Created attachment 168521 patch-bug7199 Make spamc/spamd work if SSLv3 has been disabled in openssl. Patch obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199#c9 I've been running this in production for several weeks without seeing any problems. But to be honest, I never tried what happens if openssl is compiled with SSLv3. I think it shouldn't make a difference.
This hasn't been committed upstream yet. I'm hesitant to commit this to FreeBSD until it's been committed upstream.
Upstream seems quite slow these days to fix or release anything :( The patch was proposed by the maintainer of the Debian package, who also added it to the package in the unstable branch (see http://http.debian.net/debian/pool/main/s/spamassassin/spamassassin_3.4.1-3.debian.tar.xz). So it may already have quite an amount of users, but this is mere speculation. That being said, I understand your point.
After thinking about it more, I've become more in favour of committing this patch. It's not just removing tests against SSLv3, it's allowing TLSv1.2. Should it be an option, so that people can re-enable ssl3 if they need it for their installation? I believe the OpenSSL in base still supports SSLv3, which is a decision far above my pay grade.
Yeah. I'm going to commit this patch. I'm not providing a configurable OPTION to re-enable SSLv3 because I can't think of a scenario where that is a responsible choice. To anybody who came to this PR looking to re-enable it, just delete /usr/ports/mail/spamassassin/files/patch-bug7199 and rebuild/reinstall spamassassin.
A commit references this bug:
Author: adamw
Date: Mon Apr 4 17:05:31 UTC 2016
New revision: 412519
URL: https://svnweb.freebsd.org/changeset/ports/412519
Log:
Disable SSLv3 and enable TLSv1.1 and TLSv1.2.
This is a patch made by Debian's own Noah Meyerhans that disables SSLv3, fixes or removes the tests that choke without SSLv3, and lets IO::Socket::SSL choose the best TLS level rather than forcing it at TLSv1.
I can't think of a responsible reason to allow re-enabling it as an OPTION, so add a note to UPDATING warning people of the change and referencing the below PR.
PORTREVISION bump.
PR: 208225
Submitted by: Sascha Holzleiter
Obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199
MFH: 2016Q2
Changes:
head/UPDATING
head/japanese/spamassassin/Makefile
head/mail/spamassassin/Makefile
head/mail/spamassassin/files/patch-bug7199
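The commit message above contrasts pinning IO::Socket::SSL to TLSv1 with letting it negotiate the best version while excluding SSLv3. The following is an added illustration of that distinction on the Perl side, written here for this page; it is not the patch-bug7199 diff or any spamd code. The host name, the CA file path and the use of spamd's default port 783 are assumptions for the example.

```perl
#!/usr/bin/env perl
# Added example, not part of the SpamAssassin patch: the two
# SSL_version settings the commit message contrasts.
use strict;
use warnings;
use IO::Socket::SSL;   # default exports include SSL_VERIFY_PEER

my $host = 'spamd.example.internal';   # assumed host name
my $port = 783;                        # assumed; spamd's usual port

# Before the patch: the protocol version is pinned to TLSv1, so a
# server configured to offer only TLSv1.2 cannot be reached at all.
my %pinned_to_tlsv1 = (SSL_version => 'TLSv1');

# After the patch: ask OpenSSL to negotiate the highest version both
# sides support, while explicitly refusing the obsolete SSLv2/SSLv3.
# This is the IO::Socket::SSL syntax for "any version except these".
my %negotiate_best = (SSL_version => 'SSLv23:!SSLv2:!SSLv3');

my $sock = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => $port,
    %negotiate_best,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_file     => '/usr/local/etc/ssl/spamd-ca.pem',   # assumed path
) or die "TLS connect to $host:$port failed: "
       . $IO::Socket::SSL::SSL_ERROR . "\n";

# Report what was actually agreed, which is the value worth logging
# when checking that SSLv3 really is no longer in use on a host.
printf "negotiated %s with cipher %s\n",
    $sock->get_sslversion, $sock->get_cipher;

$sock->close(SSL_ctx_free => 1);
```

The `%pinned_to_tlsv1` hash is kept only to show the old setting; swapping it in for `%negotiate_best` reproduces the behaviour the patch removes. Checking `get_sslversion` on a live connection is the quickest way to confirm, after rebuilding the port, that peers end up on TLSv1.2 rather than on a version they merely tolerate.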
Committed, along with a note in UPDATING. Keeping this PR open pending a MFH request. Thank you for submitting this and doing the legwork on the research, Sascha!
A commit references this bug:
Author: adamw
Date: Tue Apr 5 18:34:36 UTC 2016
New revision: 412582
URL: https://svnweb.freebsd.org/changeset/ports/412582
Log:
MFH: r412519
Fix build/test without SSLv3, and enable TLSv1.1 and TLSv1.2.
This is a patch made by Debian's own Noah Meyerhans that fixes or removes the tests that choke when OpenSSL is built without SSLv3 support (and in all current versions of LibreSSL), and lets IO::Socket::SSL choose the best TLS level rather than forcing it at TLSv1.
PORTREVISION bump.
PR: 208225
Submitted by: Sascha Holzleiter
Obtained from: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199
Approved by: ports-secteam (feld)
Changes:
_U branches/2016Q2/
branches/2016Q2/UPDATING
branches/2016Q2/japanese/spamassassin/Makefile
branches/2016Q2/mail/spamassassin/Makefile
branches/2016Q2/mail/spamassassin/files/patch-bug7199
Merged to 2016Q2; closing PR. Thanks again, Sascha.