Red Hat Bugzilla – Attachment 1388346 Details for Bug 1540020: Compatibility with OpenSSL 1.1
[patch] 0001-fix-compatibility-with-OpenSSL-1.1-rhbz-1540020.patch (text/plain), 4.28 KB, created by Remi Collet on 2018-01-30 12:22:24 UTC
>From 635cd07dd61820f75fa4ce27dba3f7d0795cec64 Mon Sep 17 00:00:00 2001 >From: Remi Collet <remi@fedoraproject.org> >Date: Tue, 30 Jan 2018 13:20:55 +0100 >Subject: [PATCH] fix compatibility with OpenSSL 1.1 rhbz#1540020 using patch > from debian > >--- > 1006_openssl1.1_autoverify.patch | 58 ++++++++++++++++++++++++++++++++++++++++ > uw-imap.spec | 13 +++++---- > 2 files changed, 66 insertions(+), 5 deletions(-) > create mode 100644 1006_openssl1.1_autoverify.patch > >diff --git a/1006_openssl1.1_autoverify.patch b/1006_openssl1.1_autoverify.patch >new file mode 100644 >index 0000000..087e747 >--- /dev/null >+++ b/1006_openssl1.1_autoverify.patch 
>@@ -0,0 +1,58 @@ >+Description: Support OpenSSL 1.1 >+ When building with OpenSSL 1.1 and newer, use the new built-in >+ hostname verification instead of code that doesn't compile due to >+ structs having been made opaque. >+Bug-Debian: https://bugs.debian.org/828589 >+ >+--- a/src/osdep/unix/ssl_unix.c >++++ b/src/osdep/unix/ssl_unix.c >+@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM * >+ /* disable certificate validation? */ >+ if (flags & NET_NOVALIDATECERT) >+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); >+- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); >++ else { >++#if OPENSSL_VERSION_NUMBER >= 0x10100000 >++ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context); >++ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); >++ X509_VERIFY_PARAM_set1_host(param, host, 0); >++#endif >++ >++ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); >+ /* set default paths to CAs... */ >++ } >+ SSL_CTX_set_default_verify_paths (stream->context); >+ /* ...unless a non-standard path desired */ >+ if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) >+@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM * >+ if (SSL_write (stream->con,"",0) < 0) >+ return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; >+ /* need to validate host names? */ >++#if OPENSSL_VERSION_NUMBER < 0x10100000 >+ if (!(flags & NET_NOVALIDATECERT) && >+ (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), >+ host))) { >+@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM * >+ sprintf (tmp,"*%.128s: %.255s",err,cert ? 
cert->name : "???"); >+ return ssl_last_error = cpystr (tmp); >+ } >++#endif >+ return NIL; >+ } >+ >+@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_ >+ * Returns: NIL if validated, else string of error message >+ */ >+ >++#if OPENSSL_VERSION_NUMBER < 0x10100000 >+ static char *ssl_validate_cert (X509 *cert,char *host) >+ { >+ int i,n; >+@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce >+ else ret = "Unable to locate common name in certificate"; >+ return ret; >+ } >++#endif >+ >+ /* Case-independent wildcard pattern match >+ * Accepts: base string >diff --git a/uw-imap.spec b/uw-imap.spec >index b7eb8ab..f6c91c1 100644 >--- a/uw-imap.spec >+++ b/uw-imap.spec >@@ -22,7 +22,7 @@ > Summary: UW Server daemons for IMAP and POP network mail protocols > Name: uw-imap > Version: 2007f >-Release: 17%{?dist} >+Release: 18%{?dist} > > # See LICENSE.txt, http://www.apache.org/licenses/LICENSE-2.0 > License: ASL 2.0 >@@ -70,6 +70,8 @@ Patch10: imap-2007e-authmd5.patch > Patch11: imap-2007e-system_c_client.patch > Patch12: imap-2007f-format-security.patch > Patch13: imap-2007e-poll.patch >+# From debian >+Patch14: 1006_openssl1.1_autoverify.patch > > BuildRequires: krb5-devel > BuildRequires: pam-devel >@@ -77,11 +79,7 @@ BuildRequires: pam-devel > Requires: xinetd > Requires(post): openssl > >-%if 0%{?fedora} > 25 || 0%{?rhel} > 7 >-BuildRequires: compat-openssl10-devel >-%else > BuildRequires: openssl-devel >-%endif > > %if 0%{?_with_system_libc_client} > BuildRequires: libc-client-devel = %{version} >@@ -182,6 +180,7 @@ install -p -m644 %{SOURCE22} imap.pam > > %patch12 -p1 -b .fmt-sec > %patch13 -p1 -b .poll >+%patch14 -p1 -b .openssl11 > > > %build 
>@@ -351,6 +350,10 @@ done > > > %changelog >+* Tue Jan 30 2017 Remi Collet <rcollet@redhat.com> - 2007f-18 >+- fix compatibility with OpenSSL 1.1 rhbz#1540020 >+ using patch from debian >+ > * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2007f-17 > - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild > >-- >2.14.3 >
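Review bot: in the embedded ssl_unix.c hunk at -227,8 +227,16 of 1006_openssl1.1_autoverify.patch, the return value of X509_VERIFY_PARAM_set1_host(param, host, 0) is ignored. The call returns 0 on failure, and because the later hunks compile ssl_validate_cert out for OpenSSL 1.1, a failed call would leave SSL_VERIFY_PEER checking the chain only, with no host name bound to the connection. Suggest returning an error string from ssl_start_work when the call does not return 1. A smaller point in the same hunk: the comment "/* set default paths to CAs... */" now sits inside the new else block while SSL_CTX_set_default_verify_paths stays outside it, so the comment should move below the closing brace.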
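Review bot: the #if OPENSSL_VERSION_NUMBER < 0x10100000 guard added around the post-handshake ssl_validate_cert call (embedded hunks at -266,6 and -275,6) also removes the only code that builds the "*%.128s: %.255s" message naming the certificate. On 1.1 builds a host name mismatch can then only be reported through the SSL_write failure path just above it, which returns ssl_last_error or the generic "SSL negotiation failed". Please confirm that ssl_open_verify (its body is not shown in this patch) records a mismatch-specific message, or add an #else branch that does, so a name mismatch stays distinguishable from other handshake failures.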
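Review bot: the new %changelog entry in uw-imap.spec is dated "Tue Jan 30 2017", but the commit header is dated Tue, 30 Jan 2018 and the entry is placed above the Aug 03 2017 one, so the year should be 2018. As written the changelog is out of chronological order.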