered):
    

sslsplit-0.4.4-2.fc18.x86_64.rpm (rpmlib, GLIBC filtered):
    
    iproute  
    iptables  
    libc.so.6()(64bit)  
    libcrypto.so.10()(64bit)  
    libcrypto.so.10(OPENSSL_1.0.1)(64bit)  
    libcrypto.so.10(libcrypto.so.10)(64bit)  
    libevent-2.0.so.5()(64bit)  
    libevent_openssl-2.0.so.5()(64bit)  
    libevent_pthreads-2.0.so.5()(64bit)  
    libpthread.so.0()(64bit)  
    libssl.so.10()(64bit)  
    libssl.so.10(libssl.so.10)(64bit)  
    rtld(GNU_HASH)  

Provides
--------
sslsplit-debuginfo-0.4.4-2.fc18.x86_64.rpm:
    
    sslsplit-debuginfo = 0.4.4-2.fc18
    sslsplit-debuginfo(x86-64) = 0.4.4-2.fc18

sslsplit-0.4.4-2.fc18.x86_64.rpm:
    
    sslsplit = 0.4.4-2.fc18
    sslsplit(x86-64) = 0.4.4-2.fc18

MD5-sum check
-------------
http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.4.tar.bz2 :
  MD5SUM this package     : db3a32e0d3bf69ac3f4d95ce540dbc75
  MD5SUM upstream package : db3a32e0d3bf69ac3f4d95ce540dbc75


Generated by fedora-review 0.2.0 (53cc903) last change: 2012-07-09
Comment 7 Patrick Uiterwijk 2012-07-26 21:11:28 EDT
Please note: fedora-review was done on an SRPM where I removed the call to make check, since my system does not have IPv6 connectivity.
Comment 8 Patrick Uiterwijk 2012-07-27 07:26:03 EDT
I just noticed I forgot one very important thing, which I think is really dangerous:
- Sed lines in the spec file.
If the upstream sources change, this could break quite easily without anyone noticing. I would suggest using a patch file, since they just fail to apply (and thus fail to build the RPM) if there is something changed, so the maintainer will take a look at the build logs.
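The failure mode raised in Comment 8, as an added example that is not part of the thread or of the package's spec file: a plain sed exits 0 even when upstream has changed and nothing matches, while a guarded sed fails the build the way a non-applying patch would. The makefile fragments, flag names and function names below are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-ins for an upstream makefile; not sslsplit's real build files.
write_old_upstream() {   # the layout the packager wrote the sed line against
    printf '%s\n' 'FEATURES := -DHAVE_TLS -DHAVE_ECC' 'CFLAGS += $(FEATURES)' > "$1"
}
write_new_upstream() {   # a later release moves the flag to its own line and renames it
    printf '%s\n' 'FEATURES := -DHAVE_TLS' 'FEATURES += -DWITH_ECC' \
        'CFLAGS += $(FEATURES)' > "$1"
}

# Plain sed, as typically written in %prep: exits 0 whether or not it matched.
plain_sed() {
    sed 's/ -DHAVE_ECC//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Guarded sed: refuse to continue when the expected text is gone, so the
# build stops and the maintainer has to look at the log.
guarded_sed() {
    if ! grep -q -e ' -DHAVE_ECC' "$1"; then
        echo "error: ' -DHAVE_ECC' not found in $1; upstream changed" >&2
        return 1
    fi
    plain_sed "$1"
}

# True when the file still enables any ECC flag.
ecc_enabled() { grep -q 'ECC' "$1"; }

report() {
    if ecc_enabled "$2"; then echo "$1: ECC still on"; else echo "$1: ECC off"; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    write_old_upstream "$dir/old.mk"
    write_new_upstream "$dir/new.mk"
    cp "$dir/new.mk" "$dir/new_guarded.mk"

    plain_sed "$dir/old.mk"; report "old upstream, plain sed (exit $?)" "$dir/old.mk"
    plain_sed "$dir/new.mk"; report "new upstream, plain sed (exit $?)" "$dir/new.mk"
    guarded_sed "$dir/new_guarded.mk" 2>/dev/null
    echo "new upstream, guarded sed: exit $?"
    rm -rf "$dir"
}

demo
```

The second case is the one that matters for a package that must ship without a feature: the build succeeds and the feature is still compiled in.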
Comment 9 Michael Scherer 2012-07-27 07:40:23 EDT
True, and a proper patch could be sent upstream (with, for example, autodetection of the supported ciphers, or a switch somewhere). But on the other hand, I think we cannot blame anyone for not wanting to touch the makefile :)
Comment 10 Patrick Uiterwijk 2012-07-27 07:47:11 EDT
Created attachment 600749 [details]
A proposed patch to replace the sed line

I created this patch by just applying the sed line to a local directory.
My suggestion would be to use something like this.
Comment 11 Paul Wouters 2012-07-28 17:38:51 EDT
The sed lines usually fix a problem, so it won't silently cause something to break. It will generally explode building if failed. I like it because I don't have to create a trivial patchlet. Also it will never be submitted upstream, as it removes ECC functionality, which is our own legal "problem", not upstream's.

openssl is already a buildrequire, mock builds work fine for me.

Fixed binary permissions from 775 to 755

I'm not sure I understand the ipv6 problem. On a stock Fedora install it seems to work even if no ipv6 is there. It builds/tests for me on a system that does not have ipv6 enabled in /etc/sysconfig/network.

Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-3.fc17.src.rpm
Comment 12 Patrick Uiterwijk 2012-07-28 20:20:35 EDT
I cannot reproduce the 'openssl missing' bug anymore, I guess that was a temporary hiccup of my mock root.


About the IPv6 problem: I guess that's because this is a system that is configured to use IPv6, but has not received an IPv6 address.
I just tried it again, and still cannot finish the tests, and thus not build the RPM, both with and without mock.

The error lines:
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
Cannot resolve address '::1' port '10443': Name or service not known
...
97%: Checks: 105, Failures: 0, Errors: 3
opts.t.c:96:E:proxyspec_parse:proxyspec_parse_02:0: (after this point) Early exit with return value 1
opts.t.c:298:E:proxyspec_parse:proxyspec_parse_13:0: (after this point) Early exit with return value 1
opts.t.c:331:E:proxyspec_parse:proxyspec_parse_14:0: (after this point) Early exit with return value 1


The "Name or service not known" gets verified by "ping ::1": "ping: unknown host ::1"
Comment 13 Paul Wouters 2012-07-29 12:35:32 EDT
I'm still confused about this error. I'll have a closer look. btw, don't use ping but ping6

[paul@bofh ~]$ ping6 ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.044 ms
Comment 14 Patrick Uiterwijk 2012-07-29 15:26:21 EDT
I can reproduce this even with a completely new, both Minimal and Graphical Desktop, installation of F17.

The only commands ever executed on this VM after installation are:
sudo yum install -y ccache mock wget
wget ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-3.fc17.src.rpm
mock sslsplit-0.4.4-3.fc17.src.rpm

And when I read the /var/lib/mock/fedora-17-x86_64/result/build.log, I get the exact same errors.
Again, this is a system that has no IPv6 connectivity whatsoever, the only IPv6 address it has is the fe80:... address.
Comment 15 Patrick Uiterwijk 2012-07-29 15:44:23 EDT
Make check also fails if the building machine has no connection to the internet, as it tries to test itself by reaching the website of the creator.
This is a problem on Koji, as the builders appear to have no connectivity to the outside world, so any Koji build will fail currently.
This also makes the building dependent on the website of the author, which may or may not be desirable (what would happen if the author would cancel his domain name somewhere in the future?).

Proof: https://koji.fedoraproject.org/koji/taskinfo?taskID=4340467

I would suggest either removing the tests connecting to the internet, and making the IPv6 tests conditional on connectivity, or just disabling make check completely for the moment.
Comment 16 Paul Wouters 2012-07-30 00:29:19 EDT
Spec URL: ftp://ftp.nohats.ca/sslsplit/sslsplit.spec
SRPM URL: ftp://ftp.nohats.ca/sslsplit/sslsplit-0.4.4-4.fc17.src.rpm

Totally missed that. Commented make test section with a comment.
Comment 17 Patrick Uiterwijk 2012-07-30 01:47:35 EDT
Since this version successfully builds, even in Koji, and I see no other problems anymore as it seems to be working correctly, I declare this package to be

APPROVED
Comment 18 Paul Wouters 2012-07-30 02:00:12 EDT
New Package SCM Request
=======================
Package Name: sslsplit
Short Description: Transparent and scalable SSL/TLS interception
Owners: pwouters
Branches: f17 el6
InitialCC:
Comment 19 Jon Ciesla 2012-07-30 05:40:29 EDT
Patrick, please re-set review-flag to +.
Comment 20 Patrick Uiterwijk 2012-07-30 05:53:01 EDT
Done, although I don't know why it wasn't, as I had left it on +.
 I have also raised the CVS flag again.
Comment 21 Jon Ciesla 2012-07-30 05:59:56 EDT
Git done (by process-git-requests).

Thanks, I think it's a Bugzilla issue, and there's already a Trac on it if
I'm not mistaken.
Comment 22 Fedora Update System 2012-07-30 13:34:54 EDT
sslsplit-0.4.4-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sslsplit-0.4.4-4.fc17
Comment 23 Paul Wouters 2012-07-30 13:35:54 EDT
note EL branch cannot build because we actually require libevent >= 2.0 and EL only has 1.x
Comment 24 Fedora Update System 2012-07-30 18:23:27 EDT
sslsplit-0.4.4-4.fc17 has been pushed to the Fedora 17 testing repository.
Comment 25 Fedora Update System 2012-08-09 18:48:49 EDT
sslsplit-0.4.4-4.fc17 has been pushed to the Fedora 17 stable repository.
Comment 26 Paul Wouters 2014-09-30 14:54:37 EDT
Package Change Request
======================
Package Name: sslsplit
New Branches: epel7
Owners: pwouters
InitialCC:
Comment 27 Jon Ciesla 2014-09-30 15:54:21 EDT
Git done (by process-git-requests).
Comment 28 Fedora Update System 2014-09-30 16:31:31 EDT
sslsplit-0.4.8-3.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/sslsplit-0.4.8-3.el7
Comment 29 Fedora Update System 2014-10-17 13:40:15 EDT
sslsplit-0.4.8-3.el7 has been pushed to the Fedora EPEL 7 stable repository.
