diff --git a/mutt-1.5.23-ssl_ciphers.patch b/mutt-1.5.23-ssl_ciphers.patch new file mode 100644 index 0000000..a70b70b --- /dev/null +++ b/mutt-1.5.23-ssl_ciphers.patch @@ -0,0 +1,74 @@ +diff -rup mutt-17a4f92e4a95-orig/init.h mutt-17a4f92e4a95/init.h +--- mutt-17a4f92e4a95-orig/init.h 2015-07-30 11:09:54.536930119 +0200 ++++ mutt-17a4f92e4a95/init.h 2015-07-30 11:11:17.383772131 +0200 +@@ -3092,7 +3092,7 @@ struct option_t MuttVars[] = { + ** URL. You should only unset this for particular known hosts, using + ** the \fC$\fP function. + */ +- { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 }, ++ { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL "@SYSTEM" }, + /* + ** .pp + ** Contains a colon-seperated list of ciphers to use when using SSL. +--- mutt-17a4f92e4a95/mutt_ssl_gnutls.c.ssl_ciphers 2015-08-20 13:19:24.990481900 +0200 ++++ mutt-17a4f92e4a95/mutt_ssl_gnutls.c 2015-08-20 14:37:18.405928684 +0200 +@@ -286,32 +286,35 @@ + else + safe_strcat (priority, priority_size, "NORMAL"); + +- if (! option(OPTTLSV1_2)) ++ if (SslCiphers && strcmp(SslCiphers, "@SYSTEM")) + { +- nproto--; +- safe_strcat (priority, priority_size, ":-VERS-TLS1.2"); +- } +- if (! option(OPTTLSV1_1)) +- { +- nproto--; +- safe_strcat (priority, priority_size, ":-VERS-TLS1.1"); +- } +- if (! option(OPTTLSV1)) +- { +- nproto--; +- safe_strcat (priority, priority_size, ":-VERS-TLS1.0"); +- } +- if (! option(OPTSSLV3)) +- { +- nproto--; +- safe_strcat (priority, priority_size, ":-VERS-SSL3.0"); +- } ++ if (! option(OPTTLSV1_2)) ++ { ++ nproto--; ++ safe_strcat (priority, priority_size, ":-VERS-TLS1.2"); ++ } ++ if (! option(OPTTLSV1_1)) ++ { ++ nproto--; ++ safe_strcat (priority, priority_size, ":-VERS-TLS1.1"); ++ } ++ if (! option(OPTTLSV1)) ++ { ++ nproto--; ++ safe_strcat (priority, priority_size, ":-VERS-TLS1.0"); ++ } ++ if (! option(OPTSSLV3)) ++ { ++ nproto--; ++ safe_strcat (priority, priority_size, ":-VERS-SSL3.0"); ++ } + +- if (nproto == 0) +- { +- mutt_error (_("All available protocols for TLS/SSL connection disabled")); +- FREE (&priority); +- return -1; ++ if (nproto == 0) ++ { ++ mutt_error (_("All available protocols for TLS/SSL connection disabled")); ++ FREE (&priority); ++ return -1; ++ } + } + + if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0) diff --git a/mutt.spec b/mutt.spec index e626f93..ebb32a2 100644 --- a/mutt.spec +++ b/mutt.spec @@ -20,7 +20,7 @@ Summary: A text mode mail user agent Name: mutt Version: 1.5.23 -Release: 10.%{?snapver}%{?dist} +Release: 11.%{?snapver}%{?dist} Epoch: 5 # The entire source code is GPLv2+ except # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain @@ -37,6 +37,7 @@ Patch3: mutt-1.5.21-syncdebug.patch Patch4: mutt-1.5.23-add_debug_option.patch Patch7: mutt-1.5.23-domainname.patch Patch8: mutt-1.5.23-system_certs.patch +Patch9: mutt-1.5.23-ssl_ciphers.patch Url: http://www.mutt.org/ Requires: mailcap, urlview BuildRequires: ncurses-devel, gettext, automake @@ -86,6 +87,7 @@ autoreconf --install %patch4 -p1 -b .add_debug_option %patch7 -p1 -b .domainname %patch8 -p1 -b .system_certs +%patch9 -p1 -b .ssl_ciphers sed -i -r 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure # disable mutt_dotlock program - remove support from mutt binary @@ -99,6 +101,11 @@ if echo %{release} | grep -E -q '%{hgreldate}'; then echo %{release} | sed -r 's/.*%{hgreldate}.*/"\1-\2-\3";/' >> reldate.h fi +# remove mutt_ssl.c to be sure it won't be used because it violates +# Packaging:CryptoPolicies +# https://fedoraproject.org/wiki/Packaging:CryptoPolicies +rm -f mutt_ssl.c + %build %configure \ @@ -190,6 +197,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5 %changelog +* Wed Aug 26 2015 Matej Muzila - 5:1.5.23-11.20150609hg17a4f92e4a95 +- Utilize system-wide crypto-policies +- rhbz#1179324 + * Thu Jun 25 2015 Matej Muzila - 5:1.5.23-10.20150609hg17a4f92e4a95 - Make system CA bundle default in mutt - Resolves: #1069778