Backported support for TLS 1.2 and TLS 1.2 protocols

Resolves: #957840
This commit is contained in:
Honza Horák 2013-06-27 13:37:23 +02:00
parent 875f9ad500
commit 59701bc4ab
2 changed files with 155 additions and 3 deletions

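--- /dev/null
+++ b/mutt-1.5.21-tlsv1v2.patch
@@ -0,0 +1,146 @@
+Some servers have problem when connection uses TLS 1.0 or SSL 3.0.
+Since openssl offers TLS 1.1 and 1.2, we would like to use these
+when connecting to server, while having ability to disable these
+protocols if needed.
+https://bugzilla.redhat.com/show_bug.cgi?id=957840
+Upstream related bug report:
+http://dev.mutt.org/trac/ticket/3571
+diff -up mutt-1.5.21/init.h.tlsv1v2 mutt-1.5.21/init.h
+--- mutt-1.5.21/init.h.tlsv1v2 2013-06-27 12:46:14.120389035 +0200
++++ mutt-1.5.21/init.h 2013-06-27 12:47:28.020387743 +0200
+@@ -2970,6 +2970,18 @@ struct option_t MuttVars[] = {
+** This variable specifies whether to attempt to use TLSv1 in the
+** SSL authentication process.
+*/
++ { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
++ /*
++ ** .pp
++ ** This variable specifies whether to attempt to use TLSv1.1 in the
++ ** SSL authentication process.
++ */
++ { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
++ /*
++ ** .pp
++ ** This variable specifies whether to attempt to use TLSv1.2 in the
++ ** SSL authentication process.
++ */
+#ifdef USE_SSL_OPENSSL
+{ "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
+/*
+diff -up mutt-1.5.21/mutt.h.tlsv1v2 mutt-1.5.21/mutt.h
+--- mutt-1.5.21/mutt.h.tlsv1v2 2010-09-13 19:19:55.000000000 +0200
++++ mutt-1.5.21/mutt.h 2013-06-27 12:47:28.020387743 +0200
+@@ -376,6 +376,8 @@ enum
+# endif /* USE_SSL_GNUTLS */
+OPTSSLV3,
+OPTTLSV1,
++ OPTTLSV1_1,
++ OPTTLSV1_2,
+OPTSSLFORCETLS,
+OPTSSLVERIFYDATES,
+OPTSSLVERIFYHOST,
+diff -up mutt-1.5.21/mutt_ssl.c.tlsv1v2 mutt-1.5.21/mutt_ssl.c
+--- mutt-1.5.21/mutt_ssl.c.tlsv1v2 2010-08-25 18:31:40.000000000 +0200
++++ mutt-1.5.21/mutt_ssl.c 2013-06-27 12:47:28.021387743 +0200
+@@ -106,6 +106,18 @@ int mutt_ssl_starttls (CONNECTION* conn)
+dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
+goto bail_ssldata;
+}
++#ifdef SSL_OP_NO_TLSv1_1
++ if (!option(OPTTLSV1_1))
++ {
++ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
++ }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++ if (!option(OPTTLSV1_2))
++ {
++ SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
++ }
++#endif
+ssl_get_client_cert(ssldata, conn);
+@@ -303,6 +315,21 @@ static int ssl_socket_open (CONNECTION *
+{
+SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
+}
++ /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
++ * as Fedora 17 are on OpenSSL 1.0.0.
++ */
++#ifdef SSL_OP_NO_TLSv1_1
++ if (!option(OPTTLSV1_1))
++ {
++ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
++ }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++ if (!option(OPTTLSV1_2))
++ {
++ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
++ }
++#endif
+if (!option(OPTSSLV2))
+{
+SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
+diff -up mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 mutt-1.5.21/mutt_ssl_gnutls.c
+--- mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 2013-06-27 12:46:14.123389035 +0200
++++ mutt-1.5.21/mutt_ssl_gnutls.c 2013-06-27 12:47:28.018387743 +0200
+@@ -238,7 +238,11 @@ err_crt:
+gnutls_x509_crt_deinit (clientcrt);
+}
+-static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
++/* This array needs to be large enough to hold all the possible values support
++ * by Mutt. The initialized values are just placeholders--the array gets
++ * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
++ */
++static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
+/* tls_negotiate: After TLS state has been initialised, attempt to negotiate
+* TLS over the wire, including certificate checks. */
+@@ -246,6 +250,7 @@ static int tls_negotiate (CONNECTION * c
+{
+tlssockdata *data;
+int err;
++ size_t nproto = 0; /* number of tls/ssl protocols */
+data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
+conn->sockdata = data;
+@@ -286,22 +291,22 @@ static int tls_negotiate (CONNECTION * c
+/* set socket */
+gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
++ if (option(OPTTLSV1_2))
++ protocol_priority[nproto++] = GNUTLS_TLS1_2;
++ if (option(OPTTLSV1_1))
++ protocol_priority[nproto++] = GNUTLS_TLS1_1;
++ if (option(OPTTLSV1))
++ protocol_priority[nproto++] = GNUTLS_TLS1;
++ if (option(OPTSSLV3))
++ protocol_priority[nproto++] = GNUTLS_SSL3;
++ protocol_priority[nproto] = 0;
++
+/* disable TLS/SSL protocols as needed */
+- if (!option(OPTTLSV1) && !option(OPTSSLV3))
++ if (nproto == 0)
+{
+mutt_error (_("All available protocols for TLS/SSL connection disabled"));
+goto fail;
+}
+- else if (!option(OPTTLSV1))
+- {
+- protocol_priority[0] = GNUTLS_SSL3;
+- protocol_priority[1] = 0;
+- }
+- else if (!option(OPTSSLV3))
+- {
+- protocol_priority[0] = GNUTLS_TLS1;
+- protocol_priority[1] = 0;
+- }
+/*
+else
+use the list set above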
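Review bot: The `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards in both mutt_ssl.c hunks mean that a Mutt built against an OpenSSL without those options accepts `$ssl_use_tlsv1_1` and `$ssl_use_tlsv1_2` but silently ignores them, and neither the init.h help text nor the first hunk (mutt_ssl_starttls, `@@ -106,6 +106,18 @@`) says so. The rationale comment the ssl_socket_open hunk carries (`/* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such as Fedora 17 are on OpenSSL 1.0.0. */`) should precede the first `#ifdef` in mutt_ssl_starttls as well, and each of the two new init.h entries could state `** Only effective when Mutt is built against a library that supports this protocol version.`. In the gnutls hunk the comment above `protocol_priority` should read `all the possible values supported by Mutt` and `the array gets overwritten in tls_negotiate()`, and the `/* else use the list set above` comment that survives at the end of the tls_negotiate hunk is stale now that the list is always rebuilt from the $ssl_use_* options directly before it. Both mutt_ssl.c functions and tls_negotiate start before and end after their hunks.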


@ -16,7 +16,7 @@
Summary: A text mode mail user agent
Name: mutt
Version: 1.5.21
Release: 20%{?dist}
Release: 21%{?dist}
Epoch: 5
# The entire source code is GPLv2+ except
# pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@ -40,6 +40,7 @@ Patch14: mutt-1.5.21-writehead.patch
Patch15: mutt-1.5.21-tmpdir.patch
Patch16: mutt-1.5.21-verpeers.patch
Patch17: mutt-1.5.21-manhelp.patch
Patch18: mutt-1.5.21-tlsv1v2.patch
Url: http://www.mutt.org/
Requires: mailcap urlview
BuildRequires: ncurses-devel
@ -91,6 +92,7 @@ for selecting groups of messages.
%patch15 -p1 -b .tmpdir
%patch16 -p1 -b .verpeers
%patch17 -p1 -b .manhelp
%patch18 -p1 -b .tlsv1v2
sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
@ -177,6 +179,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
%{_mandir}/man5/muttrc.*
%changelog
* Thu Jun 27 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-21
- Backported support for TLS 1.2 and TLS 1.2 protocols
Resolves: #957840
* Wed May 29 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-20
- Fix patch for #750929
Resolves: #957542
@ -615,10 +621,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
* Sat Jan 1 2000 Bill Nottingham <notting@redhat.com>
- fix an odd y2k issue on receiving mail from ancient clients
* Fri Oct 21 1999 Bill Nottingham <notting@redhat.com>
* Thu Oct 21 1999 Bill Nottingham <notting@redhat.com>
- one-point-oh.
* Fri Sep 25 1999 Bill Nottingham <notting@redhat.com>
* Sat Sep 25 1999 Bill Nottingham <notting@redhat.com>
- add a buffer overflow patch
* Tue Aug 31 1999 Bill Nottingham <notting@redhat.com>