rpms/mutt
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backported support for TLS 1.2 and TLS 1.2 protocols

Browse Source 
Resolves: #957840
This commit is contained in:
Honza Horák 2013-06-27 13:37:23 +02:00
parent 875f9ad500
commit 59701bc4ab
2 changed files with 155 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
mutt-1.5.21-tlsv1v2.patch Normal file
View File

@ -0,0 +1,146 @@
Some servers have problem when connection uses TLS 1.0 or SSL 3.0.
Since openssl offers TLS 1.1 and 1.2, we would like to use these
when connecting to server, while having ability to disable these
protocols if needed.
https://bugzilla.redhat.com/show_bug.cgi?id=957840
Upstream related bug report:
http://dev.mutt.org/trac/ticket/3571
diff -up mutt-1.5.21/init.h.tlsv1v2 mutt-1.5.21/init.h
--- mutt-1.5.21/init.h.tlsv1v2 2013-06-27 12:46:14.120389035 +0200
+++ mutt-1.5.21/init.h 2013-06-27 12:47:28.020387743 +0200
@@ -2970,6 +2970,18 @@ struct option_t MuttVars[] = {
** This variable specifies whether to attempt to use TLSv1 in the
** SSL authentication process.
*/
+ { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
+ /*
+ ** .pp
+ ** This variable specifies whether to attempt to use TLSv1.1 in the
+ ** SSL authentication process.
+ */
+ { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
+ /*
+ ** .pp
+ ** This variable specifies whether to attempt to use TLSv1.2 in the
+ ** SSL authentication process.
+ */
#ifdef USE_SSL_OPENSSL
{ "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
/*
diff -up mutt-1.5.21/mutt.h.tlsv1v2 mutt-1.5.21/mutt.h
--- mutt-1.5.21/mutt.h.tlsv1v2 2010-09-13 19:19:55.000000000 +0200
+++ mutt-1.5.21/mutt.h 2013-06-27 12:47:28.020387743 +0200
@@ -376,6 +376,8 @@ enum
# endif /* USE_SSL_GNUTLS */
OPTSSLV3,
OPTTLSV1,
+ OPTTLSV1_1,
+ OPTTLSV1_2,
OPTSSLFORCETLS,
OPTSSLVERIFYDATES,
OPTSSLVERIFYHOST,
diff -up mutt-1.5.21/mutt_ssl.c.tlsv1v2 mutt-1.5.21/mutt_ssl.c
--- mutt-1.5.21/mutt_ssl.c.tlsv1v2 2010-08-25 18:31:40.000000000 +0200
+++ mutt-1.5.21/mutt_ssl.c 2013-06-27 12:47:28.021387743 +0200
@@ -106,6 +106,18 @@ int mutt_ssl_starttls (CONNECTION* conn)
dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
goto bail_ssldata;
}
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!option(OPTTLSV1_1))
+ {
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!option(OPTTLSV1_2))
+ {
+ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
ssl_get_client_cert(ssldata, conn);
@@ -303,6 +315,21 @@ static int ssl_socket_open (CONNECTION *
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
}
+ /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
+ * as Fedora 17 are on OpenSSL 1.0.0.
+ */
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!option(OPTTLSV1_1))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!option(OPTTLSV1_2))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
if (!option(OPTSSLV2))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
diff -up mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 mutt-1.5.21/mutt_ssl_gnutls.c
--- mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 2013-06-27 12:46:14.123389035 +0200
+++ mutt-1.5.21/mutt_ssl_gnutls.c 2013-06-27 12:47:28.018387743 +0200
@@ -238,7 +238,11 @@ err_crt:
gnutls_x509_crt_deinit (clientcrt);
}
-static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
+/* This array needs to be large enough to hold all the possible values support
+ * by Mutt. The initialized values are just placeholders--the array gets
+ * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
+ */
+static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
/* tls_negotiate: After TLS state has been initialised, attempt to negotiate
* TLS over the wire, including certificate checks. */
@@ -246,6 +250,7 @@ static int tls_negotiate (CONNECTION * c
{
tlssockdata *data;
int err;
+ size_t nproto = 0; /* number of tls/ssl protocols */
data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
conn->sockdata = data;
@@ -286,22 +291,22 @@ static int tls_negotiate (CONNECTION * c
/* set socket */
gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
+ if (option(OPTTLSV1_2))
+ protocol_priority[nproto++] = GNUTLS_TLS1_2;
+ if (option(OPTTLSV1_1))
+ protocol_priority[nproto++] = GNUTLS_TLS1_1;
+ if (option(OPTTLSV1))
+ protocol_priority[nproto++] = GNUTLS_TLS1;
+ if (option(OPTSSLV3))
+ protocol_priority[nproto++] = GNUTLS_SSL3;
+ protocol_priority[nproto] = 0;
+
/* disable TLS/SSL protocols as needed */
- if (!option(OPTTLSV1) && !option(OPTSSLV3))
+ if (nproto == 0)
{
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
goto fail;
}
- else if (!option(OPTTLSV1))
- {
- protocol_priority[0] = GNUTLS_SSL3;
- protocol_priority[1] = 0;
- }
- else if (!option(OPTSSLV3))
- {
- protocol_priority[0] = GNUTLS_TLS1;
- protocol_priority[1] = 0;
- }
/*
else
use the list set above

