mirror of
https://git.freebsd.org/ports.git
synced 2025-06-07 22:00:31 -04:00
bd221c2699
This is a patch make by Debian's own Noah Meyerhans that disables SSLv3, fixes or removes the tests that choke without SSLv3, and lets IO::Socket::SSL choose the best TLS level rather than forcing it at TLSv1. I can't think of a responsible reason to allow re-enabling it as an OPTION, so add a note to UPDATING warning people of the change and referencing the below PR. PORTREVISION bump. PR: 208225 Submitted by: Sascha Holzleiter Obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199 MFH: 2016Q2
258 lines
8.9 KiB
Text
258 lines
8.9 KiB
Text
--- spamc/libspamc.c.orig
|
|
+++ spamc/libspamc.c
|
|
@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
|
|
unsigned int throwaway;
|
|
SSL_CTX *ctx = NULL;
|
|
SSL *ssl = NULL;
|
|
- SSL_METHOD *meth;
|
|
+ const SSL_METHOD *meth;
|
|
char zlib_on = 0;
|
|
unsigned char *zlib_buf = NULL;
|
|
int zlib_bufsiz = 0;
|
|
@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
|
|
if (flags & SPAMC_USE_SSL) {
|
|
#ifdef SPAMC_SSL
|
|
SSLeay_add_ssl_algorithms();
|
|
- if (flags & SPAMC_TLSV1) {
|
|
- meth = TLSv1_client_method();
|
|
- } else {
|
|
- meth = SSLv3_client_method(); /* default */
|
|
- }
|
|
+ meth = SSLv23_client_method();
|
|
SSL_load_error_strings();
|
|
ctx = SSL_CTX_new(meth);
|
|
#else
|
|
@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
|
|
int failureval;
|
|
SSL_CTX *ctx = NULL;
|
|
SSL *ssl = NULL;
|
|
- SSL_METHOD *meth;
|
|
+ const SSL_METHOD *meth;
|
|
|
|
assert(tp != NULL);
|
|
assert(m != NULL);
|
|
@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
|
|
if (flags & SPAMC_USE_SSL) {
|
|
#ifdef SPAMC_SSL
|
|
SSLeay_add_ssl_algorithms();
|
|
- meth = SSLv3_client_method();
|
|
+ meth = SSLv23_client_method();
|
|
SSL_load_error_strings();
|
|
ctx = SSL_CTX_new(meth);
|
|
#else
|
|
--- spamc/spamc.c.orig
|
|
+++ spamc/spamc.c
|
|
@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
|
|
case 'S':
|
|
{
|
|
flags |= SPAMC_USE_SSL;
|
|
- if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
|
|
- flags |= SPAMC_SSLV3;
|
|
- }
|
|
- else if (strcmp(spamc_optarg,"tlsv1") == 0) {
|
|
- flags |= SPAMC_TLSV1;
|
|
- }
|
|
- else {
|
|
- libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
|
|
- ret = EX_USAGE;
|
|
- }
|
|
+ if(spamc_optarg) {
|
|
+ libspamc_log(flags, LOG_ERR,
|
|
+ "Explicit specification of an SSL/TLS version no longer supported.");
|
|
+ ret = EX_USAGE;
|
|
+ }
|
|
break;
|
|
}
|
|
#endif
|
|
--- spamd/spamd.raw.orig
|
|
+++ spamd/spamd.raw
|
|
@@ -409,7 +409,6 @@ GetOptions(
|
|
'sql-config!' => \$opt{'sql-config'},
|
|
'ssl' => \$opt{'ssl'},
|
|
'ssl-port=s' => \$opt{'ssl-port'},
|
|
- 'ssl-version=s' => \$opt{'ssl-version'},
|
|
'syslog-socket=s' => \$opt{'syslog-socket'},
|
|
'syslog|s=s' => \$opt{'syslog'},
|
|
'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'},
|
|
@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
|
|
|
|
# Do whitelist later in tmp dir. Side effect: this will be done as -u user.
|
|
|
|
-my $sslversion = $opt{'ssl-version'} || 'sslv3';
|
|
-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
|
|
- die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
|
|
-}
|
|
-
|
|
$opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
|
|
$opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
|
|
|
|
@@ -899,9 +893,8 @@ sub compose_listen_info_string {
|
|
$socket_info->{ip_addr}, $socket_info->{port}));
|
|
|
|
} elsif ($socket->isa('IO::Socket::SSL')) {
|
|
- push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
|
|
- $socket_info->{ip_addr}, $socket_info->{port},
|
|
- $opt{'ssl-version'}||'sslv3'));
|
|
+ push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
|
|
+ $socket_info->{port}));
|
|
}
|
|
}
|
|
|
|
@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
|
|
$sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
|
|
&& IO::Socket::IP->VERSION >= 0.09;
|
|
%sockopt = (%sockopt, (
|
|
- SSL_version => $sslversion,
|
|
SSL_verify_mode => 0x00,
|
|
SSL_key_file => $opt{'server-key'},
|
|
SSL_cert_file => $opt{'server-cert'},
|
|
@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
|
|
if (!$server_inet) {
|
|
$diag = sprintf("could not create %s socket on [%s]:%s: %s",
|
|
$ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
|
|
- $adr, $port, $!);
|
|
+ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
|
|
+ "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
|
|
push(@diag_fail, $diag);
|
|
} else {
|
|
$diag = sprintf("created %s socket on [%s]:%s",
|
|
@@ -3238,7 +3231,6 @@ Options:
|
|
-H [dir], --helper-home-dir[=dir] Specify a different HOME directory
|
|
--ssl Enable SSL on TCP connections
|
|
--ssl-port port Override --port setting for SSL connections
|
|
- --ssl-version sslversion Specify SSL protocol version to use
|
|
--server-key keyfile Specify an SSL keyfile
|
|
--server-cert certfile Specify an SSL certificate
|
|
--socketpath=path Listen on a given UNIX domain socket
|
|
@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
|
|
SSL connections (default: whatever --port uses). See B<--ssl> for
|
|
more details.
