Bug 226621

Summary: mail/cclient: hostname verification broken
Product: Ports & Packages Reporter: satanist+freebsd
Component: Individual Port(s)Assignee: Bernard Spil <brnrd>
Status: In Progress ---    
Severity: Affects Only Me CC: adam, brnrd, daniel, erik5, freebsd, i.dani, jonaspalm, riggs, w.schwarzenfeld
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   
Description Flags
updated version of the patch
svn diff for mail/cclient brnrd: maintainer-approval?

Description satanist+freebsd 2018-03-15 07:21:57 UTC
Created attachment 191514 [details]
updated version of the patch

r464076 broke the hostname verification of cclient. Therefor TLS validation isn't posible anymore.

My patch fix the original bug without breaking TLS validation. But a memleak is now present. This happend in some error cases.
Comment 1 Dani 2018-03-27 05:16:09 UTC
@riggs & brnrd: Please take a look at this. This targets multiple ports (like php*-imap extension for example.

Caused by: bug #225885 / ports r464076
Comment 2 freebsd 2018-03-27 08:09:44 UTC
Confirm. After updating cclient php*_imap cannot connect to hosts without "/novalidate-cert".
Comment 3 Bernard Spil freebsd_committer 2018-10-23 13:00:51 UTC
Created attachment 198493 [details]
svn diff for mail/cclient

mail/cclient: Properly support OpenSSL 1.1

 - Fix hostname CN verification with TLS

PR:		226621
Reported by:	satanist+freebsd bureaucracy de
Obtained from:	Debian packages
Comment 4 Adam Bernstein 2019-04-18 20:34:43 UTC
This bug is critical for some users, and I see it's been untouched for months - is there any hope of getting it finalized?

Or perhaps more to the point, does anyone know if there is a maintainer for this port? Maintainer address is listed only as "ports@freebsd.org", ie. the mailing list, and apparently the original cclient author Mark Crispin has passed away (see comment at https://svnweb.freebsd.org/ports/head/mail/panda-cclient/files/patch-src_osdep_unix_os_bsi.h?view=markup&pathrev=483370), so I wonder.

If there is no maintainer, the fork 'mail/panda-cclient' has already this bug fixed, and AFAICT functions as a perfect drop-in replacement for cclient. Perhaps that suggests a different avenue to pursue? Or at least that the cclient port should be marked as broken and/or unmaintained....
Comment 5 Walter Schwarzenfeld freebsd_triage 2019-08-15 14:27:18 UTC
riggs would you please have a look on this, and commit it, if it is right?