rants, tirades, ruminations
progress, progress, and more progress posted Tue, 12 Jan 2010 17:14:02 UTC
I've been banging my head against a few walls lately, all related to the inevitable, yet sometimes annoying march of progress.
The first problem to rear its ugly head was based on a somewhat recent change in the netbase package of Debian. Specifically, the sysctl net.ipv6.bindv6only was finally enabled to bring Debian up to snuff in relation to most other modern operating systems. This is all well and good, since IPv6 is fairly solid at this point I imagine. The problem is, a few outlying programs weren't quite prepared for the change. In my case, several Java interpreters (Sun and OpenJDK, or sun-java6-jre and openjdk-6-jre in Debian) and murmurd from the Mumble project (mumble-server in Debian).
I reported the murmurd problem on both SourceForge and the Debian bug tracker. The problem had actually already been fixed by the developers, it just hadn't made it into a release yet. That was all fixed though with Mumble 1.2.1. Along the way, I learned a lot more about IPV6_V6ONLY and RFC 3493 than I ever wanted.
Java required a workaround, since things haven't been fixed yet on any release for the Sun or OpenJDK interpreters. All that was needed was -Djava.net.preferIPv4Stack=true added to my command line and voila, everything is happy again.
The other serious problem was that thanks to a recent SSL/TLS protocol vulnerability (CVE-2009-3555), several more things broke. The first problem was with stuff at work. I had been using the SSLCipherSuite option in a lot of our virtual host directives in Apache. The problem with that seemed to be that it always forced a renegotiation of the cipher being used, which would subsequently cause the session to die with "
Re-negotiation handshake failed: Not accepted by client!?". Simply removing the SSLCipherSuite directive seemed to make all the clients happy again, but it's a lingering issue I'm sure, as is the whole mess in general since the protocol itself is having to be extended to fix this fundamental design flaw.
Along these same lines, I also ran into an issue trying to connect to my useful, yet often cantankerous Darwin Calendar Server. Everything was working just fine using iceowl to talk to my server's instance of DCS. And then, it wasn't. I'm fairly certain at this point that it's all related to changes made in Debian's version of the OpenSSL libraries, again, working around the aforementioned vulnerability. But the ultimate reality was, I couldn't connect with my calendar client any longer.
Once I pieced together that it was a problem with TLS1/SSL2, I simply configured my client to only allow SSL3. This works fine now with the self-signed, expired certificate which ships in the DCS source tree. I still can't manage to get things working with my perfectly valid GoDaddy certificate, but I'm happy with a working, encrypted, remote connection for the time being. My post to the user list describing the one change necessary to get Sunbird/iceowl working is here.