Date: Mon, 4 Apr 2016 17:05:31 +0000 (UTC) From: Adam Weinberger <adamw@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r412519 - in head: . japanese/spamassassin mail/spamassassin mail/spamassassin/files Message-ID: <201604041705.u34H5VIa040846@repo.freebsd.org>
Author: adamw Date: Mon Apr 4 17:05:31 2016 New Revision: 412519 URL: https://svnweb.freebsd.org/changeset/ports/412519 Log: Disable SSLv3 and enable TLSv1.1 and TLSv1.2. This is a patch make by Debian's own Noah Meyerhans that disables SSLv3, fixes or removes the tests that choke without SSLv3, and lets IO::Socket::SSL choose the best TLS level rather than forcing it at TLSv1. I can't think of a responsible reason to allow re-enabling it as an OPTION, so add a note to UPDATING warning people of the change and referencing the below PR. PORTREVISION bump. PR: 208225 Submitted by: Sascha Holzleiter Obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199 MFH: 2016Q2 Added: head/mail/spamassassin/files/patch-bug7199 (contents, props changed) Modified: head/UPDATING head/japanese/spamassassin/Makefile head/mail/spamassassin/Makefile Modified: head/UPDATING ============================================================================== --- head/UPDATING Mon Apr 4 16:26:58 2016 (r412518) +++ head/UPDATING Mon Apr 4 17:05:31 2016 (r412519) @@ -5,6 +5,15 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20160404: + AFFECTS: mail/spamassassin + AUTHOR: adamw@FreeBSD.org + + Support for SSLv3 has been removed from SpamAssassin, because + SSLv3 is a Bad Idea. No direct option is provided to re-enable it. + If your setup requires use of SSLv3, some instructions are available + in FreeBSD PR 208225. + 20160331: AFFECTS: security/clamav-unofficial-sigs AUTHOR: lukasz@wasikowski.net, sf@maxempire.com Modified: head/japanese/spamassassin/Makefile ============================================================================== --- head/japanese/spamassassin/Makefile Mon Apr 4 16:26:58 2016 (r412518) +++ head/japanese/spamassassin/Makefile Mon Apr 4 17:05:31 2016 (r412519) 
@@ -1,7 +1,7 @@ # Created by: TAOKA Fumiyoshi # $FreeBSD$ -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= japanese mail perl5 PKGNAMEPREFIX= ja- Modified: head/mail/spamassassin/Makefile ============================================================================== --- head/mail/spamassassin/Makefile Mon Apr 4 16:26:58 2016 (r412518) +++ head/mail/spamassassin/Makefile Mon Apr 4 17:05:31 2016 (r412519) @@ -3,7 +3,7 @@ PORTNAME= spamassassin PORTVERSION= 3.4.1 -PORTREVISION?= 5 # also bump japanese/spamassassin +PORTREVISION?= 6 # also bump japanese/spamassassin CATEGORIES?= mail perl5 MASTER_SITES= APACHE/spamassassin/source CPAN/Mail DISTNAME= Mail-SpamAssassin-${PORTVERSION} Added: head/mail/spamassassin/files/patch-bug7199 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/mail/spamassassin/files/patch-bug7199 Mon Apr 4 17:05:31 2016 (r412519) 
@@ -0,0 +1,258 @@ +--- spamc/libspamc.c.orig ++++ spamc/libspamc.c +@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp, + unsigned int throwaway; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; +- SSL_METHOD *meth; ++ const SSL_METHOD *meth; + char zlib_on = 0; + unsigned char *zlib_buf = NULL; + int zlib_bufsiz = 0; +@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp, + if (flags & SPAMC_USE_SSL) { + #ifdef SPAMC_SSL + SSLeay_add_ssl_algorithms(); +- if (flags & SPAMC_TLSV1) { +- meth = TLSv1_client_method(); +- } else { +- meth = SSLv3_client_method(); /* default */ +- } ++ meth = SSLv23_client_method(); + SSL_load_error_strings(); + ctx = SSL_CTX_new(meth); + #else +@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c + int failureval; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; +- SSL_METHOD *meth; ++ const SSL_METHOD *meth; + + assert(tp != NULL); + assert(m != NULL); +@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c + if (flags & SPAMC_USE_SSL) { + #ifdef SPAMC_SSL + SSLeay_add_ssl_algorithms(); +- meth = SSLv3_client_method(); ++ meth = SSLv23_client_method(); + SSL_load_error_strings(); + ctx = SSL_CTX_new(meth); + #else +--- spamc/spamc.c.orig ++++ spamc/spamc.c +@@ -368,16 +368,11 @@ read_args(int argc, char **argv, + case 'S': + { + flags |= SPAMC_USE_SSL; +- if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) { +- flags |= SPAMC_SSLV3; +- } +- else if (strcmp(spamc_optarg,"tlsv1") == 0) { +- flags |= SPAMC_TLSV1; +- } +- else { +- libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg); +- ret = EX_USAGE; +- } ++ if(spamc_optarg) { ++ libspamc_log(flags, LOG_ERR, ++ "Explicit specification of an SSL/TLS version no longer supported."); ++ ret = EX_USAGE; ++ } + break; + } + #endif +--- spamd/spamd.raw.orig ++++ spamd/spamd.raw +@@ -409,7 +409,6 @@ GetOptions( + 'sql-config!' 
=> \$opt{'sql-config'}, + 'ssl' => \$opt{'ssl'}, + 'ssl-port=s' => \$opt{'ssl-port'}, +- 'ssl-version=s' => \$opt{'ssl-version'}, + 'syslog-socket=s' => \$opt{'syslog-socket'}, + 'syslog|s=s' => \$opt{'syslog'}, + 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'}, +@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) { + + # Do whitelist later in tmp dir. Side effect: this will be done as -u user. + +-my $sslversion = $opt{'ssl-version'} || 'sslv3'; +-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) { +- die "spamd: invalid ssl-version: $opt{'ssl-version'}\n"; +-} +- + $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem"; + $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem"; + +@@ -899,9 +893,8 @@ sub compose_listen_info_string { + $socket_info->{ip_addr}, $socket_info->{port})); + + } elsif ($socket->isa('IO::Socket::SSL')) { +- push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s", +- $socket_info->{ip_addr}, $socket_info->{port}, +- $opt{'ssl-version'}||'sslv3')); ++ push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr}, ++ $socket_info->{port})); + } + } + +@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet { + $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' + && IO::Socket::IP->VERSION >= 0.09; + %sockopt = (%sockopt, ( +- SSL_version => $sslversion, + SSL_verify_mode => 0x00, + SSL_key_file => $opt{'server-key'}, + SSL_cert_file => $opt{'server-cert'}, +@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet { + if (!$server_inet) { + $diag = sprintf("could not create %s socket on [%s]:%s: %s", + $ssl ? 'IO::Socket::SSL' : $io_socket_module_name, +- $adr, $port, $!); ++ $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? 
++ "$!,$IO::Socket::SSL::SSL_ERROR" : $!); + push(@diag_fail, $diag); + } else { + $diag = sprintf("created %s socket on [%s]:%s", +@@ -3238,7 +3231,6 @@ Options: + -H [dir], --helper-home-dir[=dir] Specify a different HOME directory + --ssl Enable SSL on TCP connections + --ssl-port port Override --port setting for SSL connections +- --ssl-version sslversion Specify SSL protocol version to use + --server-key keyfile Specify an SSL keyfile + --server-cert certfile Specify an SSL certificate + --socketpath=path Listen on a given UNIX domain socket +@@ -3727,14 +3719,6 @@ Optionally specifies the port number for + SSL connections (default: whatever --port uses). See B<--ssl> for + more details. + +-=item B<--ssl-version>=I<sslversion> +- +-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>. +-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or +-higher hello handshake, then negotiating use of SSLv3 or TLSv1 +-protocol if the client can accept it. Specifying B<--ssl-version> +-implies B<--ssl>. +- + =item B<--server-key> I<keyfile> + + Specify the SSL key file to use for SSL connections. +--- spamc/spamc.pod.orig ++++ spamc/spamc.pod +@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a + Sleep for I<sleep> seconds between failed spamd filtering attempts. + The default is 1 second. + +-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion> ++=item B<-S>, B<--ssl>, B<--ssl> + + If spamc was built with support for SSL, encrypt data to and from the + spamd process with SSL; spamd must support SSL as well. +-I<sslversion> specifies the SSL protocol version to use, either +-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>. + + =item B<-t> I<timeout>, B<--timeout>=I<timeout> + +--- t/spamd_ssl_tls.t.orig ++++ t/spamd_ssl_tls.t +@@ -1,28 +0,0 @@ +-#!/usr/bin/perl +- +-use lib '.'; use lib 't'; +-use SATest; sa_t_init("spamd_ssl_tls"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 
0 : 9); +- +-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); +- +-# --------------------------------------------------------------------------- +- +-%patterns = ( +- +-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', +-q{ Subject: There yours for FREE!}, 'subj', +-q{ X-Spam-Status: Yes, score=}, 'status', +-q{ X-Spam-Flag: YES}, 'flag', +-q{ X-Spam-Level: **********}, 'stars', +-q{ TEST_ENDSNUMS}, 'endsinnums', +-q{ TEST_NOREALNAME}, 'noreal', +-q{ This must be the very last line}, 'lastline', +- +- +-); +- +-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", +- "--ssl=tlsv1 < data/spam/001", +- \&patterns_run_cb)); +-ok_all_patterns(); +--- t/spamd_ssl_v3.t.orig ++++ t/spamd_ssl_v3.t +@@ -1,28 +0,0 @@ +-#!/usr/bin/perl +- +-use lib '.'; use lib 't'; +-use SATest; sa_t_init("spamd_sslv3"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); +- +-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); +- +-# --------------------------------------------------------------------------- +- +-%patterns = ( +- +-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', +-q{ Subject: There yours for FREE!}, 'subj', +-q{ X-Spam-Status: Yes, score=}, 'status', +-q{ X-Spam-Flag: YES}, 'flag', +-q{ X-Spam-Level: **********}, 'stars', +-q{ TEST_ENDSNUMS}, 'endsinnums', +-q{ TEST_NOREALNAME}, 'noreal', +-q{ This must be the very last line}, 'lastline', +- +- +-); +- +-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", +- "--ssl=sslv3 < data/spam/001", +- \&patterns_run_cb)); +-ok_all_patterns(); +--- t/spamd_ssl_accept_fail.t.orig ++++ t/spamd_ssl_accept_fail.t +@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la + + ); + +-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); ++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert 
data/etc/testhost.cert")); + ok (spamcrun ("< data/spam/001", \&patterns_run_cb)); +-ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb)); ++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb)); + ok (stop_spamd ()); + + ok_all_patterns(); +--- t/spamd_ssl.t.orig ++++ t/spamd_ssl.t +@@ -2,10 +2,7 @@ + + use lib '.'; use lib 't'; + use SATest; sa_t_init("spamd_ssl"); +-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9), +- onfail => sub { +- warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" . +- "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" }; ++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); + + exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); + +--- MANIFEST.orig ++++ MANIFEST +@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t + t/spamd_sql_prefs.t + t/spamd_ssl.t + t/spamd_ssl_accept_fail.t +-t/spamd_ssl_tls.t +-t/spamd_ssl_v3.t + t/spamd_stop.t + t/spamd_symbols.t + t/spamd_syslog.t
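Review bot: SSLv23_client_method() in message_filter and message_tell still admits SSLv3 whenever the linked libssl has that protocol compiled in, so on the spamc side this hunk stops forcing SSLv3 rather than disabling it as the commit log states; pinning the floor right after each `ctx = SSL_CTX_new(meth);` with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` (guarded by a NULL check on ctx, if one is not already made below the hunk) makes the intent hold regardless of the OpenSSL build. The spamd side has the same dependency: dropping `SSL_version => $sslversion` from %sockopt leaves the choice to IO::Socket::SSL's default, which excludes SSLv3 only in newer releases of that module, so either a comment recording that assumption or an explicit `SSL_version => 'SSLv23:!SSLv3:!SSLv2',` in %sockopt is worth adding. Separately, the rewritten line in compose_listen_info_string reads `sprintf("SSL [%r]:%s", ...)`; Perl's sprintf has no %r conversion, so this will most likely emit an "Invalid conversion" warning and print a malformed listen address, and it should read `sprintf("SSL [%s]:%s", $socket_info->{ip_addr}, $socket_info->{port})`. message_filter, message_tell, server_sock_setup_inet and compose_listen_info_string all start and end outside this hunk.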