File qmail-1.05-tls-openssl098l.patch of Package netqmail

Overview Repositories Revisions Requests Users Attributes Meta

File qmail-1.05-tls-openssl098l.patch of Package netqmail

# This file is licensed under the terms of the
# GNU General Public License Version 2. A copy of these terms should be
# enclosed as "gpl-2.0.txt" in the package containing this file.

--- qmail-1.03/qmail-remote.c.orig	2010-03-26 22:20:18.000000000 +0100
+++ qmail-1.03/qmail-remote.c	2010-03-26 22:26:00.000000000 +0100
@@ -505,6 +505,17 @@
   }
 
   ssl = myssl;
+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+  /* Required for openssl-0.9.8l or later.
+   * This should not be a security problem here, because
+   *  - a MITM can only issue commands that don't require client authentication
+   *    up to the first "rcpt to: <relay-rcpt>"
+   *  - the legitimate client will, after authentication, most likely issue
+   *    a "mail from: ...", which truncates the recipient list -> no harm done
+   */
+  ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#endif
+
   if (ssl_timeoutconn(timeout, smtpfd, smtpfd, ssl) <= 0)
     tls_quit("ZTLS connect failed", ssl_error_str());

Places

File qmail-1.05-tls-openssl098l.patch of Package netqmail

Places