authorOndrej Exner <ondrej.exner@ubnt.com>2019-09-09 13:04:58 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2019-09-12 11:33:27 +0200
commit783f17a9ea9e07009f72100cd31f71dca8972f3d (patch)
tree334a2c1be22301e4493ea0c84515312a520318bb
parent2a3ce42d7058df47a346c7bc6e262c6af7d1db13 (diff)
main/imap: SNI patch required for TLS 1.3
squashed cherry-picks from master of: commit 21ffc72e4201l (main/imap: SNI patch required for TLS 1.3) commit ffdcf96da172d (main/imap: fix for the previous SNI patch)
-rw-r--r--main/imap/2014_openssl1.1.1_sni.patch40
-rw-r--r--main/imap/APKBUILD6
2 files changed, 44 insertions, 2 deletions
diff --git a/main/imap/2014_openssl1.1.1_sni.patch b/main/imap/2014_openssl1.1.1_sni.patch
new file mode 100644
index 0000000000..af2bf99962
--- /dev/null
+++ b/main/imap/2014_openssl1.1.1_sni.patch
@@ -0,0 +1,40 @@
+Bug-Debian: https://bugs.debian.org/916041
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
+Description:
+ Google IMAP servers require SNI if TLSv1.3 is used,
+ otherwise it sends a self-signed certificate which
+ fails validation.
+
+ OpenSSL support/versions:
+ - TLSv1.3 on 1.1.1,
+ - a2i_IPADDRESS() on 0.9.8'ish,
+ - SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
+ per 'git blame/describe' and the CHANGES file.
+
+ So check for TLSv1.3 support / OpenSSL 1.1.1
+ not to incur behavior changes on pre-TLSv1.3,
+ and set host_name to 'host' (ssl_open_verify()
+ validates this, via 'ssl_last_host' variable)
+
+ This patch just combines these two patches:
+ - BTS#916041 (message #5) by Ed Spiridonov,
+ - LP#916041 (comment #6) by David Zuelke.
+Author: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
+ /* create connection */
+ if (!(stream->con = (SSL *) SSL_new (stream->context)))
+ return "SSL connection failed";
++#if OPENSSL_VERSION_NUMBER >= 0x10101000
++ /* Use SNI in case server requires it with TLSv1.3.
++ * Literal IP addresses not permitted per RFC 6066. */
++ if (!a2i_IPADDRESS(host)) {
++ ERR_clear_error();
++ SSL_set_tlsext_host_name(stream->con,host);
++ }
++#endif
+ bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
+ SSL_set_bio (stream->con,bio,bio);
+ SSL_set_connect_state (stream->con);
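Review bot: In the added `#if OPENSSL_VERSION_NUMBER >= 0x10101000` block, `a2i_IPADDRESS(host)` returns a newly allocated `ASN1_OCTET_STRING` when `host` is an IP literal, and the result is dropped, so every TLS connection to a literal address leaks that object. Keeping the pointer and releasing it would fix this: `ASN1_OCTET_STRING *ip = a2i_IPADDRESS(host);` followed by `if (ip) ASN1_OCTET_STRING_free(ip); else { ERR_clear_error(); SSL_set_tlsext_host_name(stream->con,host); }`. The return value of `SSL_set_tlsext_host_name()` is also ignored; if it fails, the handshake goes ahead without SNI and, per the patch description, ends in a certificate validation error that hides the real cause, so returning an error string here as the `SSL_new` check above does would make the failure diagnosable. The body of `ssl_start_work` starts and ends outside this hunk, so whether a declaration can be placed at this point without opening a new block has to be checked against the full function.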
diff --git a/main/imap/APKBUILD b/main/imap/APKBUILD
index 37b294d476..4a0dbaf910 100644
--- a/main/imap/APKBUILD
+++ b/main/imap/APKBUILD
@@ -5,7 +5,7 @@
# build it shared
pkgname=imap
pkgver=2007f
-pkgrel=9
+pkgrel=10
pkgdesc="An IMAP/POP server"
url="http://www.washington.edu/imap"
arch="all"
@@ -17,6 +17,7 @@ source="http://ftp.ntua.gr/pub/net/mail/imap/imap-$pkgver.tar.gz
fix-linking.patch
c-client-2006k_KOLAB_Annotations.patch
1006_openssl1.1_autoverify.patch
+ 2014_openssl1.1.1_sni.patch
"
builddir="$srcdir"/$pkgname-$pkgver
@@ -65,4 +66,5 @@ cclient() {
sha512sums="7c3e1d9927872001e768ff2ddbcf3af74078243efe58dd70e01d966856b7611134e4b579818691a954bade9acaeeda6f2f30f40d812b8aa20990de5cb90d5d35 imap-2007f.tar.gz
f8a4b5b8759b690273ec8c86db55c3c3ebf7b358321aa829341bc65e98db0f10696b1eeae922eecada668f011b0b3231ed73c3a959b47b4cba00568bf7d231c1 fix-linking.patch
871093236b3ae300968e1e200a2389566af72ed1f62ad57c1dc617dd59e8378f29175fe07e5cfc575e022f3c27769b06850cbf21567f7cc359ca204c4d87a3af c-client-2006k_KOLAB_Annotations.patch
-7ecbe52adc6e3d1deee05790745642f794150ffaebf51c0cf689dc036eea9c7d80e643648aac37bf0aa83ac138b8bb63abfad3b540bc9440de3456162dfabae5 1006_openssl1.1_autoverify.patch"
+7ecbe52adc6e3d1deee05790745642f794150ffaebf51c0cf689dc036eea9c7d80e643648aac37bf0aa83ac138b8bb63abfad3b540bc9440de3456162dfabae5 1006_openssl1.1_autoverify.patch
+884fe866cdce7955134c0ff939f1f5ef151ccbed772e64807095d369cb96fb67790cb070a7ea588e1e8f5523fcfeac5a6af6b1db69ec8f516b4c08db0cb029cb 2014_openssl1.1.1_sni.patch"