Bug 1315056
Summary: | tls_version macro incorrectly calculated | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Ted Rule <ejtr>
Component: | sendmail | Assignee: | Jaroslav Škarvada <jskarvad>
Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons
Severity: | low | Docs Contact: |
Priority: | unspecified | |
Version: | 6.5 | CC: | redbugz, thozza
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | |
| 1472763 (view as bug list) | Environment: |
Last Closed: | 2017-09-06 09:32:20 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1472763 | |
Attachments: | | |
Description
Ted Rule
2016-03-06 10:40:35 UTC
Created attachment 1264526 [details]
sendmail-8.14.4 patch file to correct Sendmail logging of SSL/TLS Protocol

Created attachment 1264527 [details]
Updated Spec File implementing new Sendmail TLS Version Logging Patch

The current TLS Protocol logging in Sendmail is broken, as Ted Rule points out in the description of this bug. It is important that the actual TLS protocol version be reported instead of an ambiguous "SSLv3/TLSv1", particularly in light of the fact that SSL is no longer considered secure, and TLSv1.0 is on the way out as well, particularly in light of the PCI Council's decision that SSL and TLSv1.0 are no longer acceptable for PCI compliance.

Ted's recommended fix is very close to what needs to be implemented, however he's supplying the structure argument in his example. The SSL_CIPHER_get_version() function has the following prototype:

```c
char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
```

But, the proper replacement function has the following prototype:

```c
const char *SSL_get_version(const SSL *s);
```

So, after examining the sendmail/tls.c source code and taking the proper structure arguments into consideration, here is the recommended fix:

```c
/* .... */
s = SSL_CIPHER_get_version(c);
if (s == NULL)
	s = "UNKNOWN";
macdefine(mac, A_TEMP, macid("{tls_version}"), s);
/* .... */
```

I have also attached a proposed patch file and updated Spec file for the build. Tested as an update to sendmail-8.14.4-9.el6_8.1.src.rpm. I request that serious consideration is given to classifying this patch as an important security fix and that it be included in a future Production 2 Phase Release for Red Hat Enterprise Linux 6.

Correction to Comment 5:

The current TLS Protocol logging in Sendmail is broken, as Ted Rule points out in the description of this bug. It is important that the actual TLS protocol version be reported instead of an ambiguous "SSLv3/TLSv1", particularly in light of the fact that SSL is no longer considered secure, and TLSv1.0 is on the way out as well, particularly in light of the PCI Council's decision that SSL and TLSv1.0 are no longer acceptable for PCI compliance.

Ted's recommended fix is very close to what needs to be implemented, however he's supplying the wrong structure argument in his example. The SSL_CIPHER_get_version() function has the following prototype:

```c
char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
```

But, the proper replacement function has the following prototype:

```c
const char *SSL_get_version(const SSL *s);
```

So, after examining the sendmail/tls.c source code and taking the proper structure arguments into consideration, here is the recommended fix:

```c
/* .... */
/* SSL_get_version() takes the SSL session, not the SSL_CIPHER, and
 * reports the protocol version actually negotiated. */
s = SSL_get_version(ssl);
if (s == NULL)
	s = "UNKNOWN";
macdefine(mac, A_TEMP, macid("{tls_version}"), s);
/* .... */
```

I have also attached a proposed patch file and updated Spec file for the build. Tested as an update to sendmail-8.14.4-9.el6_8.1.src.rpm. I request that serious consideration is given to classifying this patch as an important security fix and that it be included in a future Production 2 Phase Release for Red Hat Enterprise Linux 6.

Created attachment 1300995 [details]
Backported fix

Thanks for the info. I am afraid it will not classify as an important/security fix for a product in production 2 phase, but feel free to escalate this problem through the support channel. I am cloning this bug to RHEL-7.

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com
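The bug above matters to an operator because the `{tls_version}` macro feeds the `version=` field of sendmail's STARTTLS log lines, so an unpatched server cannot be audited for SSL/TLS 1.0 use. The following is an added example, not code from the bug report or from sendmail: a log audit over constructed STARTTLS lines (the `version=` field format is assumed from sendmail's logging) that flags both the ambiguous family string produced by SSL_CIPHER_get_version() and protocols the PCI Council no longer accepts.

```python
import re
from typing import Dict, List

# Constructed sample lines in sendmail's STARTTLS log format (not taken from the bug report).
# The first two carry the cipher-family string the bug describes; the third is real TLS 1.0.
SAMPLE_LOG = """\
Mar  6 10:41:02 mx1 sendmail[2101]: u26Af2xy002101: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=SSLv3/TLSv1, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Mar  6 10:41:05 mx1 sendmail[2104]: u26Af5ab002104: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Mar  6 10:41:09 mx1 sendmail[2110]: u26Af9cd002110: STARTTLS=server, relay=smtp.example.com [198.51.100.7], version=TLSv1, verify=NOT, cipher=AES256-SHA, bits=256/256
Mar  6 10:41:12 mx1 sendmail[2115]: u26AfCef002115: STARTTLS=server, relay=relay.example.com [203.0.113.4], version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""

STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>server|client), relay=(?P<relay>[^,]+), version=(?P<version>[^,]+),"
)

# Protocol versions the PCI Council no longer accepts: SSL (any) and TLS 1.0.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1"}


def classify_version(version: str) -> str:
    """Classify a logged {tls_version} value.

    A value containing '/' is the cipher-family string from SSL_CIPHER_get_version();
    it does not tell us which protocol was negotiated, which is exactly the bug.
    """
    if "/" in version:
        return "ambiguous"
    if version in DEPRECATED:
        return "deprecated"
    return "ok"


def audit_starttls_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per STARTTLS line: peer, direction, version and its status."""
    findings = []
    for line in text.splitlines():
        m = STARTTLS_RE.search(line)
        if not m:
            continue
        version = m.group("version").strip()
        findings.append({"role": m.group("role"), "relay": m.group("relay").strip(),
                         "version": version, "status": classify_version(version)})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per status; 'ambiguous' > 0 means the logging fix is not deployed."""
    counts = {"ambiguous": 0, "deprecated": 0, "ok": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts
```

A non-zero `ambiguous` count shows the server still logs the family string, so the `deprecated` count is a lower bound on SSL/TLS 1.0 sessions until the patch is applied.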