Date: Sun, 29 May 2022 07:50:10 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 264324] mail/sendmail: Add support MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options and a bug
Message-ID: <bug-264324-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264324

            Bug ID: 264324
           Summary: mail/sendmail: Add support MTA-STS and
                    TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options
                    and a bug
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: dinoex@FreeBSD.org
          Reporter: nork@ninth-nine.com
             Flags: maintainer-feedback?(dinoex@FreeBSD.org)

Created attachment 234304
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234304&action=edit
a patch for sendmail port

Hi.

I hope to add support for the MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE
features. While organizing some TLS-related features, I found a bug for
MTA-STS.

[OPTIONS]
Add MTA-STS and TLS_CERT_CHAIN.

[OPTIONS DEPENDENCY]
MTA-STS -> SOCKETMAP and TLS.
TLS_CERT_CHAIN -> TLS
CYRUSLOOKUP -> SOCKETMAP (fix)

[BUG FIX]
ports/mail/py-postfix-mta-sts-resolver's default port number is 8461, not
5461.

[TLS FEATURE]
Define TLS_EC -> Define TLS_EC=2
 * ECDH feature: instead of only prime256v1, use OpenSSL's default EC
   curves like X25519 and others.

Define _FFR_TLS_ALTNAMES.
 * Add support for Subject Alternative Name, not only Common Name.
   https://cabforum.org/wp-content/uploads/BRv1.1.7.pdf
   Page#9, 9.2.1 Subject Alternative Name Extension.

Define _FFR_VRFY_TRUSTED_FIRST.
 * Enable the X509_V_FLAG_TRUSTED_FIRST option for the
   X509_VERIFY_PARAM_set_flags() function[1], to deal with the DST ROOT CA
   X3 expiration problem[2].
   [1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
   [2] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[TLS_USE_CERTIFICATE_CHAIN_FILE]
This is NOT COMPATIBLE with how `confCACERT*` is specified, and it changes
the behavior of `confSERVER_CERT` and `confCLIENT_CERT`, so I don't think
it should be enabled as a DEFAULT option.

This option enabled:
  confCACERT_PATH -> Use only server mode, and verify client certificates.
  confCACERT      -> Use only server mode, and verify a client certificate.
  confSERVER_CERT -> Add support for a certificate chain file, like Apache.
  confCLIENT_CERT -> Add support for a certificate chain file, like Apache.

This option disabled:
  confCACERT_PATH -> Use only server mode, and verify client certificates.
  confCACERT      -> Use server and client mode, verify client certificates
                     and add intermediate certificates. Oh My God!
  confSERVER_CERT -> Use only a server certificate.
  confCLIENT_CERT -> Use only a client certificate.

[P.S.]
If you are interested in MTA-STS, catch up on the two following reports too.
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262251
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262254

-- 
You are receiving this mail because:
You are the assignee for the bug.
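The MTA-STS option above depends on SOCKETMAP, and the bug fix concerns the port the resolver listens on. The following is an added illustration of that socketmap exchange, not code from the bug report, the port patch, sendmail or py-postfix-mta-sts-resolver. It assumes the netstring framing of the Postfix socketmap protocol (a request of the form `<length>:<mapname> <key>,` and a reply whose payload starts with OK, NOTFOUND, TEMP, PERM or TIMEOUT), assumes a map name of `postfix`, and uses the resolver port the report names (8461). The reply text and host names are constructed sample data; a reply that cannot be parsed is mapped to TEMP so an MTA would defer rather than treat the policy as absent.

```python
"""Socketmap request/reply framing between an MTA and an MTA-STS policy
resolver. Added example; not part of the bug report or the port patch.
Assumptions: Postfix-style netstring socketmap framing, map name "postfix",
resolver port 8461 (the default named in the report). Sample reply data is
constructed.
"""
import socket
from typing import Tuple

RESOLVER_HOST = "127.0.0.1"
RESOLVER_PORT = 8461   # default port of py-postfix-mta-sts-resolver (not 5461)
MAP_NAME = "postfix"   # assumed map name; configurable on the resolver side

VALID_STATUS = ("OK", "NOTFOUND", "TEMP", "PERM", "TIMEOUT")


def netstring_encode(payload: bytes) -> bytes:
    """Frame a payload as a netstring: <decimal length>:<payload>,"""
    return b"%d:%s," % (len(payload), payload)


def netstring_decode(buf: bytes) -> Tuple[bytes, bytes]:
    """Parse one netstring from buf and return (payload, remaining bytes).

    Raises ValueError on malformed framing so the caller can treat a bad
    reply as a temporary failure instead of trusting partial data.
    """
    colon = buf.find(b":")
    if colon <= 0 or not buf[:colon].isdigit():
        raise ValueError("missing or invalid length prefix")
    if colon > 1 and buf[0:1] == b"0":
        raise ValueError("leading zero in length")
    length = int(buf[:colon])
    start = colon + 1
    end = start + length
    if len(buf) < end + 1:
        raise ValueError("truncated netstring")
    if buf[end:end + 1] != b",":
        raise ValueError("missing terminator")
    return buf[start:end], buf[end + 1:]


def build_request(domain: str, map_name: str = MAP_NAME) -> bytes:
    """Client side: socketmap lookup of `domain` in map `map_name`."""
    return netstring_encode(f"{map_name} {domain}".encode())


def parse_reply(raw: bytes) -> Tuple[str, str]:
    """Split a resolver reply into (status, data).

    Malformed framing, trailing bytes or an unknown status word all map to
    TEMP: the safe outcome is to defer delivery, not to skip the policy.
    """
    try:
        payload, rest = netstring_decode(raw)
    except ValueError as exc:
        return "TEMP", f"malformed reply: {exc}"
    if rest:
        return "TEMP", "trailing data after reply"
    status, _, data = payload.decode(errors="replace").partition(" ")
    if status not in VALID_STATUS:
        return "TEMP", f"unknown status {status!r}"
    return status, data


def lookup(domain: str, host: str = RESOLVER_HOST, port: int = RESOLVER_PORT,
           timeout: float = 5.0) -> Tuple[str, str]:
    """Live lookup against a running resolver (needs a real listener)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(domain))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break          # peer closed; parse whatever arrived
            buf += chunk
            try:
                netstring_decode(buf)
                break          # one complete reply received
            except ValueError as exc:
                if "truncated" not in str(exc):
                    break      # malformed beyond repair; parse_reply -> TEMP
        return parse_reply(buf)


# Constructed sample exchange (no network): the request an MTA sends, and a
# reply shaped like a positive MTA-STS policy answer from the resolver.
SAMPLE_REQUEST = build_request("example.com")
SAMPLE_REPLY = netstring_encode(b"OK secure match=mx1.example.com:mx2.example.com")

if __name__ == "__main__":
    print("request:", SAMPLE_REQUEST)
    print("reply  :", parse_reply(SAMPLE_REPLY))
```

Pointing `RESOLVER_PORT` at 5461 instead of 8461 would make every `lookup()` fail to connect, which is exactly the class of misconfiguration the bug fix addresses; the TEMP mapping in `parse_reply()` is what keeps such failures from silently downgrading to unauthenticated delivery.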