Package: imapfilter Version: 1:2.6.2-1 Followup-For: Bug #804457 User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu xenial ubuntu-patch
Dear Maintainer, We recently disabled SSLv3 in Ubuntu, and as part of testing that change we found that imapfilter dumped core on startup. Looking at Debian we see that SSLv3 is being disabled there as well, such that imapfilter will no longer build. For Ubuntu we are applying the attached patch, which follows the recommendation in this bug and as such should fix the issue in Debian also: * Switch to using SSLv23_client_method in all cases, to avoid the now removed/neutered protocol-specific methods and to increase forward compatibility. (LP: #1516585). Thanks for considering the patch. -- System Information: Debian Release: stretch/sid APT prefers xenial-updates APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial-proposed'), (500, 'xenial'), (100, 'xenial-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.2.0-19-generic (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru imapfilter-2.6.2/debian/patches/series imapfilter-2.6.2/debian/patches/series
--- imapfilter-2.6.2/debian/patches/series 2015-01-05 18:29:14.000000000 +0000
+++ imapfilter-2.6.2/debian/patches/series 2015-11-16 12:53:46.000000000 +0000
@@ -1 +1,2 @@
 fix-makefile.diff
+ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch
diff -Nru imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch
--- imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch 1970-01-01 01:00:00.000000000 +0100
+++ imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch 2015-11-16 13:29:59.000000000 +0000
@@ -0,0 +1,125 @@
+Description: switch to SSLv23_client_method() and use CTX options to select protocol
+ With us disabling SSLv3 we now either will not build (on Debian) or
+ coredump during initialisation. As per the Debian bug recommendation
+ switch to always using SSLv23_client_method() as that can handle the best
+ protocol available (including TLS etc) going forward. Where we need to
+ specify a specific protocol start using SSL_CTS_set_options() to limit
+ the negociable protocols.
+Author: Andy Whitcroft <a...@ubuntu.com>
+Bug-Debian: https://bugs.debian.org/804457
+Bug-Ubuntu: https://launchpad.net/bugs/1516585
+
+Index: imapfilter-2.6.2/src/imapfilter.c
+===================================================================
+--- imapfilter-2.6.2.orig/src/imapfilter.c
++++ imapfilter-2.6.2/src/imapfilter.c
+@@ -21,10 +21,7 @@
+ 
+ extern buffer ibuf, obuf, nbuf, cbuf;
+ extern regexp responses[];
+-extern SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-extern SSL_CTX *tls11ctx, *tls12ctx;
+-#endif
++extern SSL_CTX *ssl23ctx;
+ 
+ options opts; /* Program options. */
+ environment env; /* Environment variables. 
*/
+@@ -109,25 +106,13 @@ main(int argc, char *argv[])
+ 
+ SSL_library_init();
+ SSL_load_error_strings();
+- ssl3ctx = SSL_CTX_new(SSLv3_client_method());
+ ssl23ctx = SSL_CTX_new(SSLv23_client_method());
+- tls1ctx = SSL_CTX_new(TLSv1_client_method());
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+- tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
+- tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
+-#endif
+ 
+ if (exists_dir(opts.truststore))
+ capath = opts.truststore;
+ if (exists_file(opts.truststore))
+ cafile = opts.truststore;
+- SSL_CTX_load_verify_locations(ssl3ctx, cafile, capath);
+ SSL_CTX_load_verify_locations(ssl23ctx, cafile, capath);
+- SSL_CTX_load_verify_locations(tls1ctx, cafile, capath);
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+- SSL_CTX_load_verify_locations(tls11ctx, cafile, capath);
+- SSL_CTX_load_verify_locations(tls12ctx, cafile, capath);
+-#endif
+ 
+ start_lua();
+ #if LUA_VERSION_NUM < 502
+@@ -146,13 +131,7 @@ main(int argc, char *argv[])
+ #endif
+ stop_lua();
+ 
+- SSL_CTX_free(ssl3ctx);
+ SSL_CTX_free(ssl23ctx);
+- SSL_CTX_free(tls1ctx);
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+- SSL_CTX_free(tls11ctx);
+- SSL_CTX_free(tls12ctx);
+-#endif
+ ERR_free_strings();
+ 
+ regexp_free(responses);
+Index: imapfilter-2.6.2/src/socket.c
+===================================================================
+--- imapfilter-2.6.2.orig/src/socket.c
++++ imapfilter-2.6.2/src/socket.c
+@@ -17,11 +17,7 @@
+ #include "session.h"
+ 
+ 
+-SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-SSL_CTX *tls11ctx, *tls12ctx;
+-#endif
+-
++SSL_CTX *ssl23ctx;
+ 
+ /*
+ * Connect to mail server. 
+@@ -90,28 +86,28 @@ int
+ open_secure_connection(session *ssn)
+ {
+ int r, e;
+- SSL_CTX *ctx;
++ SSL_CTX *ctx = ssl23ctx;
+ 
+- if (!ssn->sslproto) {
+- ctx = ssl23ctx;
+- } else if (!strcasecmp(ssn->sslproto, "ssl3")) {
+- ctx = ssl3ctx;
++ if (!strcasecmp(ssn->sslproto, "ssl3")) {
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ } else if (!strcasecmp(ssn->sslproto, "tls1")) {
+- ctx = tls1ctx;
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
+ } else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
+ #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+- ctx = tls11ctx;
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
+ #else
+- ctx = tls1ctx;
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
+ #endif
+ } else if (!strcasecmp(ssn->sslproto, "tls1.2")) {
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
+ #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+- ctx = tls12ctx;
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
+ #else
+- ctx = tls1ctx;
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
+ #endif
+- } else {
+- ctx = ssl23ctx;
+ }
+ 
+ if (!(ssn->sslconn = SSL_new(ctx)))
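Review bot: The rewritten dispatch in open_secure_connection (the last inner hunk) dereferences ssn->sslproto unconditionally: the removed `if (!ssn->sslproto)` guard is not carried over and `strcasecmp(ssn->sslproto, "ssl3")` is now the first test, so an account that leaves the protocol unset — the case the old code sent straight to ssl23ctx — crashes before SSL_new is reached. The same branches also mutate the single shared ssl23ctx through SSL_CTX_set_options/SSL_CTX_clear_options, and because those bits persist on the context a later session that takes the default path (no recognised sslproto) inherits whatever mask an earlier account pinned instead of negotiating freely. Restoring the NULL check and folding each branch into a local bit set, then applying it per connection with `SSL_set_options(ssn->sslconn, disabled);` once the SSL_new failure check has passed (that check and the rest of open_secure_connection continue past the end of this hunk), keeps the choice scoped to the session. As far as I can tell SSL_OP_NO_SSL_MASK only exists from OpenSSL 1.0.1, so the `#else` branches this code still guards with `OPENSSL_VERSION_NUMBER >= 0x01000100fL` will not compile against the older libraries they are meant for — worth confirming against the oldest OpenSSL the package targets. The DEP-3 Description header also spells the call `SSL_CTS_set_options()`; it should read `SSL_CTX_set_options()`.
```c
	SSL_CTX *ctx = ssl23ctx;
	long disabled = 0;	/* SSL_OP_NO_* bits for this session only */

	if (!ssn->sslproto) {
		/* nothing pinned: let the shared context negotiate */
	} else if (!strcasecmp(ssn->sslproto, "ssl3")) {
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_SSLv3;
	} else if (!strcasecmp(ssn->sslproto, "tls1")) {
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
	} else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_1;
#else
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
#endif
	} else if (!strcasecmp(ssn->sslproto, "tls1.2")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1_2;
#else
		disabled = SSL_OP_NO_SSL_MASK & ~SSL_OP_NO_TLSv1;
#endif
	}
	/* … unchanged: SSL_new(ctx) and its failure check, then apply `disabled` to ssn->sslconn … */
```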