Honza Horák
parent
875f9ad500
commit
59701bc4ab
146
mutt-1.5.21-tlsv1v2.patch
Normal file
146
mutt-1.5.21-tlsv1v2.patch
Normal file
@ -0,0 +1,146 @@
|
||||
Some servers have problem when connection uses TLS 1.0 or SSL 3.0.
|
||||
Since openssl offers TLS 1.1 and 1.2, we would like to use these
|
||||
when connecting to server, while having ability to disable these
|
||||
protocols if needed.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=957840
|
||||
|
||||
Upstream related bug report:
|
||||
http://dev.mutt.org/trac/ticket/3571
|
||||
|
||||
diff -up mutt-1.5.21/init.h.tlsv1v2 mutt-1.5.21/init.h
|
||||
--- mutt-1.5.21/init.h.tlsv1v2 2013-06-27 12:46:14.120389035 +0200
|
||||
+++ mutt-1.5.21/init.h 2013-06-27 12:47:28.020387743 +0200
|
||||
@@ -2970,6 +2970,18 @@ struct option_t MuttVars[] = {
|
||||
** This variable specifies whether to attempt to use TLSv1 in the
|
||||
** SSL authentication process.
|
||||
*/
|
||||
+ { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
|
||||
+ /*
|
||||
+ ** .pp
|
||||
+ ** This variable specifies whether to attempt to use TLSv1.1 in the
|
||||
+ ** SSL authentication process.
|
||||
+ */
|
||||
+ { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
|
||||
+ /*
|
||||
+ ** .pp
|
||||
+ ** This variable specifies whether to attempt to use TLSv1.2 in the
|
||||
+ ** SSL authentication process.
|
||||
+ */
|
||||
#ifdef USE_SSL_OPENSSL
|
||||
{ "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
|
||||
/*
|
||||
diff -up mutt-1.5.21/mutt.h.tlsv1v2 mutt-1.5.21/mutt.h
|
||||
--- mutt-1.5.21/mutt.h.tlsv1v2 2010-09-13 19:19:55.000000000 +0200
|
||||
+++ mutt-1.5.21/mutt.h 2013-06-27 12:47:28.020387743 +0200
|
||||
@@ -376,6 +376,8 @@ enum
|
||||
# endif /* USE_SSL_GNUTLS */
|
||||
OPTSSLV3,
|
||||
OPTTLSV1,
|
||||
+ OPTTLSV1_1,
|
||||
+ OPTTLSV1_2,
|
||||
OPTSSLFORCETLS,
|
||||
OPTSSLVERIFYDATES,
|
||||
OPTSSLVERIFYHOST,
|
||||
diff -up mutt-1.5.21/mutt_ssl.c.tlsv1v2 mutt-1.5.21/mutt_ssl.c
|
||||
--- mutt-1.5.21/mutt_ssl.c.tlsv1v2 2010-08-25 18:31:40.000000000 +0200
|
||||
+++ mutt-1.5.21/mutt_ssl.c 2013-06-27 12:47:28.021387743 +0200
|
||||
@@ -106,6 +106,18 @@ int mutt_ssl_starttls (CONNECTION* conn)
|
||||
dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
|
||||
goto bail_ssldata;
|
||||
}
|
||||
+#ifdef SSL_OP_NO_TLSv1_1
|
||||
+ if (!option(OPTTLSV1_1))
|
||||
+ {
|
||||
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef SSL_OP_NO_TLSv1_2
|
||||
+ if (!option(OPTTLSV1_2))
|
||||
+ {
|
||||
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
ssl_get_client_cert(ssldata, conn);
|
||||
|
||||
@@ -303,6 +315,21 @@ static int ssl_socket_open (CONNECTION *
|
||||
{
|
||||
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
|
||||
}
|
||||
+ /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
|
||||
+ * as Fedora 17 are on OpenSSL 1.0.0.
