Accepting request 645956 from home:elvigia:branches:server:mail

- Updates to mailx-12.5-openssl-1.1.0f.patch
   * If the openssl RNG is already
  seeded (on linux it always is) skip snake-oil reeseeding from
  file. Update man page accordingly.
   * Update man page with information that ssl2 and ssl3 are
     not only deprecated but currently unavailable and that
     tls1 forces TLS 1.0 but not later versions.
   * RAND_EGD is also unavailable, not just unused.
   * set SSL_OP_NO_TICKET, many servers accept session
     tickets, but almost never rotate them properly, TLS 1.3
     session tickets are not affected by this flag.
   * When using client certificates, check if the cert and key
     match each other.

OBS-URL: https://build.opensuse.org/request/show/645956
OBS-URL: https://build.opensuse.org/package/show/server:mail/mailx?expand=0&rev=60

mailx-12.5-openssl-1.1.0f.patch

@@ -3,30 +3,57 @@
  openssl.c |   29 ++++++++++++++++++++++++++---
  2 files changed, 31 insertions(+), 3 deletions(-)
 
---- mailx.1
+Index: mailx.1
-+++ mailx.1	2017-06-13 10:10:21.024015088 +0000
+===================================================================
+--- mailx.1.orig
++++ mailx.1
 @@ -2723,6 +2723,8 @@ Only applicable if SSL/TLS support is bu
  Accept SSLv2 connections.
  These are normally not allowed
  because this protocol version is insecure.
 +.br
-+.B WARNING: on modern systems SSLv2 as well as SSLv3 are deprecated!
++.B WARNING: on modern systems SSLv2 as well as SSLv3 are unavailable!
  .TP
  .B stealthmua
  Inhibits the generation of
-@@ -3609,6 +3611,9 @@ for a specific account.
+@@ -3599,6 +3601,8 @@ Selects a SSL/TLS protocol version;
+ valid values are `ssl2', `ssl3', and `tls1'.
+ If unset, the method is selected automatically,
+ if possible.
++.br
++.B WARNING: Do not use this option. 'ssl2', 'ssl3' are no longer available and 'tls1' forces use of TLS 1.0
+ .TP
+ \fBssl-method-\fIuser\fB@\fIhost\fR
+ Overrides
+@@ -3609,6 +3613,8 @@ for a specific account.
  Gives the pathname to an entropy daemon socket,
  see
  .IR RAND_egd (3).
 +.br
-+.B WARNING: On Linux this API is ignored, use the string option
++.B WARNING: On Linux this API is unavailable.
-+.B ssl-rand-file.
  .TP
  .B ssl-rand-file
  Gives the pathname to a file with entropy data,
---- openssl.c
+@@ -3617,6 +3623,8 @@ see
-+++ openssl.c	2017-06-13 10:05:15.133697760 +0000
+ If the file is a regular file writable by the invoking user,
-@@ -138,7 +138,12 @@ ssl_rand_init(void)
+ new data is written to it after it has been loaded.
+ Only applicable if SSL/TLS support is built using OpenSSL.
++.br
++.B WARNING: On linux the CSPRNG is seeded automatically and this option has no effect.
+ .TP
+ .B ssl-verify
+ Sets the action to be performed if an error occurs
+Index: openssl.c
+===================================================================
+--- openssl.c.orig
++++ openssl.c
+@@ -135,10 +135,18 @@ ssl_rand_init(void)
+ {
+ 	char *cp;
+ 	int state = 0;
++	
++	if(RAND_status())
++		return 1;
  
  	if ((cp = value("ssl-rand-egd")) != NULL) {
  		cp = expand(cp);
@@ -40,7 +67,7 @@
  			fprintf(stderr, catgets(catd, CATSET, 245,
  				"entropy daemon at \"%s\" not available\n"),
  					cp);
-@@ -221,12 +226,13 @@ ssl_select_method(const char *uhp)
+@@ -221,12 +229,13 @@ ssl_select_method(const char *uhp)
  
  	cp = ssl_method_string(uhp);
  	if (cp != NULL) {
@@ -56,7 +83,7 @@
  			method = SSLv3_client_method();
  		else if (equal(cp, "tls1"))
  			method = TLSv1_client_method();
-@@ -235,8 +241,25 @@ ssl_select_method(const char *uhp)
+@@ -235,8 +244,25 @@ ssl_select_method(const char *uhp)
  					"Invalid SSL method \"%s\"\n"), cp);
  			method = SSLv23_client_method();
  		}
@@ -82,3 +109,21 @@
  	return method;
  }
  
+@@ -307,6 +333,8 @@ ssl_certificate(struct sock *sp, const c
+ 				"cannot load private key from file %s\n"),
+ 						key);
+ 			ac_free(keyvar);
++			if(SSL_CTX_check_private_key(sp->s_ctx) != 1)
++				fprintf(stderr, "certificate/key mismatch");
+ 		} else
+ 			fprintf(stderr, catgets(catd, CATSET, 239,
+ 				"cannot load certificate from file %s\n"),
+@@ -383,7 +411,7 @@ ssl_open(const char *server, struct sock
+ 	/* available with OpenSSL 0.9.6 or later */
+ 	SSL_CTX_set_mode(sp->s_ctx, SSL_MODE_AUTO_RETRY);
+ #endif	/* SSL_MODE_AUTO_RETRY */
+-	options = SSL_OP_ALL;
++	options = SSL_OP_ALL|SSL_OP_NO_TICKET;
+ 	if (value("ssl-v2-allow") == NULL)
+ 		options |= SSL_OP_NO_SSLv2;
+ 	SSL_CTX_set_options(sp->s_ctx, options);

mailx.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Oct 31 18:30:32 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org>
+
+- Updates to mailx-12.5-openssl-1.1.0f.patch
+   * If the openssl RNG is already
+  seeded (on linux it always is) skip snake-oil reeseeding from
+  file. Update man page accordingly.
+   * Update man page with information that ssl2 and ssl3 are
+     not only deprecated but currently unavailable and that
+     tls1 forces TLS 1.0 but not later versions.
+   * RAND_EGD is also unavailable, not just unused.
+   * set SSL_OP_NO_TICKET, many servers accept session
+     tickets, but almost never rotate them properly, TLS 1.3
+     session tickets are not affected by this flag.
+   * When using client certificates, check if the cert and key
+     match each other.
+
 -------------------------------------------------------------------
 Sun Jun 10 23:54:07 UTC 2018 - jengelh@inai.de
 

mailx.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -20,7 +20,6 @@ Name:           mailx
 BuildRequires:  groff
 BuildRequires:  krb5-devel
 BuildRequires:  man
-BuildRequires:  openssl-devel
 BuildRequires:  pcre
 BuildRequires:  pkg-config
 BuildRequires:  postfix