diff options
| author | manu <manu@pkgsrc.org> | 2015-09-23 08:32:15 +0000 |
|---|---|---|
| committer | manu <manu@pkgsrc.org> | 2015-09-23 08:32:15 +0000 |
| commit | d17a79cbe1f7eaf9f60e4fca3e76bfea7cfe963c (patch) | |
| tree | e0fb6aed6d45fdf1b7afdd62c35d45490df9b378 /mail/imapproxy/patches/patch-src_main.c | |
| parent | 8ccef4ce1fd0f97244e41d604816ef11a29cd120 (diff) | |
| download | pkgsrc-d17a79cbe1f7eaf9f60e4fca3e76bfea7cfe963c.tar.gz | |
TLSv1.2 support for mail/imapproxy
The change is from upstream with minor tweaks: use SSLv23_client_method()
that negociate highest possible protocol instead of TLSv1_client_method()
that can only do TLSv1.0. Insecure SSLv2 and SSLv3 are disabled through
SSL_CTX_set_options().
Approved by Thomas Klausner <wiz@NetBSD.org> on behalf of pksrc-pmc
Diffstat (limited to 'mail/imapproxy/patches/patch-src_main.c')
| -rw-r--r-- | mail/imapproxy/patches/patch-src_main.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/mail/imapproxy/patches/patch-src_main.c b/mail/imapproxy/patches/patch-src_main.c new file mode 100644 index 00000000000..ffcd1c27114 --- /dev/null +++ b/mail/imapproxy/patches/patch-src_main.c @@ -0,0 +1,37 @@ +$NetBSD: patch-src_main.c,v 1.1 2015/09/23 08:32:15 manu Exp $ + +From upstream: +Negotiate highest TLS protocol possible, with TLSv1.0 being the minium. + +--- src/main.c.orig 2015-09-23 09:44:41.000000000 +0200 ++++ src/main.c 2015-09-23 09:49:30.000000000 +0200 +@@ -479,17 +479,24 @@ + RAND_write_file( f_randfile ); + } + + SSL_load_error_strings(); +- tls_ctx = SSL_CTX_new( TLSv1_client_method() ); ++ ++ /* ++ * Despite its name, SSLv23_client_method() negociates highest ++ * version possible, which includes TLSv1.0, TLSv1.1, and TLSv1.2. ++ * SSLv2 and SSLv3 are disabled using SSL_OP_NO_SSLv2 and ++ * SSL_OP_NO_SSLv3 below. ++ */ ++ tls_ctx = SSL_CTX_new( SSLv23_client_method() ); + if ( tls_ctx == NULL ) +- { ++ { + syslog(LOG_ERR, "%s: Failed to create new SSL_CTX. Exiting.", fn); + exit( 1 ); + } +- +- /* Work around all known bugs */ +- SSL_CTX_set_options( tls_ctx, SSL_OP_ALL ); ++ ++ /* Work around all known bugs, disable SSLv2 and SSLv3 */ ++ SSL_CTX_set_options( tls_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 ); + + if ( ! SSL_CTX_load_verify_locations( tls_ctx, + PC_Struct.tls_ca_file, + PC_Struct.tls_ca_path ) || |