File imap-openssl.patch of Package imap
Index: imap-2007e/src/osdep/unix/ssl_unix.c
===================================================================
--- imap-2007e.orig/src/osdep/unix/ssl_unix.c
+++ imap-2007e/src/osdep/unix/ssl_unix.c
@@ -38,7 +38,7 @@
 #undef crypt
 #define SSLBUFLEN 8192
-#define SSLCIPHERLIST "ALL:!LOW"
+#define SSLCIPHERLIST "DEFAULT"
 /* SSL I/O stream */
@@ -93,28 +93,13 @@ static int sslonceonly = 0;
 void ssl_onceonlyinit (void)
 {
 if (!sslonceonly++) { /* only need to call it once */
- int fd;
- char tmp[MAILTMPLEN];
- struct stat sbuf;
- /* if system doesn't have /dev/urandom */
- if (stat ("/dev/urandom",&sbuf)) {
- while ((fd = open (tmpnam (tmp),O_WRONLY|O_CREAT|O_EXCL,0600)) < 0)
- sleep (1);
- unlink (tmp); /* don't need the file */
- fstat (fd,&sbuf); /* get information about the file */
- close (fd); /* flush descriptor */
- /* not great but it'll have to do */
- sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx",
- tcp_serveraddr (),(unsigned long) tcp_serverport (),
- tcp_clientaddr (),(unsigned long) tcp_clientport (),
- (unsigned long) sbuf.st_ino,(unsigned long) time (0),
- (unsigned long) gethostid (),(unsigned long) getpid ());
- RAND_seed (tmp,strlen (tmp));
- }
- /* apply runtime linkage */
- mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
- mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
- SSL_library_init (); /* add all algorithms */
+ mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
+ mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
+#else
+ OPENSSL_init_ssl(0, NULL);
+#endif
 }
 }
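Review bot: `SSLCIPHERLIST "DEFAULT"` hands the cipher-suite policy to whatever the linked libssl calls DEFAULT, which is the right direction but version-dependent: on OpenSSL 1.1.0+ that excludes RC4 and the anonymous/null suites, while on 1.0.x builds, as far as I recall, DEFAULT still admits RC4 and 3DES. If 1.0.x remains a build target, `#define SSLCIPHERLIST "DEFAULT:!RC4:!3DES"` keeps the delegation while pinning a floor. Either way a comment such as `/* defer to the linked OpenSSL's DEFAULT policy; the system openssl.cnf can tighten it further */` would record the intent for the next maintainer.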
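Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` test picks `OPENSSL_init_ssl(0, NULL)` by version number alone, and if LibreSSL is among the build targets that misfires: LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L yet, to my knowledge, only gained `OPENSSL_init_ssl` in 2.7, so older LibreSSL builds fail at link time. Extending the condition to `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)` keeps the legacy path for them. Dropping the tmpnam-based fallback seed is correct — every input it mixed in (addresses, ports, inode, time, pid) is guessable — and nothing replaces it, which is fine where libssl seeds itself and fails closed, but that reliance deserves a comment such as `/* no manual RAND_seed(): modern libssl seeds itself and refuses to operate unseeded */`.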
@@ -219,11 +204,13 @@ static char *ssl_start_work (SSLSTREAM *
 (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
 if (ssl_last_error) fs_give ((void **) &ssl_last_error);
 ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
- TLSv1_client_method () :
- SSLv23_client_method ())))
+ if (!(stream->context = SSL_CTX_new (SSLv23_client_method ())))
 return "SSL context failed";
- SSL_CTX_set_options (stream->context,0);
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+ SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
 /* disable certificate validation? */
 if (flags & NET_NOVALIDATECERT)
 SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
@@ -702,13 +689,22 @@ void ssl_server_init (char *server)
 if (stat (key,&sbuf)) strcpy (key,cert);
 }
 /* create context */
- if (!(stream->context = SSL_CTX_new (start_tls ?
- TLSv1_server_method () :
- SSLv23_server_method ())))
+ if (!(stream->context = SSL_CTX_new (SSLv23_server_method ())))
 syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
 tcp_clienthost ());
 else { /* set context options */
- SSL_CTX_set_options (stream->context,SSL_OP_ALL);
+ SSL_CTX_set_options (stream->context, SSL_OP_ALL);
+#if defined(SSL_CTX_set_min_proto_version)
+ SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+ SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
+#if defined(SSL_CTX_set_dh_auto)
+ SSL_CTX_set_dh_auto(stream->context, 1);
+#endif
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(stream->context, 1);
+#endif
 /* set cipher list */
 if (!SSL_CTX_set_cipher_list (stream->context,SSLCIPHERLIST))
 syslog (LOG_ALERT,"Unable to set cipher list %.80s, host=%.80s",
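Review bot: `SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION)` hard-codes a TLS 1.0 floor on the client context, and because it runs after `SSL_CTX_new` it overrides — as far as I understand the system-default config mechanism in OpenSSL 1.1.1+ — any stricter `MinProtocol` a distribution sets in openssl.cnf, so the patch would re-enable the deprecated TLS 1.0/1.1 on hosts whose policy forbids them. Either raise the floor to `TLS1_2_VERSION`, or restrict the explicit floor to builds that lack the system-policy mechanism and leave newer libssl to its defaults, with a comment stating which of the two is intended. Note also that the `#ifdef SSL_CTX_set_min_proto_version` test only fires where the name is a macro; a library exporting it as a real function silently takes the `#else` branch, which still works but should be noted next to the test. ssl_start_work begins before and continues after this hunk.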
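Review bot: With `ssl_genkey` and the `SSL_CTX_set_tmp_rsa_callback` registration gone, the only ephemeral key-exchange setup left in ssl_server_init is the pair of `#if defined(SSL_CTX_set_dh_auto)` / `#if defined(SSL_CTX_set_ecdh_auto)` blocks, so on a libssl that defines neither (as far as I recall, OpenSSL 1.0.1 and earlier; 1.0.2 has only the ECDH one) the server configures no DH parameters or curve at all and the DEFAULT suite list silently degrades to static-RSA key exchange with no forward secrecy. If such builds are in scope, load parameters explicitly with `SSL_CTX_set_tmp_dh` in that case, or at minimum make the gap visible: `#if !defined(SSL_CTX_set_dh_auto) && !defined(SSL_CTX_set_ecdh_auto)` / `syslog (LOG_WARNING,"No automatic DH/ECDH setup, ephemeral suites unavailable");` / `#endif`. The hard-coded `TLS1_VERSION` floor raised for the client context applies to this server context as well. ssl_server_init continues beyond this hunk.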
@@ -724,8 +720,6 @@ void ssl_server_init (char *server)
 key,tcp_clienthost ());
 else { /* generate key if needed */
- if (SSL_CTX_need_tmp_RSA (stream->context))
- SSL_CTX_set_tmp_rsa_callback (stream->context,ssl_genkey);
 /* create new SSL connection */
 if (!(stream->con = SSL_new (stream->context)))
 syslog (LOG_ALERT,"Unable to create SSL connection, host=%.80s",
@@ -760,31 +754,7 @@ void ssl_server_init (char *server)
 ssl_close (stream); /* punt stream */
 exit (1); /* punt this program too */
 }
-
-/* Generate one-time key for server
- * Accepts: SSL connection
- * export flag
- * keylength
- * Returns: generated key, always
- */
-static RSA *ssl_genkey (SSL *con,int export,int keylength)
-{
- unsigned long i;
- static RSA *key = NIL;
- if (!key) { /* if don't have a key already */
- /* generate key */
- if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
- syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
- tcp_clienthost ());
- while (i = ERR_get_error ())
- syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
- exit (1);
- }
- }
- return key;
-}
-
 /* Wait for stdin input
 * Accepts: timeout in seconds
 * Returns: T if have input on stdin, else NIL