Control: severity important

Hi Jeremy,

Cc'ing the OpenSSL maintainers.

On Mon, Nov 21, 2016 at 07:42:17AM +0100, Salvatore Bonaccorso wrote:
> Hi Jeremy,
>
> On Thu, Oct 13, 2016 at 06:20:49PM -0400, Jeremy T. Bouse wrote:
> > Upstream has been completely MIA for several years now. I've not really
> > checked to determine if there's actually anything dependent on libesmtp
> > and have contemplated archive removal as I am not taking over as
> > upstream and the project itself has appeared to be lifeless and I've
> > merely been keeping the packaging updated.
>
> Some time ago you wrote the above. In case you are interested, I might
> happy to help maintaining it until someone steps up who as well will
> take it over from upstream development point of view.
>
> popcon is increasing for libesmtp actually, it is not dead, and some
> packages depend on it.
>
> And from my personal point of view, I have the additional patch to
> support TSL 1.1+ running since several months now.
>
> Let me know, and regards. Thanks a lot for maintaining it for Debian.

I guess now we need to take action. OpenSSL changed as follows with
the upload of openssl today; the "should support" might now be
rewritten to "needs to support":

https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html

[...]
When building, it now already shows the deprecation:

/bin/bash ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I.   
-Wdate-time -D_FORTIFY_SOURCE=2 -pthread -std=c99 -pedantic -g -O2 
-fdebug-prefix-map=/build/libesmtp-1.0.6=. -fstack-protector-strong -Wformat 
-Werror=format-security          -Wall -Wchar-subscripts 
-Wmissing-declarations -Wmissing-prototypes         -Wstrict-prototypes 
-Wnested-externs -Wpointer-arith         -Wbad-function-cast -Wcast-align 
-pthread -std=c99 -pedantic -g -O2 -fdebug-prefix-map=/build/libesmtp-1.0.6=. 
-fstack-protector-strong -Wformat -Werror=format-security -c -o
smtp-tls.lo smtp-tls.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I. -Wdate-time -D_FORTIFY_SOURCE=2 
-pthread -std=c99 -pedantic -g -O2 -fdebug-prefix-map=/build/libesmtp-1.0.6=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wall 
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes
-Wstrict-prototypes -Wnested-externs -Wpointer-arith -Wbad-function-cast 
-Wcast-align -pthread -std=c99 -pedantic -g -O2 
-fdebug-prefix-map=/build/libesmtp-1.0.6=. -fstack-protector-strong -Wformat 
-Werror=format-security -c smtp-tls.c  -fPIC -DPIC -o .libs/smtp-tls.o
smtp-tls.c: In function 'starttls_create_ctx':
smtp-tls.c:204:3: warning: 'TLSv1_client_method' is deprecated 
[-Wdeprecated-declarations]
   ctx = SSL_CTX_new (TLSv1_client_method ());
   ^~~
In file included from /usr/include/openssl/ct.h:13:0,
                 from /usr/include/openssl/ssl.h:61,
                 from libesmtp-private.h:28,
                 from smtp-tls.c:46:
/usr/include/openssl/ssl.h:1614:1: note: declared here
 DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
 ^
[...]

Please find attached a (refreshed) patch which is still valid to add
the proper support for TLSv1.1+.

Regards,
Salvatore
Description: Add TLSv1.1 and TLSv1.2 support
Origin: vendor
Bug-Debian: https://bugs.debian.org/802658
Author: Salvatore Bonaccorso <car...@debian.org>
Last-Update: 2015-11-07

--- a/smtp-tls.c
+++ b/smtp-tls.c
@@ -197,11 +197,24 @@ starttls_create_ctx (smtp_session_t sess
   ckf_t status;
 
   /* The decision not to support SSL v2 and v3 but instead to use only
-     TLSv1 is deliberate.  This is in line with the intentions of RFC
+     TLSv1.X is deliberate.  This is in line with the intentions of RFC
      3207.  Servers typically support SSL as well as TLS because some
      versions of Netscape do not support TLS.  I am assuming that all
      currently deployed servers correctly support TLS.  */
-  ctx = SSL_CTX_new (TLSv1_client_method ());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
+
+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
 
   /* Load our keys and certificates.  To avoid messing with configuration
      variables etc, use fixed paths for the certificate store.  These are
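Review bot: the SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 guards in the #else path are inverted. OPENSSL_NO_SSL3 is defined when SSLv3 support has been compiled out of the library, which is precisely the case where SSL_OP_NO_SSLv3 is redundant; on a 1.0.x build that still ships SSLv3 the macro is not defined, the option is never set, and SSLv23_client_method() may then negotiate SSLv3, contradicting the comment just above which says v2 and v3 are deliberately unsupported. Drop both #ifdefs and set the options unconditionally, e.g. SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); (both macros exist in every release this patch targets, and SSL_OP_NO_SSLv2 is a harmless no-op on 1.1.0 where SSLv2 is gone). Two smaller points: SSL_CTX_set_options dereferences ctx immediately after SSL_CTX_new() with no NULL check visible in the hunk, so a failed allocation crashes here rather than being reported; and on the 1.1.0 branch consider stating the floor explicitly with SSL_CTX_set_min_proto_version (ctx, TLS1_VERSION) instead of inheriting the library default, since the patch description promises TLSv1.1/1.2 support and the accepted range should be visible in the code. Also, the added lines are indented four spaces while the rest of starttls_create_ctx uses two.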
