fetchmail: use legacy certificate verification
beck's shiny new validator found its first victim. bluhm saw warnings from fetchmail's verify callback and once we investigated, it was quick to segfault since it doesn't bother to check return values. Failures are more visible to the callback than they previously were. Fixing this mess is more work than it's worth, so let it use the old garbage. with & ok beck, tested & ok bluhm
parent
5c76c1d5b1
commit
6ef422d1bd
@ -1,9 +1,10 @@
|
||||
# $OpenBSD: Makefile,v 1.158 2020/09/13 19:01:23 tb Exp $
|
||||
# $OpenBSD: Makefile,v 1.159 2020/09/14 15:14:55 tb Exp $
|
||||
|
||||
COMMENT= mail retrieval utility for POP2, POP3, KPOP, IMAP and more
|
||||
|
||||
DISTNAME= fetchmail-6.4.12
|
||||
EXTRACT_SUFX= .tar.xz
|
||||
REVISION= 0
|
||||
|
||||
CATEGORIES= mail
|
||||
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fetchmail/}
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: patch-socket_c,v 1.12 2020/09/07 09:40:53 tb Exp $
|
||||
$OpenBSD: patch-socket_c,v 1.13 2020/09/14 15:14:55 tb Exp $
|
||||
|
||||
Index: socket.c
|
||||
--- socket.c.orig
|
||||
@ -12,3 +12,28 @@ Index: socket.c
|
||||
/* OSSL_proto_version_logic for OpenSSL 1.0.x and LibreSSL */
|
||||
static int OSSL10X_proto_version_logic(int sock, const char **myproto, int *avoid_ssl_versions)
|
||||
{
|
||||
@@ -1149,6 +1149,10 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
|
||||
/* Check which trusted X.509 CA certificate store(s) to load */
|
||||
{
|
||||
char *tmp;
|
||||
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
|
||||
+ X509_VERIFY_PARAM *param;
|
||||
+ int flags;
|
||||
+#endif
|
||||
int want_default_cacerts = 0;
|
||||
|
||||
/* Load user locations if any is given */
|
||||
@@ -1162,6 +1166,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
|
||||
if (want_default_cacerts || (tmp && tmp[0])) {
|
||||
SSL_CTX_set_default_verify_paths(_ctx[sock]);
|
||||
}
|
||||
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
|
||||
+ if ((param = SSL_CTX_get0_param(_ctx[sock])) != NULL) {
|
||||
+ flags = X509_VERIFY_PARAM_get_flags(param);
|
||||
+ flags |= X509_V_FLAG_LEGACY_VERIFY;
|
||||
+ X509_VERIFY_PARAM_set_flags(param, flags);
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
_ssl_context[sock] = SSL_new(_ctx[sock]);
|
||||
|
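Review bot: `flags` is declared `int` in the first SSLOpen hunk, but X509_VERIFY_PARAM_get_flags() returns `unsigned long`. The read-modify-write in the second hunk is also redundant, because X509_VERIFY_PARAM_set_flags() already ORs its argument into the existing flags; `X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_LEGACY_VERIFY);` alone would do and lets the `int flags;` declaration go. The result of the set call is ignored and a NULL from SSL_CTX_get0_param() is skipped silently, so on either failure the connection would presumably proceed with the new verifier, which is the case the commit message says the verify callback cannot survive; reporting the failure there would make it visible. A comment above the block such as `/* workaround: the verify callback does not check return values and crashes under the new validator; remove once the callback is fixed */` would record why the legacy verifier is selected. SSLOpen's body starts and ends outside both hunks.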