mailx/mailx-12.5-openssl-1.1.0f.patch

130 lines
3.7 KiB
Diff

---
mailx.1 | 5 +++++
openssl.c | 29 ++++++++++++++++++++++++++---
2 files changed, 31 insertions(+), 3 deletions(-)
Index: mailx.1
===================================================================
--- mailx.1.orig
+++ mailx.1
@@ -2723,6 +2723,8 @@ Only applicable if SSL/TLS support is bu
Accept SSLv2 connections.
These are normally not allowed
because this protocol version is insecure.
+.br
+.B WARNING: on modern systems SSLv2 as well as SSLv3 are unavailable!
.TP
.B stealthmua
Inhibits the generation of
@@ -3599,6 +3601,8 @@ Selects a SSL/TLS protocol version;
valid values are `ssl2', `ssl3', and `tls1'.
If unset, the method is selected automatically,
if possible.
+.br
+.B WARNING: Do not use this option. 'ssl2', 'ssl3' are no longer available and 'tls1' forces use of TLS 1.0
.TP
\fBssl-method-\fIuser\fB@\fIhost\fR
Overrides
@@ -3609,6 +3613,8 @@ for a specific account.
Gives the pathname to an entropy daemon socket,
see
.IR RAND_egd (3).
+.br
+.B WARNING: On Linux this API is unavailable.
.TP
.B ssl-rand-file
Gives the pathname to a file with entropy data,
@@ -3617,6 +3623,8 @@ see
If the file is a regular file writable by the invoking user,
new data is written to it after it has been loaded.
Only applicable if SSL/TLS support is built using OpenSSL.
+.br
+.B WARNING: On linux the CSPRNG is seeded automatically and this option has no effect.
.TP
.B ssl-verify
Sets the action to be performed if an error occurs
Index: openssl.c
===================================================================
--- openssl.c.orig
+++ openssl.c
@@ -135,10 +135,18 @@ ssl_rand_init(void)
{
char *cp;
int state = 0;
+
+ if(RAND_status())
+ return 1;
if ((cp = value("ssl-rand-egd")) != NULL) {
cp = expand(cp);
- if (RAND_egd(cp) == -1) {
+#ifndef OPENSSL_NO_EGD
+ if (RAND_egd(cp) == -1)
+#else
+ if (1)
+#endif
+ {
fprintf(stderr, catgets(catd, CATSET, 245,
"entropy daemon at \"%s\" not available\n"),
cp);
@@ -221,12 +229,13 @@ ssl_select_method(const char *uhp)
cp = ssl_method_string(uhp);
if (cp != NULL) {
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
#ifndef OPENSSL_NO_SSL2
if (equal(cp, "ssl2"))
method = SSLv2_client_method();
else
-#endif
- if (equal(cp, "ssl3"))
+#endif
+ if (equal(cp, "ssl3"))
method = SSLv3_client_method();
else if (equal(cp, "tls1"))
method = TLSv1_client_method();
@@ -235,8 +244,25 @@ ssl_select_method(const char *uhp)
"Invalid SSL method \"%s\"\n"), cp);
method = SSLv23_client_method();
}
+#else
+ method = NULL;
+ if (equal(cp, "tls"))
+ method = TLS_client_method();
+ else if (equal(cp, "dtls"))
+ method = DTLS_client_method();
+
+ if (!method) {
+ fprintf(stderr, catgets(catd, CATSET, 244,
+ "Invalid SSL method \"%s\"\n"), cp);
+ method = TLS_client_method();
+ }
+#endif
} else
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010006fL
method = SSLv23_client_method();
+#else
+ method = TLS_client_method();
+#endif
return method;
}
@@ -307,6 +333,8 @@ ssl_certificate(struct sock *sp, const c
"cannot load private key from file %s\n"),
key);
ac_free(keyvar);
+ if(SSL_CTX_check_private_key(sp->s_ctx) != 1)
+ fprintf(stderr, "certificate/key mismatch");
} else
fprintf(stderr, catgets(catd, CATSET, 239,
"cannot load certificate from file %s\n"),
@@ -383,7 +411,7 @@ ssl_open(const char *server, struct sock
/* available with OpenSSL 0.9.6 or later */
SSL_CTX_set_mode(sp->s_ctx, SSL_MODE_AUTO_RETRY);
#endif /* SSL_MODE_AUTO_RETRY */
- options = SSL_OP_ALL;
+ options = SSL_OP_ALL|SSL_OP_NO_TICKET;
if (value("ssl-v2-allow") == NULL)
options |= SSL_OP_NO_SSLv2;
SSL_CTX_set_options(sp->s_ctx, options);