Hello community, here is the log from the commit of package cyrus-imapd for openSUSE:Factory checked in at 2014-11-24 11:09:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cyrus-imapd (Old) and /work/SRC/openSUSE:Factory/.cyrus-imapd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cyrus-imapd" Changes: -------- --- /work/SRC/openSUSE:Factory/cyrus-imapd/cyrus-imapd.changes 2014-03-09 18:21:58.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cyrus-imapd.new/cyrus-imapd.changes 2014-11-24 11:09:20.000000000 +0100 @@ -1,0 +2,25 @@ +Fri Nov 21 11:55:51 UTC 2014 - tchva...@suse.com + +- Drop unused patch: + * KOLAB_cyrus-imapd-2.3.18_cross-domain-acls.patch + +------------------------------------------------------------------- +Fri Nov 14 10:49:38 UTC 2014 - rha...@suse.com + +- Replace the TLS/POODLE patch with what was merged into the upstream + git repo: + * cyrus-imapd.tls_options.patch + * Obsoletes patches cyrus-imapd.tls_tlsonly.patch and + cyrus-imapd.tls_ec.patch +- Add a default tls_versions settings to imapd.conf which disables + POODLE affected SSL versions. + +------------------------------------------------------------------- +Sat Oct 18 11:15:00 UTC 2014 - johan...@lst.de + +- Add two patches from Kristian Kraemmer Nielsen found on the info-cyrus mailing list + (http://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-October/037708.html) + * cyrus-imapd.tls_ec.patch - adding tls_ec for Perfect Forward Secrecy + * cyrus-imapd.tls_tlsonly.patch - add tlsonly config option to fix POODLE vulnerability + +------------------------------------------------------------------- @@ -353 +377,0 @@ -------------------------------------------------------------------- @@ -354,0 +379 @@ +------------------------------------------------------------------- @@ -363 +387,0 @@ -------------------------------------------------------------------- 
@@ -364,0 +389 @@ +------------------------------------------------------------------- Old: ---- KOLAB_cyrus-imapd-2.3.18_cross-domain-acls.patch New: ---- cyrus-imapd.tls_options.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cyrus-imapd.spec ++++++ --- /var/tmp/diff_new_pack.uxiVmW/_old 2014-11-24 11:09:21.000000000 +0100 +++ /var/tmp/diff_new_pack.uxiVmW/_new 2014-11-24 11:09:21.000000000 +0100 @@ -66,6 +66,8 @@ Patch26: cyrus-imapd-2.4.17_tls-session-leak.patch # PATCH-FEATURE-UPSTREAM -- Allow a result attribute to be specified with ptclient/ldap.c // included in 2.5 Patch27: cyrus-imapd-2.4.17_ptloader-ldap_user_attribute.patch +# PATCH-FIX-UPSTREAM -- Allow to configure TLS more detailed (e.g. to fix POODLE an add PFS) +Patch28: cyrus-imapd.tls_options.patch BuildRequires: automake BuildRequires: bison @@ -225,6 +227,7 @@ %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 # remove executable bit from docs find doc -type f -name '*.html' -exec %{__chmod} -x {} \; ++++++ cyrus-imapd-rc-2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SUSE/imapd.conf new/SUSE/imapd.conf --- old/SUSE/imapd.conf 2014-01-27 17:45:45.000000000 +0100 +++ new/SUSE/imapd.conf 2014-11-07 12:30:00.000000000 +0100 
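Review bot: The PATCH-FIX-UPSTREAM comment added for Patch28 reads 'Allow to configure TLS more detailed (e.g. to fix POODLE an add PFS)', which is ungrammatical and understates what the patch does. Suggested: `# PATCH-FIX-UPSTREAM -- Finer-grained TLS configuration (tls_versions, tls_eccurve, tls_prefer_server_ciphers): disables SSLv3 for POODLE and adds ECDHE forward secrecy`. Naming the new imapd.conf keys in the comment helps the next packager see why the shipped default config sets tls_versions.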
@@ -25,4 +25,5 @@ #tls_cert_file: /etc/ssl/certs/cyrus-imapd.pem #tls_key_file: /etc/ssl/private/cyrus-imapd.key #tls_ca_file: /etc/ssl/cacert.pem -#tls_ca_path: /etc/ssl/ \ No newline at end of file +#tls_ca_path: /etc/ssl/ +tls_versions: tls1_0 tls1_1 tls1_2 ++++++ cyrus-imapd.tls_options.patch ++++++ commit 4b26d2d7244eeaa481871c337e57cd393fd76dfe Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeu...@kolabsys.com> Date: Thu Oct 16 11:12:20 2014 +0200 Enhance SSL/TLS configuration options New settings: tls_compression: 0 Enable TLS compression. Disabled by default. tls_eccurve: prime256v1 Select the elliptic curve used for ECDHE. tls_prefer_server_ciphers: 0 Prefer the cipher order configured on the server-side. tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2 Disable SSL/TLS protocols not in this list. Bugzilla #3822, #3830, #3843, #3861. diff --git a/imap/tls.c b/imap/tls.c index 6db4a2f..92f4c88 100644 --- a/imap/tls.c +++ b/imap/tls.c @@ -631,6 +631,7 @@ int tls_init_serverengine(const char *ident, const char *s_cert_file; const char *s_key_file; int requirecert; + int server_cipher_order; int timeout; if (tls_serverengine) @@ -646,13 +647,6 @@ int tls_init_serverengine(const char *ident, return -1; } -#if 0 - if (tlsonly) { - s_ctx = SSL_CTX_new(TLSv1_server_method()); - } else { - s_ctx = SSL_CTX_new(SSLv23_server_method()); - } -#endif /* even if we want TLS only, we use SSLv23 server method so we can deal with a client sending an SSLv2 greeting message */ 
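Review bot: `tls_versions: tls1_0 tls1_1 tls1_2` is the line that actually turns off the POODLE-affected protocols, but unlike the surrounding `#tls_*` entries it carries no comment saying that anything not listed is disabled and that ssl2/ssl3 are omitted on purpose. Add above it `# Protocols not listed here are disabled; ssl2 and ssl3 are left out deliberately (POODLE, SSLv2).` This also guards against someone later "completing" the list from the upstream default, which would silently re-enable SSLv3. The key only has effect once Patch28 (cyrus-imapd.tls_options.patch) is applied, which the spec change in this submission does.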
@@ -662,10 +656,40 @@ int tls_init_serverengine(const char *ident, }; off |= SSL_OP_ALL; /* Work around all known bugs */ - if (tlsonly) { + + const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS); + + if (strstr(tls_versions, "ssl2") == NULL || tlsonly) { off |= SSL_OP_NO_SSLv2; + } + + if (strstr(tls_versions, "ssl3") == NULL || tlsonly) { off |= SSL_OP_NO_SSLv3; } + + if (strstr(tls_versions, "tls1_2") == NULL) { +#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL) + off |= SSL_OP_NO_TLSv1_2; +#else + syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient"); +#endif + } + + if (strstr(tls_versions, "tls1_1") == NULL) { +#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL) + off |= SSL_OP_NO_TLSv1_1; +#else + syslog(LOG_ERR, "ERROR: TLSv1.1 configured, OpenSSL < 1.0.0 insufficient"); +#endif + } + if (strstr(tls_versions, "tls1_0") == NULL) { + off |= SSL_OP_NO_TLSv1; + } + + server_cipher_order = config_getswitch(IMAPOPT_TLS_PREFER_SERVER_CIPHERS); + if (server_cipher_order) + off |= SSL_OP_CIPHER_SERVER_PREFERENCE; + SSL_CTX_set_options(s_ctx, off); SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback); @@ -679,10 +703,15 @@ int tls_init_serverengine(const char *ident, CAfile = config_getstring(IMAPOPT_TLS_CA_FILE); CApath = config_getstring(IMAPOPT_TLS_CA_PATH); - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(s_ctx))) { - /* just a warning since this is only necessary for client auth */ - syslog(LOG_NOTICE,"TLS server engine: cannot load CA data"); + if (CAfile || CApath) { + if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || + (!SSL_CTX_set_default_verify_paths(s_ctx))) { + /* just a warning since this is only necessary for client auth */ + syslog(LOG_NOTICE,"TLS server engine: cannot load CA data. Disabling client certs."); + askcert = 0; + } + } else { + askcert = 0; } s_cert_file = config_getstring(IMAPOPT_TLS_CERT_FILE); 
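Review bot: The `syslog(LOG_ERR, "ERROR: TLSv1.2 configured, ...")` call and the matching TLSv1.1 message fire when the token is absent from tls_versions, i.e. when the administrator wants that protocol disabled, so the text states the opposite of the condition; on an OpenSSL too old to have SSL_OP_NO_TLSv1_2 that protocol cannot be negotiated anyway, making this a non-event logged at error severity. Suggested: `syslog(LOG_WARNING, "tls_versions: TLSv1.2 cannot be disabled explicitly with this OpenSSL; it is not offered by this library anyway");` and the same shape for TLSv1.1. The `strstr()` matching also depends on `config_getstring()` never returning NULL for this option; the lib/imapoptions default is a non-NULL string, so that holds today, but an `if (tls_versions == NULL) tls_versions = "";` guard would keep the block safe if the default is ever changed. tls_init_serverengine starts before and ends after this hunk.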
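Review bot: Forcing `askcert = 0` when the CA data cannot be loaded turns a misconfiguration into a fail-open: client-certificate verification is dropped at LOG_NOTICE severity, and `requirecert` is only read from IMAPOPT_TLS_REQUIRE_CERT after this decision (next hunk), so an installation that mandates client certificates could come up without them unless the require_cert handling outside these hunks refuses independently. When tls_require_cert is set the load failure should be fatal: log at LOG_ERR and `return -1;` instead of clearing askcert. Note also that the combined condition still disables client certs when only `SSL_CTX_set_default_verify_paths()` fails although the explicit CAfile/CApath loaded fine; checking the two calls separately keeps the configured CA in effect. The function continues outside the hunk.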
@@ -697,11 +726,23 @@ int tls_init_serverengine(const char *ident, #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) /* Load DH params for DHE-* key exchanges */ SSL_CTX_set_tmp_dh(s_ctx, load_dh_param(s_key_file, s_cert_file)); - /* FIXME: Load ECDH params for ECDHE suites when 0.9.9 is released */ +#endif + +#if (OPENSSL_VERSION_NUMBER >= 0x1000103fL) + const char *ec = config_getstring(IMAPOPT_TLS_ECCURVE); + int openssl_nid = OBJ_sn2nid(ec); + if (openssl_nid != 0) { + EC_KEY *ecdh; + ecdh = EC_KEY_new_by_curve_name(openssl_nid); + if (ecdh != NULL) { + SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); + EC_KEY_free(ecdh); + } + } #endif verify_depth = verifydepth; - if (askcert!=0) + if (askcert != 0) verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; requirecert = config_getswitch(IMAPOPT_TLS_REQUIRE_CERT); @@ -714,7 +755,7 @@ int tls_init_serverengine(const char *ident, if (CAfile == NULL) { syslog(LOG_ERR, "TLS server engine: No CA file specified. " - "Client side certs may not work"); + "Client side certs will not work."); } else { SSL_CTX_set_client_CA_list(s_ctx, SSL_load_client_CA_file(CAfile)); } @@ -1209,7 +1250,7 @@ int tls_init_clientengine(int verifydepth, return -1; } - c_ctx = SSL_CTX_new(TLSv1_client_method()); + c_ctx = SSL_CTX_new(SSLv23_client_method()); if (c_ctx == NULL) { return (-1); }; @@ -1224,7 +1265,7 @@ int tls_init_clientengine(int verifydepth, if ((!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { /* just a warning since this is only necessary for client auth */ - syslog(LOG_NOTICE,"TLS client engine: cannot load CA data"); + syslog(LOG_NOTICE,"TLS client engine: cannot load CA data"); } if (strlen(var_tls_cert_file) == 0) diff --git a/imtest/imtest.c b/imtest/imtest.c index 9351e20..80ca37f 100644 --- a/imtest/imtest.c +++ b/imtest/imtest.c 
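Review bot: The new ECDHE block is silent on both failure paths: an unrecognised tls_eccurve makes `OBJ_sn2nid(ec)` return 0 and a failing `EC_KEY_new_by_curve_name()` returns NULL, and in either case ECDHE is simply not configured, so a typo in the curve name quietly removes the forward-secrecy suites the option exists to provide. Add an `else` on the NID check with `syslog(LOG_ERR, "TLS server engine: unknown tls_eccurve '%s', ECDHE disabled", ec);` and an equivalent message when the key allocation fails. If `config_getstring()` can return NULL here, guard `ec` before `OBJ_sn2nid()` as well; the lib/imapoptions default is `prime256v1`, so that probably only matters if the option can be unset explicitly. tls_init_serverengine continues beyond this hunk.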
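Review bot: Replacing `TLSv1_client_method()` with `SSLv23_client_method()` lets the client engine negotiate SSLv3 (and SSLv2 where the library still offers it) with a remote server, and neither this hunk nor the other tls.c client hunk sets `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on `c_ctx` or applies the new tls_versions handling to it; unless that is done elsewhere in tls_init_clientengine outside the hunk, the client side becomes downgradable to exactly the protocols the server side now disables. At minimum add `SSL_CTX_set_options(c_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the NULL check, or better reuse the tls_versions parsing from the server engine. The imtest.c hunk at @@ -506,7 +506,7 @@ makes the same method change and needs the same treatment.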
@@ -506,7 +506,7 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char return IMTEST_FAIL; } - tls_ctx = SSL_CTX_new(TLSv1_client_method()); + tls_ctx = SSL_CTX_new(SSLv23_client_method()); if (tls_ctx == NULL) { return IMTEST_FAIL; }; diff --git a/lib/imapoptions b/lib/imapoptions index 352ab60..d428fb3 100644 --- a/lib/imapoptions +++ b/lib/imapoptions @@ -1338,10 +1338,20 @@ product version in the capabilities */ /* The list of SSL/TLS ciphers to allow. The format of the string is described in ciphers(1). */ +{ "tls_compression", 0, SWITCH } +/* deactivate TLS compression by default */ + +{ "tls_eccurve", "prime256v1", STRING } +/* The elliptic curve used for ECDHE. Default is NIST Suite B prime256. + See 'openssl ecparam -list_curves' for possible values. */ + { "tls_key_file", NULL, STRING } /* File containing the private key belonging to the server certificate. A value of "disabled" will disable SSL/TLS. */ +{ "tls_prefer_server_ciphers", 0, SWITCH } +/* Prefer the ciphers on the server side instead of client side */ + { "tls_require_cert", 0, SWITCH } /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */ @@ -1350,6 +1360,12 @@ product version in the capabilities */ for later reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will disable session caching. */ +{ "tls_versions", "ssl2 ssl3 tls1_0 tls1_1 tls1_2", STRING } +/* A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts + with all protocols, and substracts protocols not in this list. Newer + versions of SSL/TLS will need to be added here to allow them to get + disabled. */ + { "umask", "077", STRING } /* The umask value used by various Cyrus IMAP programs. */ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
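Review bot: `tls_compression` is introduced with the comment 'deactivate TLS compression by default', but no imap/tls.c hunk in this patch reads IMAPOPT_TLS_COMPRESSION or sets `SSL_OP_NO_COMPRESSION`, so as far as this patch shows the switch is documented without doing anything, and an operator would reasonably assume compression-based attacks on TLS are already mitigated. Either wire it into the server engine next to the tls_versions handling, `if (!config_getswitch(IMAPOPT_TLS_COMPRESSION)) off |= SSL_OP_NO_COMPRESSION;` under an OpenSSL version guard for that flag, or leave the option out until it is implemented. The `tls_eccurve` comment could also state what happens on an unknown curve name, since the tls.c code currently ignores it silently.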
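Review bot: The default `"ssl2 ssl3 tls1_0 tls1_1 tls1_2"` keeps SSLv2 and SSLv3 enabled for every installation that does not set tls_versions or tlsonly, so the POODLE fix this option was written for only applies where a packager or administrator edits imapd.conf, as the SUSE imapd.conf change in this submission does. A secure default would be `{ "tls_versions", "tls1_0 tls1_1 tls1_2", STRING }`, with the description saying that ssl2/ssl3 may be added back for legacy clients. The description also has 'substracts' for 'subtracts', and its last sentence would be clearer as 'Protocol versions not known to this list cannot be disabled; newer versions must be added to the parser before they can be turned off here.'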