On Tue, Jan 18, 2011 at 12:20:16PM -0800, Steve Jenkins wrote: > I just built and installed Postfix 2.8-RC2 using "make upgrade" > (upgraded from 2.3.3) and I'm getting the following warning in my > maillog: > > postfix/smtpd[27208]: warning: unknown tls_disable_workarounds value > "CVE-2010-4180" in "CVE-2005-2969 CVE-2010-4180"
Sorry, my mistake, when the OpenSSL team removes a work-around from SSL_OP_ALL, we should not remove its name from the list of names Postfix recognizes. It will do no harm. Please apply the following patch to 2.8.0-RC[12] or 2.9-2011011[67]
Index: src/tls/tls_misc.c
--- src/tls/tls_misc.c 13 Jan 2011 06:42:09 -0000 1.1.1.6.28.1
+++ src/tls/tls_misc.c 18 Jan 2011 20:33:19 -0000
@@ -219,76 +219,62 @@
 };
 /*
- * SSL_OP_MUMBLE bug work-around name <=> mask conversion. We expect the C
- * preprocessor to be able to handle "long" #if operands
+ * SSL_OP_MUMBLE bug work-around name <=> mask conversion.
 */
 #define NAMEBUG(x) #x, SSL_OP_##x
 static const LONG_NAME_MASK ssl_bug_tweaks[] = {
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG) && \
- ((SSL_OP_MICROSOFT_SESS_ID_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
 NAMEBUG(MICROSOFT_SESS_ID_BUG), /* 0x00000001L */
 #endif
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG) && \
- ((SSL_OP_NETSCAPE_CHALLENGE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
 NAMEBUG(NETSCAPE_CHALLENGE_BUG), /* 0x00000002L */
 #endif
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT) && \
- ((SSL_OP_LEGACY_SERVER_CONNECT & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
 NAMEBUG(LEGACY_SERVER_CONNECT), /* 0x00000004L */
 #endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \
- ((SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
 NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */
 "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
 #endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) && \
- ((SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
 NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), /* 0x00000010L */
 #endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) && \
- ((SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
 NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L */
 #endif
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING) && \
- ((SSL_OP_MSIE_SSLV2_RSA_PADDING & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
 NAMEBUG(MSIE_SSLV2_RSA_PADDING), /* 0x00000040L */
 "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
 #endif
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) && \
- ((SSL_OP_SSLEAY_080_CLIENT_DH_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
 NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */
 #endif
-#if defined(SSL_OP_TLS_D5_BUG) && \
- ((SSL_OP_TLS_D5_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_D5_BUG)
 NAMEBUG(TLS_D5_BUG), /* 0x00000100L */
 #endif
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) && \
- ((SSL_OP_TLS_BLOCK_PADDING_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
 NAMEBUG(TLS_BLOCK_PADDING_BUG), /* 0x00000200L */
 #endif
-#if defined(SSL_OP_TLS_ROLLBACK_BUG) && \
- ((SSL_OP_TLS_ROLLBACK_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
 NAMEBUG(TLS_ROLLBACK_BUG), /* 0x00000400L */
 #endif
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && \
- ((SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
 NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), /* 0x00000800L */
 #endif
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG) && \
- ((SSL_OP_CRYPTOPRO_TLSEXT_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
 NAMEBUG(CRYPTOPRO_TLSEXT_BUG), /* 0x80000000L */
 #endif
 0, 0,
-- Viktor.
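Review bot: With every `#if` reduced to `defined(SSL_OP_…)`, the `ssl_bug_tweaks[]` table now keeps names — including the `CVE-2010-4180` and `CVE-2005-2969` aliases — whose mask OpenSSL may have dropped from `SSL_OP_ALL`, so such a `tls_disable_workarounds` entry becomes a silent no-op instead of the "unknown value" warning quoted above, and nothing in the hunk records that this is deliberate. I would add a comment above `static const LONG_NAME_MASK ssl_bug_tweaks[] = {`: `/* Keep every name OpenSSL defines, even when its mask is no longer part of SSL_OP_ALL: disabling an already-dropped work-around is harmless, and removing the name would reintroduce the "unknown tls_disable_workarounds value" warning for existing configurations. */`. The trailing `/* 0x… */` hex comments are presumably copied from OpenSSL headers and are no longer cross-checked by the conditions, so a short note that they are informational would keep a later reader from treating them as authoritative. The table's closing brace is outside the posted hunk.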