aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/imap/2014_openssl1.1.1_sni.patch40
-rw-r--r--main/imap/APKBUILD6
-rw-r--r--main/imap/sni.patch24
3 files changed, 43 insertions, 27 deletions
diff --git a/main/imap/2014_openssl1.1.1_sni.patch b/main/imap/2014_openssl1.1.1_sni.patch
new file mode 100644
index 0000000000..af2bf99962
--- /dev/null
+++ b/main/imap/2014_openssl1.1.1_sni.patch
@@ -0,0 +1,40 @@
+Bug-Debian: https://bugs.debian.org/916041
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
+Description:
+ Google IMAP servers require SNI if TLSv1.3 is used,
+ otherwise it sends a self-signed certificate which
+ fails validation.
+
+ OpenSSL support/versions:
+ - TLSv1.3 on 1.1.1,
+ - a2i_IPADDRESS() on 0.9.8'ish,
+ - SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
+ per 'git blame/describe' and the CHANGES file.
+
+ So check for TLSv1.3 support / OpenSSL 1.1.1
+ not to incur behavior changes on pre-TLSv1.3,
+ and set host_name to 'host' (ssl_open_verify()
+ validates this, via 'ssl_last_host' variable)
+
+ This patch just combines these two patches:
+ - BTS#916041 (message #5) by Ed Spiridonov,
+ - LP#916041 (comment #6) by David Zuelke.
+Author: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
+ /* create connection */
+ if (!(stream->con = (SSL *) SSL_new (stream->context)))
+ return "SSL connection failed";
++#if OPENSSL_VERSION_NUMBER >= 0x10101000
++ /* Use SNI in case server requires it with TLSv1.3.
++ * Literal IP addresses not permitted per RFC 6066. */
++ if (!a2i_IPADDRESS(host)) {
++ ERR_clear_error();
++ SSL_set_tlsext_host_name(stream->con,host);
++ }
++#endif
+ bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
+ SSL_set_bio (stream->con,bio,bio);
+ SSL_set_connect_state (stream->con);
diff --git a/main/imap/APKBUILD b/main/imap/APKBUILD
index 1b34a85c73..d3d4c4e0e2 100644
--- a/main/imap/APKBUILD
+++ b/main/imap/APKBUILD
@@ -5,7 +5,7 @@
# build it shared
pkgname=imap
pkgver=2007f
-pkgrel=10
+pkgrel=11
pkgdesc="An IMAP/POP server"
url="http://www.washington.edu/imap"
arch="all"
@@ -17,7 +17,7 @@ source="http://ftp.ntua.gr/pub/net/mail/imap/imap-$pkgver.tar.gz
fix-linking.patch
c-client-2006k_KOLAB_Annotations.patch
1006_openssl1.1_autoverify.patch
- sni.patch
+ 2014_openssl1.1.1_sni.patch
"
builddir="$srcdir"/$pkgname-$pkgver
@@ -67,4 +67,4 @@ sha512sums="7c3e1d9927872001e768ff2ddbcf3af74078243efe58dd70e01d966856b7611134e4
f8a4b5b8759b690273ec8c86db55c3c3ebf7b358321aa829341bc65e98db0f10696b1eeae922eecada668f011b0b3231ed73c3a959b47b4cba00568bf7d231c1 fix-linking.patch
871093236b3ae300968e1e200a2389566af72ed1f62ad57c1dc617dd59e8378f29175fe07e5cfc575e022f3c27769b06850cbf21567f7cc359ca204c4d87a3af c-client-2006k_KOLAB_Annotations.patch
7ecbe52adc6e3d1deee05790745642f794150ffaebf51c0cf689dc036eea9c7d80e643648aac37bf0aa83ac138b8bb63abfad3b540bc9440de3456162dfabae5 1006_openssl1.1_autoverify.patch
-2b1ec17da5c57832f3adb30f09f4fd31f6cdfc63a696f36141b84bdc0a375f0b40a2c84cba3d11658a2895125687f49ead04ef381eed4b61564ede65f6149622 sni.patch"
+884fe866cdce7955134c0ff939f1f5ef151ccbed772e64807095d369cb96fb67790cb070a7ea588e1e8f5523fcfeac5a6af6b1db69ec8f516b4c08db0cb029cb 2014_openssl1.1.1_sni.patch"
diff --git a/main/imap/sni.patch b/main/imap/sni.patch
deleted file mode 100644
index 2247f65f98..0000000000
--- a/main/imap/sni.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: Google IMAP servers require SNI if client supports TLS 1.3.
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340
-
---- a/src/osdep/unix/ssl_unix.c
-+++ b/src/osdep/unix/ssl_unix.c
-@@ -273,6 +273,18 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
- /* create connection */
- if (!(stream->con = (SSL *) SSL_new (stream->context)))
- return "SSL connection failed";
-+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
-+ ASN1_OCTET_STRING *ip;
-+ /* support SNI if host is not an IP address */
-+ /* per RFC 6066: */
-+ /* Literal IPv4 and IPv6 addresses are not permitted in "HostName". */
-+ /* a2i_IPADDRESS is available since OpenSSL 1.0.2 */
-+ ip = a2i_IPADDRESS(host);
-+ if (ip == NULL) {
-+ ERR_clear_error();
-+ SSL_set_tlsext_host_name(stream->con,host);
-+ }
-+#endif
- bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
- SSL_set_bio (stream->con,bio,bio);
- SSL_set_connect_state (stream->con);