On Mon, Aug 07, 2017 at 09:00:05PM +0200, Salvatore Bonaccorso wrote: > Hi Sebastian > > On Mon, Aug 07, 2017 at 07:15:19PM +0200, Sebastian Andrzej Siewior wrote: > > On 2017-08-07 14:26:07 [+0200], Salvatore Bonaccorso wrote: > > > Control: severity important > > > > as in SSL not working anymore in unstable for libesmtp. > > > > > Hi Jeremy, > > Hi Salvatore, > > > > > Please find attached a (refreshed) patch which is still valid to add > > > the proper support for TLSv1.1+ > > > > Description: Add TLSv1.1 and TLSv1.2 support > > Origin: vendor > > Bug-Debian: https://bugs.debian.org/802658 > > Author: Salvatore Bonaccorso <car...@debian.org> > > Last-Update: 2015-11-07 > > > > --- a/smtp-tls.c > > +++ b/smtp-tls.c > > @@ -197,11 +197,24 @@ starttls_create_ctx (smtp_session_t sess > > ckf_t status; > > > > /* The decision not to support SSL v2 and v3 but instead to use only > > - TLSv1 is deliberate. This is in line with the intentions of RFC > > + TLSv1.X is deliberate. This is in line with the intentions of RFC > > 3207. Servers typically support SSL as well as TLS because some > > versions of Netscape do not support TLS. I am assuming that all > > currently deployed servers correctly support TLS. */ > > - ctx = SSL_CTX_new (TLSv1_client_method ()); > > +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ > > + !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) > > + ctx = SSL_CTX_new (TLS_client_method ()); > > +#else > > + ctx = SSL_CTX_new (SSLv23_client_method ()); > > +#endif > > + > > +#ifdef OPENSSL_NO_SSL3 > > + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); > > +#endif > > + > > +#ifdef OPENSSL_NO_SSL2 > > + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); > > +#endif > > > > /* Load our keys and certificates. To avoid messing with configuration > > variables etc, use fixed paths for the certificate store. These are > > > > This looks good. I would however just replace TLSv1_client_method() with > > SSLv23_client_method() (without the version check) and be done with it. > > Setting the NO_SSLvX thingy is a nop in Debian but upstream might be > > happy to see it. > > Thanks for review. The reason I did that is indeed, to have a patch > which is most acceptable for upstream to include, independent on > Debian, although upstream since I initially pinged never replied to my > queries :-(. Thus as well the explicit version checking, since AFAIU > the use of the SSLv23_client_method is deprecated in favour of > TLS_client_method. > > The POD for SSL_CTX_new states this explicitly: > > SSLv23_method(), SSLv23_server_method() and SSLv23_client_method() > were deprecated and the preferred TLS_method(), TLS_server_method() > and TLS_client_method() functions were introduced in OpenSSL 1.1.0. > > Did I missunderstood something here?
Even tought it's deprecated, it's unlikely we'll remove the compatiblity define any time soon. So either way really works for me. Kurt
