Date:      Tue, 5 Apr 2016 18:34:36 +0000 (UTC)
From:      Adam Weinberger <adamw@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r412582 - in branches/2016Q2: . japanese/spamassassin mail/spamassassin mail/spamassassin/files
Message-ID:  <201604051834.u35IYapI003904@repo.freebsd.org>

Author: adamw
Date: Tue Apr  5 18:34:35 2016
New Revision: 412582
URL: https://svnweb.freebsd.org/changeset/ports/412582

Log:
  MFH: r412519
  
  Fix build/test without SSLv3, and enable TLSv1.1 and TLSv1.2.
  
  This is a patch made by Debian's own Noah Meyerhans that fixes or
  removes the tests that choke when OpenSSL is built without SSLv3
  support (and in all current versions of LibreSSL), and lets
  IO::Socket::SSL choose the best TLS level rather than forcing it at
  TLSv1.
  
  PORTREVISION bump.
  
  PR:		208225
  Submitted by:	Sascha Holzleiter
  Obtained from:	https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199
  
  Approved by:	ports-secteam (feld)

Added:
  branches/2016Q2/mail/spamassassin/files/patch-bug7199
     - copied unchanged from r412519, head/mail/spamassassin/files/patch-bug7199
Modified:
  branches/2016Q2/UPDATING
  branches/2016Q2/japanese/spamassassin/Makefile
  branches/2016Q2/mail/spamassassin/Makefile
Directory Properties:
  branches/2016Q2/   (props changed)

Modified: branches/2016Q2/UPDATING
==============================================================================
--- branches/2016Q2/UPDATING	Tue Apr  5 18:17:23 2016	(r412581)
+++ branches/2016Q2/UPDATING	Tue Apr  5 18:34:35 2016	(r412582)
@@ -5,6 +5,15 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20160404:
+  AFFECTS: mail/spamassassin
+  AUTHOR: adamw@FreeBSD.org
+
+  Support for SSLv3 has been removed from SpamAssassin, because
+  SSLv3 is a Bad Idea. No direct option is provided to re-enable it.
+  If your setup requires use of SSLv3, some instructions are available
+  in FreeBSD PR 208225.
+
 20160331:
   AFFECTS: security/clamav-unofficial-sigs
   AUTHOR: lukasz@wasikowski.net, sf@maxempire.com

Modified: branches/2016Q2/japanese/spamassassin/Makefile
==============================================================================
--- branches/2016Q2/japanese/spamassassin/Makefile	Tue Apr  5 18:17:23 2016	(r412581)
+++ branches/2016Q2/japanese/spamassassin/Makefile	Tue Apr  5 18:34:35 2016	(r412582)
@@ -1,7 +1,7 @@
 # Created by: TAOKA Fumiyoshi
 # $FreeBSD$
 
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	japanese mail perl5
 PKGNAMEPREFIX=	ja-
 

Modified: branches/2016Q2/mail/spamassassin/Makefile
==============================================================================
--- branches/2016Q2/mail/spamassassin/Makefile	Tue Apr  5 18:17:23 2016	(r412581)
+++ branches/2016Q2/mail/spamassassin/Makefile	Tue Apr  5 18:34:35 2016	(r412582)
@@ -3,7 +3,7 @@
 
 PORTNAME=	spamassassin
 PORTVERSION=	3.4.1
-PORTREVISION?=	5	# also bump japanese/spamassassin
+PORTREVISION?=	6	# also bump japanese/spamassassin
 CATEGORIES?=	mail perl5
 MASTER_SITES=	APACHE/spamassassin/source CPAN/Mail
 DISTNAME=	Mail-SpamAssassin-${PORTVERSION}

Copied: branches/2016Q2/mail/spamassassin/files/patch-bug7199 (from r412519, head/mail/spamassassin/files/patch-bug7199)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2016Q2/mail/spamassassin/files/patch-bug7199	Tue Apr  5 18:34:35 2016	(r412582, copy of r412519, head/mail/spamassassin/files/patch-bug7199)
@@ -0,0 +1,258 @@
+--- spamc/libspamc.c.orig
++++ spamc/libspamc.c
+@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
+     unsigned int throwaway;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+     char zlib_on = 0;
+     unsigned char *zlib_buf = NULL;
+     int zlib_bufsiz = 0;
+@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	if (flags & SPAMC_TLSV1) {
+-	    meth = TLSv1_client_method();
+-	} else {
+-	    meth = SSLv3_client_method(); /* default */
+-	}
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
+     int failureval;
+     SSL_CTX *ctx = NULL;
+     SSL *ssl = NULL;
+-    SSL_METHOD *meth;
++    const SSL_METHOD *meth;
+ 
+     assert(tp != NULL);
+     assert(m != NULL);
+@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
+     if (flags & SPAMC_USE_SSL) {
+ #ifdef SPAMC_SSL
+ 	SSLeay_add_ssl_algorithms();
+-	meth = SSLv3_client_method();
++	meth = SSLv23_client_method();
+ 	SSL_load_error_strings();
+ 	ctx = SSL_CTX_new(meth);
+ #else
+--- spamc/spamc.c.orig
++++ spamc/spamc.c
+@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
+             case 'S':
+             {
+                 flags |= SPAMC_USE_SSL;
+-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
+-		    flags |= SPAMC_SSLV3;
+-		}
+-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
+-		    flags |= SPAMC_TLSV1;
+-		}
+-		else {
+-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
+-		    ret = EX_USAGE;
+-		}
++                if(spamc_optarg) {
++                    libspamc_log(flags, LOG_ERR,
++                        "Explicit specification of an SSL/TLS version no longer supported.");
++                    ret = EX_USAGE;
++                }
+                 break;
+             }
+ #endif
+--- spamd/spamd.raw.orig
++++ spamd/spamd.raw
+@@ -409,7 +409,6 @@ GetOptions(
+   'sql-config!'              => \$opt{'sql-config'},
+   'ssl'                      => \$opt{'ssl'},
+   'ssl-port=s'               => \$opt{'ssl-port'},
+-  'ssl-version=s'            => \$opt{'ssl-version'},
+   'syslog-socket=s'          => \$opt{'syslog-socket'},
+   'syslog|s=s'               => \$opt{'syslog'},
+   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
+@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
+ 
+ # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
+ 
+-my $sslversion = $opt{'ssl-version'} || 'sslv3';
+-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
+-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
+-}
+-
+ $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
+ $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
+ 
+@@ -899,9 +893,8 @@ sub compose_listen_info_string {
+                       $socket_info->{ip_addr}, $socket_info->{port}));
+ 
+     } elsif ($socket->isa('IO::Socket::SSL')) {
+-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
+-                      $socket_info->{ip_addr}, $socket_info->{port},
+-                      $opt{'ssl-version'}||'sslv3'));
++      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
++                      $socket_info->{port}));
+     }
+   }
+ 
+@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
+     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
+                              && IO::Socket::IP->VERSION >= 0.09;
+     %sockopt = (%sockopt, (
+-      SSL_version     => $sslversion,
+       SSL_verify_mode => 0x00,
+       SSL_key_file    => $opt{'server-key'},
+       SSL_cert_file   => $opt{'server-cert'},
+@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
+     if (!$server_inet) {
+       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
+                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
+-                      $adr, $port, $!);
++                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
++                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
+       push(@diag_fail, $diag);
+     } else {
+       $diag = sprintf("created %s socket on [%s]:%s",
+@@ -3238,7 +3231,6 @@ Options:
+  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
+  --ssl                             Enable SSL on TCP connections
+  --ssl-port port                   Override --port setting for SSL connections
+- --ssl-version sslversion          Specify SSL protocol version to use
+  --server-key keyfile              Specify an SSL keyfile
+  --server-cert certfile            Specify an SSL certificate
+  --socketpath=path                 Listen on a given UNIX domain socket
+@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
+ SSL connections (default: whatever --port uses).  See B<--ssl> for
+ more details.
+ 
+-=item B<--ssl-version>=I<sslversion>
+-
+-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
+-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
+-higher hello handshake, then negotiating use of SSLv3 or TLSv1
+-protocol if the client can accept it.  Specifying B<--ssl-version>
+-implies B<--ssl>.
+-
+ =item B<--server-key> I<keyfile>
+ 
+ Specify the SSL key file to use for SSL connections.
+--- spamc/spamc.pod.orig
++++ spamc/spamc.pod
+@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
+ Sleep for I<sleep> seconds between failed spamd filtering attempts.
+ The default is 1 second.
+ 
+-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
++=item B<-S>, B<--ssl>, B<--ssl>
+ 
+ If spamc was built with support for SSL, encrypt data to and from the
+ spamd process with SSL; spamd must support SSL as well.
+-I<sslversion> specifies the SSL protocol version to use, either
+-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
+ 
+ =item B<-t> I<timeout>, B<--timeout>=I<timeout>
+ 
+--- t/spamd_ssl_tls.t.orig
++++ t/spamd_ssl_tls.t
+@@ -1,28 +0,0 @@ 
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_ssl_tls");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=tlsv1 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+--- t/spamd_ssl_v3.t.orig
++++ t/spamd_ssl_v3.t
+@@ -1,28 +0,0 @@ 
+-#!/usr/bin/perl
+-
+-use lib '.'; use lib 't';
+-use SATest; sa_t_init("spamd_sslv3");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+-
+-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+-
+-# ---------------------------------------------------------------------------
+-
+-%patterns = (
+-
+-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
+-q{ Subject: There yours for FREE!}, 'subj',
+-q{ X-Spam-Status: Yes, score=}, 'status',
+-q{ X-Spam-Flag: YES}, 'flag',
+-q{ X-Spam-Level: **********}, 'stars',
+-q{ TEST_ENDSNUMS}, 'endsinnums',
+-q{ TEST_NOREALNAME}, 'noreal',
+-q{ This must be the very last line}, 'lastline',
+-
+-
+-);
+-
+-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
+-           "--ssl=sslv3 < data/spam/001",
+-           \&patterns_run_cb));
+-ok_all_patterns();
+--- t/spamd_ssl_accept_fail.t.orig
++++ t/spamd_ssl_accept_fail.t
+@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
+ 
+ );
+ 
+-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
++ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
+-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
++ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
+ ok (stop_spamd ());
+ 
+ ok_all_patterns();
+--- t/spamd_ssl.t.orig
++++ t/spamd_ssl.t
+@@ -2,10 +2,7 @@ 
+ 
+ use lib '.'; use lib 't';
+ use SATest; sa_t_init("spamd_ssl");
+-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
+-    onfail => sub {
+-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
+-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
++use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
+ 
+ exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
+ 
+--- MANIFEST.orig
++++ MANIFEST
+@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
+ t/spamd_sql_prefs.t
+ t/spamd_ssl.t
+ t/spamd_ssl_accept_fail.t
+-t/spamd_ssl_tls.t
+-t/spamd_ssl_v3.t
+ t/spamd_stop.t
+ t/spamd_symbols.t
+ t/spamd_syslog.t
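Review bot: Switching to `SSLv23_client_method()` in libspamc.c (message_filter and message_tell) does not by itself exclude SSLv3: on an OpenSSL build that still ships it, the client can negotiate SSLv3 if the server offers nothing newer, which contradicts the UPDATING entry saying SSLv3 support has been removed. Adding `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after each `ctx = SSL_CTX_new(meth);` pins the floor at TLSv1 regardless of how the library was built; both enclosing functions start and end outside the hunk. The spamd side presumably relies on IO::Socket::SSL's default version string already excluding SSLv3 — worth confirming against the minimum IO::Socket::SSL version the port requires. Separately, the new `sprintf("SSL [%r]:%s", ...)` in compose_listen_info_string uses `%r`, which is not a Perl sprintf conversion and will be emitted literally with an "Invalid conversion" warning; it should be `[%s]` as in the line it replaces. The spamc.pod item `=item B<-S>, B<--ssl>, B<--ssl>` also repeats `B<--ssl>` where the old `B<--ssl>=I<sslversion>` form was dropped.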


