|Summary:||mail/cclient: hostname verification broken|
|Product:||Ports & Packages||Reporter:||satanist+freebsd|
|Component:||Individual Port(s)||Assignee:||Bernard Spil <brnrd>|
|Status:||In Progress ---|
|Severity:||Affects Only Me||CC:||adam, brnrd, daniel, erik5, freebsd, i.dani, jonaspalm, riggs, w.schwarzenfeld|
Description satanist+freebsd 2018-03-15 07:21:57 UTC
Created attachment 191514 [details] updated version of the patch r464076 broke the hostname verification of cclient. Therefor TLS validation isn't posible anymore. My patch fix the original bug without breaking TLS validation. But a memleak is now present. This happend in some error cases.
Comment 1 Dani 2018-03-27 05:16:09 UTC
@riggs & brnrd: Please take a look at this. This targets multiple ports (like php*-imap extension for example. Caused by: bug #225885 / ports r464076
Comment 2 freebsd 2018-03-27 08:09:44 UTC
Confirm. After updating cclient php*_imap cannot connect to hosts without "/novalidate-cert".
Comment 3 Bernard Spil 2018-10-23 13:00:51 UTC
Created attachment 198493 [details] svn diff for mail/cclient ``` mail/cclient: Properly support OpenSSL 1.1 - Fix hostname CN verification with TLS PR: 226621 Reported by: satanist+freebsd bureaucracy de Obtained from: Debian packages ```
Comment 4 Adam Bernstein 2019-04-18 20:34:43 UTC
This bug is critical for some users, and I see it's been untouched for months - is there any hope of getting it finalized? Or perhaps more to the point, does anyone know if there is a maintainer for this port? Maintainer address is listed only as "email@example.com", ie. the mailing list, and apparently the original cclient author Mark Crispin has passed away (see comment at https://svnweb.freebsd.org/ports/head/mail/panda-cclient/files/patch-src_osdep_unix_os_bsi.h?view=markup&pathrev=483370), so I wonder. If there is no maintainer, the fork 'mail/panda-cclient' has already this bug fixed, and AFAICT functions as a perfect drop-in replacement for cclient. Perhaps that suggests a different avenue to pursue? Or at least that the cclient port should be marked as broken and/or unmaintained....
Comment 5 Walter Schwarzenfeld 2019-08-15 14:27:18 UTC
riggs would you please have a look on this, and commit it, if it is right?