Allow setting TLSv1.3 as minimum TLS version

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=69
2020-04-29 21:26:47 +00:00 · 2020-04-29 21:26:47 +00:00 · c112b436c3
commit c112b436c3
parent 21a5cd0499
3 changed files with 54 additions and 0 deletions
--- a/allow-tls1.3-only.patch
+++ b/allow-tls1.3-only.patch
@ -0,0 +1,43 @@
 Index: dovecot-2.3.10/src/config/old-set-parser.c
 ===================================================================
 --- dovecot-2.3.10.orig/src/config/old-set-parser.c
 +++ dovecot-2.3.10/src/config/old-set-parser.c
@@ -171,7 +171,7 @@ static int ssl_protocols_to_min_protocol
 					 const char **error_r)
 {
 	static const char *protocol_versions[] = {
 -		"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
 +		"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3",
 	};
 	/* Array where -1 = disable, 0 = not found, 1 = enable */
 	int protos[N_ELEMENTS(protocol_versions)];
 Index: dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
 ===================================================================
 --- dovecot-2.3.10.orig/src/lib-ssl-iostream/iostream-openssl-common.c
 +++ dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -9,6 +9,16 @@
 #include <openssl/err.h>
 #include <arpa/inet.h>
 +/*
 + * SSL_TXT_TLSV1_3 is not defined in the openssl headers up to 1.1.1g.
 + * Define it here as no other part of the code uses those defines.
 + *
 + * https://github.com/openssl/openssl/pull/6720
 + */
 +#ifndef SSL_TXT_TLSV1_3
 +#define SSL_TXT_TLSV1_3 "TLSv1.3"
 +#endif
 +
 /* openssl_min_protocol_to_options() scans this array for name and returns
    version and opt. opt is used with SSL_set_options() and version is used with
    SSL_set_min_proto_version(). Using either method should enable the same
@@ -23,6 +33,8 @@ static const struct {
 	{ SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 },
 	{ SSL_TXT_TLSV1_2, TLS1_2_VERSION,
 		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
 +	{ SSL_TXT_TLSV1_3, TLS1_3_VERSION,
 +		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
 };
 int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
 				    int *version_r)
--- a/dovecot23.changes
+++ b/dovecot23.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Wed Apr 29 21:25:30 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
 - add allow-tls1.3-only.patch:
  Allow setting TLSv1.3 as minimum TLS version 
  https://github.com/dovecot/core/pull/126
 -------------------------------------------------------------------
 Fri Mar  6 11:14:00 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
--- a/dovecot23.spec
+++ b/dovecot23.spec
@ -143,6 +143,8 @@ Source11:       http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
 #               https://github.com/dovecot/core/pull/126
 Patch2:         allow-tls1.3-only.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
@ -322,6 +324,7 @@ dovecot tree.
 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
 %patch -p1
 %patch1 -p1
 %patch2 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf