Disable SSLv3 and enable TLSv1.1 and TLSv1.2.

This is a patch make by Debian's own Noah Meyerhans that disables SSLv3, fixes or removes the tests that choke without SSLv3, and lets IO::Socket::SSL choose the best TLS level rather than forcing it at TLSv1. I can't think of a responsible reason to allow re-enabling it as an OPTION, so add a note to UPDATING warning people of the change and referencing the below PR. PORTREVISION bump. PR: 208225 Submitted by: Sascha Holzleiter Obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199 MFH: 2016Q2
author: Adam Weinberger <adamw@FreeBSD.org> 2016-04-04 17:05:31 +0000
committer: Adam Weinberger <adamw@FreeBSD.org> 2016-04-04 17:05:31 +0000
commit: bd221c2699ba0b8a431b2d72ac3475c3e577f398 (patch)
tree: 670b2ce7c183943f6a6e140c06f294b62b387e41 /mail/spamassassin
parent: a6cdee9790980a4c1057d01ecd858609ad1b575b (diff)
download: ports-bd221c2699ba0b8a431b2d72ac3475c3e577f398.tar.gz
ports-bd221c2699ba0b8a431b2d72ac3475c3e577f398.zip
2 files changed, 259 insertions, 1 deletions
diff --git a/mail/spamassassin/Makefile b/mail/spamassassin/Makefile
index 6c8d98e9c3f3..1e0ead84fab0 100644
--- a/mail/spamassassin/Makefile
+++ b/mail/spamassassin/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	spamassassin
 PORTVERSION=	3.4.1
-PORTREVISION?=	5	# also bump japanese/spamassassin
+PORTREVISION?=	6	# also bump japanese/spamassassin
 CATEGORIES?=	mail perl5
 MASTER_SITES=	APACHE/spamassassin/source CPAN/Mail
 DISTNAME=	Mail-SpamAssassin-${PORTVERSION}
diff --git a/mail/spamassassin/files/patch-bug7199 b/mail/spamassassin/files/patch-bug7199
new file mode 100644
index 000000000000..b67eec56d3ef
--- /dev/null
+++ b/mail/spamassassin/files/patch-bug7199
@@ -0,0 +1,258 @@
+--- spamc/libspamc.c.orig
++++ spamc/libspamc.c
+@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
+     unsigned int throwaway;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+     char zlib_on = 0;
+     unsigned char *zlib_buf = NULL;
+     int zlib_bufsiz = 0;
+@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	if (flags & SPAMC_TLSV1) {
+-	    meth = TLSv1_client_method();
+-	} else {
+-	    meth = SSLv3_client_method(); /* default */
+-	}
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
+     int failureval;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+ 
+     assert(tp != NULL);
+     assert(m != NULL);
+@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	meth = SSLv3_client_method();
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+--- spamc/spamc.c.orig
++++ spamc/spamc.c
+@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
+             case 'S':
+             {
+                 flags |= SPAMC_USE_SSL;
+-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
+-		    flags |= SPAMC_SSLV3;
+-		}
+-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
+-		    flags |= SPAMC_TLSV1;
+-		}
+-		else {
+-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
+-		    ret = EX_USAGE;
+-		}
++                if(spamc_optarg) {
++                    libspamc_log(flags, LOG_ERR,
++                        "Explicit specification of an SSL/TLS version no longer supported.");
++                    ret = EX_USAGE;
++                }
+                 break;
+             }
+ #endif
+--- spamd/spamd.raw.orig
++++ spamd/spamd.raw
+@@ -409,7 +409,6 @@ GetOptions(
+   'sql-config!'              => \$opt{'sql-config'},
+   'ssl'                      => \$opt{'ssl'},
+   'ssl-port=s'               => \$opt{'ssl-port'},
+-  'ssl-version=s'            => \$opt{'ssl-version'},
+   'syslog-socket=s'          => \$opt{'syslog-socket'},
+   'syslog|s=s'               => \$opt{'syslog'},
+   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
+@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
+ 
+ # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
+ 
+-my $sslversion = $opt{'ssl-version'} || 'sslv3';
+-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
+-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
+-}
+-
+ $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
+ $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
+ 
+@@ -899,9 +893,8 @@ sub compose_listen_info_string {
+                       $socket_info->{ip_addr}, $socket_info->{port}));
+ 
+     } elsif ($socket->isa('IO::Socket::SSL')) {
+-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
+-                      $socket_info->{ip_addr}, $socket_info->{port},
+-                      $opt{'ssl-version'}||'sslv3'));
