commit c22a3afca46c83ee6d53a6ee58deb122f309c460
Author: Matthias Andree <matthias.and...@gmx.de>
Date:   Mon Apr 11 14:08:32 2011 +0200

    Remove support for SSLv2 (fixes Debian Bug #622054).
    
    SSLv2 has been deprecated since 1996, and is insecure.
    Remove --sslproto SSL2 support.
    Set the SSL_OP_NO_SSLv2 SSL_CTX option so that the SSLv23 multi-version
    client no longer negotiates SSLv2.
    
    Note that some distributions (such as Debian) build OpenSSL 1.0.0
    without SSLv2 support, so on those, the build would fail.
    
    Fixes Debian Bug #622054
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622054

diff --git a/NEWS b/NEWS
index 922bf0f..221bfcf 100644
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,10 @@ removed from a 6.4.0 or newer release.)
 fetchmail-6.3.20 (not yet released):
 
 # CHANGES
+* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to
+  --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail
+  will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2.
+  To fix Debian Bug#622054.
 * fetchmail now always uses its own MD5 implementation.  The library and header
   variants are too diverse, and we've been bitten before -- and configure
   complains noisily on Cyrus-SASL's RFC1321 md5.h.
diff --git a/fetchmail.man b/fetchmail.man
index 495a60e..69aa887 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -474,8 +474,9 @@ Also see \-\-sslcert above.
 (Keyword: sslproto)
 .br
 Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP', '\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
+\&'\fBSSL23\fP' (note however that fetchmail, since v6.3.20, prohibits
+negotiation of SSLv2 -- it has been deprecated for 15 years and is
+insecure), \&'\fBSSL3\fP', and
 \&'\fBTLS1\fP'.  The default behaviour if this option is unset is: for
 connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
 opportunistically try STARTTLS negotiation with TLS1. You can configure
diff --git a/options.c b/options.c
index d53044f..aee616b 100644
--- a/options.c
+++ b/options.c
@@ -651,7 +651,7 @@ int parsecmdline (int argc /** argument count */,
 	P(GT_("      --sslcertpath path to trusted-CA ssl certificate directory\n"));
 	P(GT_("      --sslcommonname  expect this CommonName from server (discouraged)\n"));
 	P(GT_("      --sslfingerprint fingerprint that must match that of the server's cert.\n"));
-	P(GT_("      --sslproto    force ssl protocol (SSL2/SSL3/TLS1)\n"));
+	P(GT_("      --sslproto    force ssl protocol (SSL23/SSL3/TLS1)\n"));
 #endif
 	P(GT_("      --plugin      specify external command to open connection\n"));
 	P(GT_("      --plugout     specify external command to open smtp connection\n"));
diff --git a/po/de.po b/po/de.po
index 6340260..6158050 100644
--- a/po/de.po
+++ b/po/de.po
@@ -2269,8 +2269,8 @@ msgstr ""
 "Servers.\n"
 
 #: options.c:654
-msgid "      --sslproto    force ssl protocol (SSL2/SSL3/TLS1)\n"
-msgstr "      --sslproto    SSL-Protokoll erzwingen (SSL2/SSL3/TLS1)\n"
+msgid "      --sslproto    force ssl protocol (SSL23/SSL3/TLS1)\n"
+msgstr "      --sslproto    SSL-Protokoll erzwingen (SSL23/SSL3/TLS1)\n"
 
 #: options.c:656
 msgid "      --plugin      specify external command to open connection\n"
@@ -3174,9 +3174,9 @@ msgstr "Datei-Deskriptor außerhalb des Bereichs für SSL"
 
 #: socket.c:901
 #, c-format
-msgid "Invalid SSL protocol '%s' specified, using default (SSLv23).\n"
+msgid "Invalid SSL protocol '%s' specified, using default (SSL23).\n"
 msgstr ""
-"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSLv23).\n"
+"Ungültiges SSL-Protokoll „%s“ angegeben, benutze Voreinstellung (SSL23).\n"
 
 #: socket.c:994
 msgid "Certificate/fingerprint verification was somehow skipped!\n"
diff --git a/socket.c b/socket.c
index 1adc839..fad21c5 100644
--- a/socket.c
+++ b/socket.c
@@ -889,16 +889,14 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 	/* Make sure a connection referring to an older context is not left */
 	_ssl_context[sock] = NULL;
 	if(myproto) {
-		if(!strcasecmp("ssl2",myproto)) {
-			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
-		} else if(!strcasecmp("ssl3",myproto)) {
+		if(!strcasecmp("ssl3",myproto)) {
 			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 		} else if(!strcasecmp("tls1",myproto)) {
 			_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
 		} else if (!strcasecmp("ssl23",myproto)) {
 			myproto = NULL;
 		} else {
-			fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+			fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
 			myproto = NULL;
 		}
 	}
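Review bot: A configuration that still names `ssl2` now falls through to the catch-all else at the end of the chain and is reported as an "Invalid SSL protocol" before being downgraded to SSL23, so an operator reading the log cannot tell a typo from a removed option. An explicit branch ahead of the else would say what actually happened: `} else if (!strcasecmp("ssl2", myproto)) { fprintf(stderr, GT_("SSLv2 is no longer supported, using SSL23 instead.\n")); myproto = NULL;`. The behaviour is otherwise sound, since the SSL23 fallback built below is prevented from negotiating SSLv2 by the option set in the next hunk. SSLOpen begins before this hunk and continues after it.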
@@ -910,7 +908,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 		return(-1);
 	}
 
-	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
 
 	if (certck) {
 		SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
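Review bot: The new `SSL_OP_NO_SSLv2` bit on the `SSL_CTX_set_options` line carries no explanation at the call site; the reason is only recoverable from the NEWS entry. A why-comment directly above it, `/* never negotiate SSLv2, even via the SSLv23 multi-version method: it is insecure and long deprecated */`, keeps the intent with the code. The option is also applied to the SSLv3-only and TLSv1-only contexts created in the previous hunk, which is harmless and arguably worth a word in the same comment. SSLOpen continues outside this hunk.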


