author | manu <manu@pkgsrc.org> | 2015-09-23 08:32:15 +0000 |
---|---|---|
committer | manu <manu@pkgsrc.org> | 2015-09-23 08:32:15 +0000 |
commit | d17a79cbe1f7eaf9f60e4fca3e76bfea7cfe963c (patch) | |
tree | e0fb6aed6d45fdf1b7afdd62c35d45490df9b378 /mail/imapproxy | |
parent | 8ccef4ce1fd0f97244e41d604816ef11a29cd120 (diff) | |
TLSv1.2 support for mail/imapproxy
The change is from upstream with minor tweaks: use SSLv23_client_method(),
which negotiates the highest possible protocol, instead of TLSv1_client_method(),
which can only do TLSv1.0. Insecure SSLv2 and SSLv3 are disabled through
SSL_CTX_set_options().
Approved by Thomas Klausner <wiz@NetBSD.org> on behalf of pkgsrc-pmc
Diffstat (limited to 'mail/imapproxy')
-rw-r--r-- | mail/imapproxy/Makefile | 4 | ||||
-rw-r--r-- | mail/imapproxy/distinfo | 3 | ||||
-rw-r--r-- | mail/imapproxy/patches/patch-src_main.c | 37 |
3 files changed, 41 insertions, 3 deletions
diff --git a/mail/imapproxy/Makefile b/mail/imapproxy/Makefile index 476854b053f..51bc9913b4d 100644 --- a/mail/imapproxy/Makefile +++ b/mail/imapproxy/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.15 2015/01/18 15:57:10 wiedi Exp $ +# $NetBSD: Makefile,v 1.16 2015/09/23 08:32:15 manu Exp $ # DISTNAME= up-imapproxy-1.2.7 PKGNAME= imapproxy-1.2.7 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= mail MASTER_SITES= http://www.imapproxy.org/downloads/ diff --git a/mail/imapproxy/distinfo b/mail/imapproxy/distinfo index 0dc8816784e..d07d4c43b45 100644 --- a/mail/imapproxy/distinfo +++ b/mail/imapproxy/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.7 2013/04/15 15:41:55 manu Exp $ +$NetBSD: distinfo,v 1.8 2015/09/23 08:32:15 manu Exp $ SHA1 (up-imapproxy-1.2.7.tar.gz) = 1e09730c19cbde3590093b5b4c4599ab69bfced7 RMD160 (up-imapproxy-1.2.7.tar.gz) = 32eddc89fb35c49334eedc3135ede0fc1241e831 @@ -10,3 +10,4 @@ SHA1 (patch-bc) = c3daf40715af721a0c4ff1b1071a892c94b59ce5 SHA1 (patch-include_imapproxy.h) = 9e2326ece220e48c3baa2949b13d21448405e741 SHA1 (patch-src_config.c) = 84ac9bde7cf64add665adb0f4d658ef856a91ae0 SHA1 (patch-src_imapcommon.c) = 250b9d6edb9e0b475f673af8ca9bef235ddab796 +SHA1 (patch-src_main.c) = ab3acd0a77f1848a3aa5cdf9dc0ab7389d94903c diff --git a/mail/imapproxy/patches/patch-src_main.c b/mail/imapproxy/patches/patch-src_main.c new file mode 100644 index 00000000000..ffcd1c27114 --- /dev/null +++ b/mail/imapproxy/patches/patch-src_main.c 
@@ -0,0 +1,37 @@
+$NetBSD: patch-src_main.c,v 1.1 2015/09/23 08:32:15 manu Exp $
+
+From upstream:
+Negotiate highest TLS protocol possible, with TLSv1.0 being the minium.
+
+--- src/main.c.orig 2015-09-23 09:44:41.000000000 +0200
++++ src/main.c 2015-09-23 09:49:30.000000000 +0200
+@@ -479,17 +479,24 @@
+ RAND_write_file( f_randfile );
+ }
+
+ SSL_load_error_strings();
+- tls_ctx = SSL_CTX_new( TLSv1_client_method() );
++
++ /*
++ * Despite its name, SSLv23_client_method() negociates highest
++ * version possible, which includes TLSv1.0, TLSv1.1, and TLSv1.2.
++ * SSLv2 and SSLv3 are disabled using SSL_OP_NO_SSLv2 and
++ * SSL_OP_NO_SSLv3 below.
++ */
++ tls_ctx = SSL_CTX_new( SSLv23_client_method() );
+ if ( tls_ctx == NULL )
+- {
++ {
+ syslog(LOG_ERR, "%s: Failed to create new SSL_CTX. Exiting.", fn);
+ exit( 1 );
+ }
+-
+- /* Work around all known bugs */
+- SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
++
++ /* Work around all known bugs, disable SSLv2 and SSLv3 */
++ SSL_CTX_set_options( tls_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
+
+ if ( ! SSL_CTX_load_verify_locations( tls_ctx,
+ PC_Struct.tls_ca_file,
+ PC_Struct.tls_ca_path ) || |
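Review bot: The new `SSL_CTX_set_options()` call keeps `SSL_OP_ALL` while TLSv1.0 remains the protocol floor. In the OpenSSL 1.0.x headers `SSL_OP_ALL` includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which switches off the empty-fragment countermeasure for CBC ciphersuites at TLSv1.0. I would mask that bit out: `SSL_CTX_set_options( tls_ctx, (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );`. The hunk shows `SSL_CTX_load_verify_locations()` but the function starts and ends outside it, so whether `SSL_CTX_set_verify()` with `SSL_VERIFY_PEER` is applied to this context cannot be confirmed from here and is worth checking alongside this change.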