|
||||
+ */
|
||||
+#ifdef SSL_OP_NO_TLSv1_1
|
||||
+ if (!option(OPTTLSV1_1))
|
||||
+ {
|
||||
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef SSL_OP_NO_TLSv1_2
|
||||
+ if (!option(OPTTLSV1_2))
|
||||
+ {
|
||||
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
|
||||
+ }
|
||||
+#endif
|
||||
if (!option(OPTSSLV2))
|
||||
{
|
||||
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
|
||||
diff -up mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 mutt-1.5.21/mutt_ssl_gnutls.c
|
||||
--- mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 2013-06-27 12:46:14.123389035 +0200
|
||||
+++ mutt-1.5.21/mutt_ssl_gnutls.c 2013-06-27 12:47:28.018387743 +0200
|
||||
@@ -238,7 +238,11 @@ err_crt:
|
||||
gnutls_x509_crt_deinit (clientcrt);
|
||||
}
|
||||
|
||||
-static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
|
||||
+/* This array needs to be large enough to hold all the possible values support
|
||||
+ * by Mutt. The initialized values are just placeholders--the array gets
|
||||
+ * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
|
||||
+ */
|
||||
+static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
|
||||
|
||||
/* tls_negotiate: After TLS state has been initialised, attempt to negotiate
|
||||
* TLS over the wire, including certificate checks. */
|
||||
@@ -246,6 +250,7 @@ static int tls_negotiate (CONNECTION * c
|
||||
{
|
||||
tlssockdata *data;
|
||||
int err;
|
||||
+ size_t nproto = 0; /* number of tls/ssl protocols */
|
||||
|
||||
data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
|
||||
conn->sockdata = data;
|
||||
@@ -286,22 +291,22 @@ static int tls_negotiate (CONNECTION * c
|
||||
/* set socket */
|
||||
gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
|
||||
|
||||
+ if (option(OPTTLSV1_2))
|
||||
+ protocol_priority[nproto++] = GNUTLS_TLS1_2;
|
||||
+ if (option(OPTTLSV1_1))
|
||||
+ protocol_priority[nproto++] = GNUTLS_TLS1_1;
|
||||
+ if (option(OPTTLSV1))
|
||||
+ protocol_priority[nproto++] = GNUTLS_TLS1;
|
||||
+ if (option(OPTSSLV3))
|
||||
+ protocol_priority[nproto++] = GNUTLS_SSL3;
|
||||
+ protocol_priority[nproto] = 0;
|
||||
+
|
||||
/* disable TLS/SSL protocols as needed */
|
||||
- if (!option(OPTTLSV1) && !option(OPTSSLV3))
|
||||
+ if (nproto == 0)
|
||||
{
|
||||
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
|
||||
goto fail;
|
||||
}
|
||||
- else if (!option(OPTTLSV1))
|
||||
- {
|
||||
- protocol_priority[0] = GNUTLS_SSL3;
|
||||
- protocol_priority[1] = 0;
|
||||
- }
|
||||
- else if (!option(OPTSSLV3))
|
||||
- {
|
||||
- protocol_priority[0] = GNUTLS_TLS1;
|
||||
- protocol_priority[1] = 0;
|
||||
- }
|
||||
/*
|
||||
else
|
||||
use the list set above
|
||||
12
mutt.spec
12
mutt.spec
@ -16,7 +16,7 @@
|
||||
Summary: A text mode mail user agent
|
||||
Name: mutt
|
||||
Version: 1.5.21
|
||||
Release: 20%{?dist}
|
||||
Release: 21%{?dist}
|
||||
Epoch: 5
|
||||
# The entire source code is GPLv2+ except
|
||||
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
|
||||
@ -40,6 +40,7 @@ Patch14: mutt-1.5.21-writehead.patch
|
||||
Patch15: mutt-1.5.21-tmpdir.patch
|
||||
Patch16: mutt-1.5.21-verpeers.patch
|
||||
Patch17: mutt-1.5.21-manhelp.patch
|
||||
Patch18: mutt-1.5.21-tlsv1v2.patch
|
||||
Url: http://www.mutt.org/
|
||||
Requires: mailcap urlview
|
||||
BuildRequires: ncurses-devel
|
||||
@ -91,6 +92,7 @@ for selecting groups of messages.
|
||||
%patch15 -p1 -b .tmpdir
|
||||
%patch16 -p1 -b .verpeers
|
||||
%patch17 -p1 -b .manhelp
|
||||
%patch18 -p1 -b .tlsv1v2
|
||||
|
||||
sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
|
||||
|
||||
@ -177,6 +179,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
|
||||
%{_mandir}/man5/muttrc.*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 27 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-21
|
||||
- Backported support for TLS 1.2 and TLS 1.2 protocols
|
||||
Resolves: #957840
|
||||
|
||||
* Wed May 29 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-20
|
||||
- Fix patch for #750929
|
||||
Resolves: #957542
|
||||
@ -615,10 +621,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
|
||||
* Sat Jan 1 2000 Bill Nottingham <notting@redhat.com>
|
||||
- fix an odd y2k issue on receiving mail from ancient clients
|
||||
|
||||
* Fri Oct 21 1999 Bill Nottingham <notting@redhat.com>
|
||||
* Thu Oct 21 1999 Bill Nottingham <notting@redhat.com>
|
||||
- one-point-oh.
|
||||
|
||||
* Fri Sep 25 1999 Bill Nottingham <notting@redhat.com>
|
||||
* Sat Sep 25 1999 Bill Nottingham <notting@redhat.com>
|
||||
- add a buffer overflow patch
|
||||
|
||||
* Tue Aug 31 1999 Bill Nottingham <notting@redhat.com>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user