12
mutt.spec
View File

@ -16,7 +16,7 @@
Summary: A text mode mail user agent Summary: A text mode mail user agent
Name: mutt Name: mutt
Version: 1.5.21 Version: 1.5.21
Release: 20%{?dist} Release: 21%{?dist}
Epoch: 5 Epoch: 5
# The entire source code is GPLv2+ except # The entire source code is GPLv2+ except
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@ -40,6 +40,7 @@ Patch14: mutt-1.5.21-writehead.patch
Patch15: mutt-1.5.21-tmpdir.patch Patch15: mutt-1.5.21-tmpdir.patch
Patch16: mutt-1.5.21-verpeers.patch Patch16: mutt-1.5.21-verpeers.patch
Patch17: mutt-1.5.21-manhelp.patch Patch17: mutt-1.5.21-manhelp.patch
Patch18: mutt-1.5.21-tlsv1v2.patch
Url: http://www.mutt.org/ Url: http://www.mutt.org/
Requires: mailcap urlview Requires: mailcap urlview
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
@ -91,6 +92,7 @@ for selecting groups of messages.
%patch15 -p1 -b .tmpdir %patch15 -p1 -b .tmpdir
%patch16 -p1 -b .verpeers %patch16 -p1 -b .verpeers
%patch17 -p1 -b .manhelp %patch17 -p1 -b .manhelp
%patch18 -p1 -b .tlsv1v2
sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
@ -177,6 +179,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
%{_mandir}/man5/muttrc.* %{_mandir}/man5/muttrc.*
%changelog %changelog
* Thu Jun 27 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-21
- Backported support for TLS 1.2 and TLS 1.2 protocols
Resolves: #957840
* Wed May 29 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-20 * Wed May 29 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-20
- Fix patch for #750929 - Fix patch for #750929
Resolves: #957542 Resolves: #957542
@ -615,10 +621,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
* Sat Jan 1 2000 Bill Nottingham <notting@redhat.com> * Sat Jan 1 2000 Bill Nottingham <notting@redhat.com>
- fix an odd y2k issue on receiving mail from ancient clients - fix an odd y2k issue on receiving mail from ancient clients
* Fri Oct 21 1999 Bill Nottingham <notting@redhat.com> * Thu Oct 21 1999 Bill Nottingham <notting@redhat.com>
- one-point-oh. - one-point-oh.
* Fri Sep 25 1999 Bill Nottingham <notting@redhat.com> * Sat Sep 25 1999 Bill Nottingham <notting@redhat.com>
- add a buffer overflow patch - add a buffer overflow patch
* Tue Aug 31 1999 Bill Nottingham <notting@redhat.com> * Tue Aug 31 1999 Bill Nottingham <notting@redhat.com>