++      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
++                      $socket_info->{port}));
+     }
+   }
+ 
+@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
+     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
+                              && IO::Socket::IP->VERSION >= 0.09;
+     %sockopt = (%sockopt, (
+-      SSL_version     => $sslversion,
+       SSL_verify_mode => 0x00,
+       SSL_key_file    => $opt{'server-key'},
+       SSL_cert_file   => $opt{'server-cert'},
+@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
+     if (!$server_inet) {
+       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
+                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
+-                      $adr, $port, $!);
++                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
++                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
+       push(@diag_fail, $diag);
+     } else {
+       $diag = sprintf("created %s socket on [%s]:%s",
+@@ -3238,7 +3231,6 @@ Options:
+  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
+  --ssl                             Enable SSL on TCP connections
+  --ssl-port port                   Override --port setting for SSL connections
+- --ssl-version sslversion          Specify SSL protocol version to use
+  --server-key keyfile              Specify an SSL keyfile
+  --server-cert certfile            Specify an SSL certificate
+  --socketpath=path                 Listen on a given UNIX domain socket
+@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
+ SSL connections (default: whatever --port uses).  See B<--ssl> for
+ more details.
+ 
+-=item B<--ssl-version>=I<sslversion>
+-
+-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
+-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
+-higher hello handshake, then negotiating use of SSLv3 or TLSv1
+-protocol if the client can accept it.  Specifying B<--ssl-version>
+-implies B<--ssl>.
+-
+ =item B<--server-key> I<keyfile>
+ 
+ Specify the SSL key file to use for SSL connections.
+--- spamc/spamc.pod.orig
++++ spamc/spamc.pod
+@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
+ Sleep for I<sleep> seconds between failed spamd filtering attempts.
+ The default is 1 second.
+ 
+-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
++=item B<-S>, B<--ssl>, B<--ssl>
+ 
+ If spamc was built with support for SSL, encrypt data to and from the
+ spamd process with SSL; spamd must support SSL as well.
+-I<sslversion> specifies the SSL protocol version to use, either
+-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
+ 
+ =item B<-t> I<timeout>, B<--timeout>=I<timeout>
+ 
+--- t/spamd_ssl_tls.t.orig
++++ t/spamd_ssl_tls.t
+@@ -1,28 +0,0 @@ 
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_ssl_tls");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=tlsv1 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+--- t/spamd_ssl_v3.t.orig
++++ t/spamd_ssl_v3.t
+@@ -1,28 +0,0 @@ 
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_sslv3");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=sslv3 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+--- t/spamd_ssl_accept_fail.t.orig
++++ t/spamd_ssl_accept_fail.t
+@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
+ 
+ );
+ 
+-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
+-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
+ ok (stop_spamd ());
+ 
+ ok_all_patterns();
+--- t/spamd_ssl.t.orig
++++ t/spamd_ssl.t
+@@ -2,10 +2,7 @@ 
+ 
+ use lib '.'; use lib 't';
+ use SATest; sa_t_init("spamd_ssl");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
+-    onfail => sub {
+-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
+-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+ 
+ exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+ 
+--- MANIFEST.orig
++++ MANIFEST
+@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
+ t/spamd_sql_prefs.t
+ t/spamd_ssl.t
+ t/spamd_ssl_accept_fail.t
+-t/spamd_ssl_tls.t
+-t/spamd_ssl_v3.t
+ t/spamd_stop.t
+ t/spamd_symbols.t
+ t/spamd_syslog.t
author	Adam Weinberger <adamw@FreeBSD.org>	2016-04-04 17:05:31 +0000
committer	Adam Weinberger <adamw@FreeBSD.org>	2016-04-04 17:05:31 +0000
commit	bd221c2699ba0b8a431b2d72ac3475c3e577f398 (patch)
tree	670b2ce7c183943f6a6e140c06f294b62b387e41 /mail/spamassassin
parent	a6cdee9790980a4c1057d01ecd858609ad1b575b (diff)
download	ports-bd221c2699ba0b8a431b2d72ac3475c3e577f398.tar.gz ports-bd221c2699ba0b8a431b2d72ac3475c3e577f398.zip