SHA256
1
0
forked from pool/dovecot23

Allow setting TLSv1.3 as minimum TLS version

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=69
This commit is contained in:
Marcus Rückert 2020-04-29 21:26:47 +00:00 committed by Git OBS Bridge
parent 21a5cd0499
commit c112b436c3
3 changed files with 54 additions and 0 deletions

43
allow-tls1.3-only.patch Normal file
View File

@ -0,0 +1,43 @@
Index: dovecot-2.3.10/src/config/old-set-parser.c
===================================================================
--- dovecot-2.3.10.orig/src/config/old-set-parser.c
+++ dovecot-2.3.10/src/config/old-set-parser.c
@@ -171,7 +171,7 @@ static int ssl_protocols_to_min_protocol
const char **error_r)
{
static const char *protocol_versions[] = {
- "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
+ "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3",
};
/* Array where -1 = disable, 0 = not found, 1 = enable */
int protos[N_ELEMENTS(protocol_versions)];
Index: dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
===================================================================
--- dovecot-2.3.10.orig/src/lib-ssl-iostream/iostream-openssl-common.c
+++ dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -9,6 +9,16 @@
#include <openssl/err.h>
#include <arpa/inet.h>
+/*
+ * SSL_TXT_TLSV1_3 is not defined in the openssl headers up to 1.1.1g.
+ * Define it here as no other part of the code uses those defines.
+ *
+ * https://github.com/openssl/openssl/pull/6720
+ */
+#ifndef SSL_TXT_TLSV1_3
+#define SSL_TXT_TLSV1_3 "TLSv1.3"
+#endif
+
/* openssl_min_protocol_to_options() scans this array for name and returns
version and opt. opt is used with SSL_set_options() and version is used with
SSL_set_min_proto_version(). Using either method should enable the same
@@ -23,6 +33,8 @@ static const struct {
{ SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 },
{ SSL_TXT_TLSV1_2, TLS1_2_VERSION,
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+ { SSL_TXT_TLSV1_3, TLS1_3_VERSION,
+ SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
};
int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
int *version_r)

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Apr 29 21:25:30 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- add allow-tls1.3-only.patch:
Allow setting TLSv1.3 as minimum TLS version
https://github.com/dovecot/core/pull/126
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 6 11:14:00 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> Fri Mar 6 11:14:00 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>

View File

@ -143,6 +143,8 @@ Source11: http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
Source12: dovecot23.keyring Source12: dovecot23.keyring
Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch
Patch1: dovecot-2.3.0-better_ssl_defaults.patch Patch1: dovecot-2.3.0-better_ssl_defaults.patch
# https://github.com/dovecot/core/pull/126
Patch2: allow-tls1.3-only.patch
Summary: IMAP and POP3 Server Written Primarily with Security in Mind Summary: IMAP and POP3 Server Written Primarily with Security in Mind
License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT
Group: Productivity/Networking/Email/Servers Group: Productivity/Networking/Email/Servers
@ -322,6 +324,7 @@ dovecot tree.
%setup -q -n %{pkg_name}-%{dovecot_version} -a 1 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
%patch -p1 %patch -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
gzip -9v ChangeLog gzip -9v ChangeLog
# Fix plugins dir. # Fix plugins dir.
sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf