mirror of
https://git.FreeBSD.org/ports.git
synced 2025-01-12 07:27:57 +00:00
b728cc2245
- Fix MAILDIR_HEADER_CACHE if IMAP_HEADER_CACHE is not set - Add options to disable TLS versions 1.1 and 1.2 if OPENSSL >= 1.0.0 is used (taken from upstream) - Fix broken link in package description - Bumped PORTREVISION PR: 181431, 181319 Submitted by: Udo Schweigert <udo.schweigert@siemens.com> (maintainer)
113 lines
3.2 KiB
Plaintext
113 lines
3.2 KiB
Plaintext
--- init.h.orig 2010-09-15 08:39:31.000000000 -0700
|
|
+++ init.h 2012-03-28 10:58:42.870572835 -0700
|
|
@@ -2972,6 +2972,18 @@ struct option_t MuttVars[] = {
|
|
** SSL authentication process.
|
|
*/
|
|
#ifdef USE_SSL_OPENSSL
|
|
+ { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
|
|
+ /*
|
|
+ ** .pp
|
|
+ ** This variable specifies whether to attempt to use TLSv1.1 in the
|
|
+ ** SSL authentication process.
|
|
+ */
|
|
+ { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
|
|
+ /*
|
|
+ ** .pp
|
|
+ ** This variable specifies whether to attempt to use TLSv1.2 in the
|
|
+ ** SSL authentication process.
|
|
+ */
|
|
{ "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
|
|
/*
|
|
** .pp
|
|
--- mutt.h 2010-09-13 10:19:55.000000000 -0700
|
|
+++ mutt.h 2012-03-28 10:59:24.437237530 -0700
|
|
@@ -376,6 +376,8 @@ enum
|
|
# endif /* USE_SSL_GNUTLS */
|
|
OPTSSLV3,
|
|
OPTTLSV1,
|
|
+ OPTTLSV1_1,
|
|
+ OPTTLSV1_2,
|
|
OPTSSLFORCETLS,
|
|
OPTSSLVERIFYDATES,
|
|
OPTSSLVERIFYHOST,
|
|
--- mutt_ssl.c.orig 2010-08-25 18:31:40.000000000 +0200
|
|
+++ mutt_ssl.c 2013-08-20 13:51:14.000000000 +0200
|
|
@@ -100,12 +100,33 @@
|
|
goto bail;
|
|
|
|
ssldata = (sslsockdata*) safe_calloc (1, sizeof (sslsockdata));
|
|
- /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
|
|
- if (! (ssldata->ctx = SSL_CTX_new (TLSv1_client_method ())))
|
|
+ /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS.
|
|
+ * TLSv1.2 support was added in OpenSSL 1.0.1. RHEL6 shipped with 1.0.0 so
|
|
+ * our configure script checks for TLSv1.2 availability.
|
|
+ */
|
|
+ if (! (ssldata->ctx = SSL_CTX_new (
|
|
+#ifdef HAVE_TLSV1_2_CLIENT_METHOD
|
|
+ TLSv1_2_client_method ()
|
|
+#else
|
|
+ TLSv1_client_method ()
|
|
+#endif
|
|
+ )))
|
|
{
|
|
dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
|
|
goto bail_ssldata;
|
|
}
|
|
+#ifdef SSL_OP_NO_TLSv1_1
|
|
+ if (!option(OPTTLSV1_1))
|
|
+ {
|
|
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
|
|
+ }
|
|
+#endif
|
|
+#ifdef SSL_OP_NO_TLSv1_2
|
|
+ if (!option(OPTTLSV1_2))
|
|
+ {
|
|
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
|
|
+ }
|
|
+#endif
|
|
|
|
ssl_get_client_cert(ssldata, conn);
|
|
|
|
@@ -303,6 +324,21 @@
|
|
{
|
|
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
|
|
}
|
|
+ /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
|
|
+ * as Fedora 17 are on OpenSSL 1.0.0.
|
|
+ */
|
|
+#ifdef SSL_OP_NO_TLSv1_1
|
|
+ if (!option(OPTTLSV1_1))
|
|
+ {
|
|
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
|
|
+ }
|
|
+#endif
|
|
+#ifdef SSL_OP_NO_TLSv1_2
|
|
+ if (!option(OPTTLSV1_2))
|
|
+ {
|
|
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
|
|
+ }
|
|
+#endif
|
|
if (!option(OPTSSLV2))
|
|
{
|
|
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
|
|
@@ -375,8 +411,8 @@
|
|
if (!ssl_check_certificate (conn, ssldata))
|
|
return -1;
|
|
|
|
- mutt_message (_("SSL connection using %s (%s)"),
|
|
- SSL_get_cipher_version (ssldata->ssl), SSL_get_cipher_name (ssldata->ssl));
|
|
+ mutt_message (_("%s connection using %s (%s)"),
|
|
+ SSL_get_version(ssldata->ssl), SSL_get_cipher_version (ssldata->ssl), SSL_get_cipher_name (ssldata->ssl));
|
|
mutt_sleep (0);
|
|
|
|
return 0;
|
|
@@ -911,7 +947,7 @@
|
|
|
|
static int interactive_check_cert (X509 *cert, int idx, int len)
|
|
{
|
|
- char *part[] =
|
|
+ static const char * const part[] =
|
|
{"/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C="};
|
|
char helpstr[LONG_STRING];
|
|
char buf[STRING];
|