130 lines
3.7 KiB
Diff
130 lines
3.7 KiB
Diff
---
|
|
mailx.1 | 5 +++++
|
|
openssl.c | 29 ++++++++++++++++++++++++++---
|
|
2 files changed, 31 insertions(+), 3 deletions(-)
|
|
|
|
Index: mailx.1
|
|
===================================================================
|
|
--- mailx.1.orig
|
|
+++ mailx.1
|
|
@@ -2723,6 +2723,8 @@ Only applicable if SSL/TLS support is bu
|
|
Accept SSLv2 connections.
|
|
These are normally not allowed
|
|
because this protocol version is insecure.
|
|
+.br
|
|
+.B WARNING: on modern systems SSLv2 as well as SSLv3 are unavailable!
|
|
.TP
|
|
.B stealthmua
|
|
Inhibits the generation of
|
|
@@ -3599,6 +3601,8 @@ Selects a SSL/TLS protocol version;
|
|
valid values are `ssl2', `ssl3', and `tls1'.
|
|
If unset, the method is selected automatically,
|
|
if possible.
|
|
+.br
|
|
+.B WARNING: Do not use this option. 'ssl2', 'ssl3' are no longer available and 'tls1' forces use of TLS 1.0
|
|
.TP
|
|
\fBssl-method-\fIuser\fB@\fIhost\fR
|
|
Overrides
|
|
@@ -3609,6 +3613,8 @@ for a specific account.
|
|
Gives the pathname to an entropy daemon socket,
|
|
see
|
|
.IR RAND_egd (3).
|
|
+.br
|
|
+.B WARNING: On Linux this API is unavailable.
|
|
.TP
|
|
.B ssl-rand-file
|
|
Gives the pathname to a file with entropy data,
|
|
@@ -3617,6 +3623,8 @@ see
|
|
If the file is a regular file writable by the invoking user,
|
|
new data is written to it after it has been loaded.
|
|
Only applicable if SSL/TLS support is built using OpenSSL.
|
|
+.br
|
|
+.B WARNING: On linux the CSPRNG is seeded automatically and this option has no effect.
|
|
.TP
|
|
.B ssl-verify
|
|
Sets the action to be performed if an error occurs
|
|
Index: openssl.c
|
|
===================================================================
|
|
--- openssl.c.orig
|
|
+++ openssl.c
|
|
@@ -135,10 +135,18 @@ ssl_rand_init(void)
|
|
{
|
|
char *cp;
|
|
int state = 0;
|
|
+
|
|
+ if(RAND_status())
|
|
+ return 1;
|
|
|
|
if ((cp = value("ssl-rand-egd")) != NULL) {
|
|
cp = expand(cp);
|
|
- if (RAND_egd(cp) == -1) {
|
|
+#ifndef OPENSSL_NO_EGD
|
|
+ if (RAND_egd(cp) == -1)
|
|
+#else
|
|
+ if (1)
|
|
+#endif
|
|
+ {
|
|
fprintf(stderr, catgets(catd, CATSET, 245,
|
|
"entropy daemon at \"%s\" not available\n"),
|
|
cp);
|
|
@@ -221,12 +229,13 @@ ssl_select_method(const char *uhp)
|
|
|
|
cp = ssl_method_string(uhp);
|
|
if (cp != NULL) {
|
|
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
|
|
#ifndef OPENSSL_NO_SSL2
|
|
if (equal(cp, "ssl2"))
|
|
method = SSLv2_client_method();
|
|
else
|
|
-#endif
|
|
- if (equal(cp, "ssl3"))
|
|
+#endif
|
|
+ if (equal(cp, "ssl3"))
|
|
method = SSLv3_client_method();
|
|
else if (equal(cp, "tls1"))
|
|
method = TLSv1_client_method();
|
|
@@ -235,8 +244,25 @@ ssl_select_method(const char *uhp)
|
|
"Invalid SSL method \"%s\"\n"), cp);
|
|
method = SSLv23_client_method();
|
|
}
|
|
+#else
|
|
+ method = NULL;
|
|
+ if (equal(cp, "tls"))
|
|
+ method = TLS_client_method();
|
|
+ else if (equal(cp, "dtls"))
|
|
+ method = DTLS_client_method();
|
|
+
|
|
+ if (!method) {
|
|
+ fprintf(stderr, catgets(catd, CATSET, 244,
|
|
+ "Invalid SSL method \"%s\"\n"), cp);
|
|
+ method = TLS_client_method();
|
|
+ }
|
|
+#endif
|
|
} else
|
|
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
|
|
method = SSLv23_client_method();
|
|
+#else
|
|
+ method = TLS_client_method();
|
|
+#endif
|
|
return method;
|
|
}
|
|
|
|
@@ -307,6 +333,8 @@ ssl_certificate(struct sock *sp, const c
|
|
"cannot load private key from file %s\n"),
|
|
key);
|
|
ac_free(keyvar);
|
|
+ if(SSL_CTX_check_private_key(sp->s_ctx) != 1)
|
|
+ fprintf(stderr, "certificate/key mismatch");
|
|
} else
|
|
fprintf(stderr, catgets(catd, CATSET, 239,
|
|
"cannot load certificate from file %s\n"),
|
|
@@ -383,7 +411,7 @@ ssl_open(const char *server, struct sock
|
|
/* available with OpenSSL 0.9.6 or later */
|
|
SSL_CTX_set_mode(sp->s_ctx, SSL_MODE_AUTO_RETRY);
|
|
#endif /* SSL_MODE_AUTO_RETRY */
|
|
- options = SSL_OP_ALL;
|
|
+ options = SSL_OP_ALL|SSL_OP_NO_TICKET;
|
|
if (value("ssl-v2-allow") == NULL)
|
|
options |= SSL_OP_NO_SSLv2;
|
|
SSL_CTX_set_options(sp->s_ctx, options);
|