|
|
|
|
-=item B<--ssl-version>=I<sslversion>
|
|
-
|
|
-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
|
|
-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
|
|
-higher hello handshake, then negotiating use of SSLv3 or TLSv1
|
|
-protocol if the client can accept it. Specifying B<--ssl-version>
|
|
-implies B<--ssl>.
|
|
-
|
|
=item B<--server-key> I<keyfile>
|
|
|
|
Specify the SSL key file to use for SSL connections.
|
|
--- spamc/spamc.pod.orig
|
|
+++ spamc/spamc.pod
|
|
@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
|
|
Sleep for I<sleep> seconds between failed spamd filtering attempts.
|
|
The default is 1 second.
|
|
|
|
-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
|
|
+=item B<-S>, B<--ssl>, B<--ssl>
|
|
|
|
If spamc was built with support for SSL, encrypt data to and from the
|
|
spamd process with SSL; spamd must support SSL as well.
|
|
-I<sslversion> specifies the SSL protocol version to use, either
|
|
-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
|
|
|
|
=item B<-t> I<timeout>, B<--timeout>=I<timeout>
|
|
|
|
--- t/spamd_ssl_tls.t.orig
|
|
+++ t/spamd_ssl_tls.t
|
|
@@ -1,28 +0,0 @@
|
|
-#!/usr/bin/perl
|
|
-
|
|
-use lib '.'; use lib 't';
|
|
-use SATest; sa_t_init("spamd_ssl_tls");
|
|
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
|
|
-
|
|
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
|
|
-
|
|
-# ---------------------------------------------------------------------------
|
|
-
|
|
-%patterns = (
|
|
-
|
|
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
|
|
-q{ Subject: There yours for FREE!}, 'subj',
|
|
-q{ X-Spam-Status: Yes, score=}, 'status',
|
|
-q{ X-Spam-Flag: YES}, 'flag',
|
|
-q{ X-Spam-Level: **********}, 'stars',
|
|
-q{ TEST_ENDSNUMS}, 'endsinnums',
|
|
-q{ TEST_NOREALNAME}, 'noreal',
|
|
-q{ This must be the very last line}, 'lastline',
|
|
-
|
|
-
|
|
-);
|
|
-
|
|
-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
|
|
- "--ssl=tlsv1 < data/spam/001",
|
|
- \&patterns_run_cb));
|
|
-ok_all_patterns();
|
|
--- t/spamd_ssl_v3.t.orig
|
|
+++ t/spamd_ssl_v3.t
|
|
@@ -1,28 +0,0 @@
|
|
-#!/usr/bin/perl
|
|
-
|
|
-use lib '.'; use lib 't';
|
|
-use SATest; sa_t_init("spamd_sslv3");
|
|
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
|
|
-
|
|
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
|
|
-
|
|
-# ---------------------------------------------------------------------------
|
|
-
|
|
-%patterns = (
|
|
-
|
|
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
|
|
-q{ Subject: There yours for FREE!}, 'subj',
|
|
-q{ X-Spam-Status: Yes, score=}, 'status',
|
|
-q{ X-Spam-Flag: YES}, 'flag',
|
|
-q{ X-Spam-Level: **********}, 'stars',
|
|
-q{ TEST_ENDSNUMS}, 'endsinnums',
|
|
-q{ TEST_NOREALNAME}, 'noreal',
|
|
-q{ This must be the very last line}, 'lastline',
|
|
-
|
|
-
|
|
-);
|
|
-
|
|
-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
|
|
- "--ssl=sslv3 < data/spam/001",
|
|
- \&patterns_run_cb));
|
|
-ok_all_patterns();
|
|
--- t/spamd_ssl_accept_fail.t.orig
|
|
+++ t/spamd_ssl_accept_fail.t
|
|
@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
|
|
|
|
);
|
|
|
|
-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
|
|
+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
|
|
ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
|
|
-ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb));
|
|
+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
|
|
ok (stop_spamd ());
|
|
|
|
ok_all_patterns();
|
|
--- t/spamd_ssl.t.orig
|
|
+++ t/spamd_ssl.t
|
|
@@ -2,10 +2,7 @@
|
|
|
|
use lib '.'; use lib 't';
|
|
use SATest; sa_t_init("spamd_ssl");
|
|
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
|
|
- onfail => sub {
|
|
- warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
|
|
- "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
|
|
+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
|
|
|
|
exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
|
|
|
|
--- MANIFEST.orig
|
|
+++ MANIFEST
|
|
@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
|
|
t/spamd_sql_prefs.t
|
|
t/spamd_ssl.t
|
|
t/spamd_ssl_accept_fail.t
|
|
-t/spamd_ssl_tls.t
|
|
-t/spamd_ssl_v3.t
|
|
t/spamd_stop.t
|
|
t/spamd_symbols.t
|
|
t/spamd_syslog.t
|