Bug 208225 - [PATCH] mail/spamassassin: SABug 7199 - No SSLv3 fix
Summary: [PATCH] mail/spamassassin: SABug 7199 - No SSLv3 fix
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Adam Weinberger
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-03-23 00:20 UTC by Sascha Holzleiter
Modified: 2016-04-05 18:36 UTC (History)
0 users

See Also:
adamw: maintainer-feedback+
adamw: merge-quarterly+


Attachments
patch-bug7199 (8.85 KB, patch)
2016-03-23 00:20 UTC, Sascha Holzleiter
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Holzleiter 2016-03-23 00:20:30 UTC
Created attachment 168521 [details]
patch-bug7199

Make spamc/spamd work if SSLv3 has been disabled in openssl. Patch obtained from:

  https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199#c9

I've been running this in production for several weeks without seeing any problems. But to be honest, i never tried what happens if openssl is compiled with SSLv3. I think it shouldn't make a difference.
Comment 1 Adam Weinberger freebsd_committer 2016-04-02 16:40:58 UTC
This hasn't been committed upstream yet. I'm hesitant to commit this to FreeBSD until it's been committed upstream.
Comment 2 Sascha Holzleiter 2016-04-02 19:37:55 UTC
Upstream seems quite slow these days to fix or release anything :(
The patch was proposed by the maintainer of the Debian package who also added it to package in the unstable branch (see http://http.debian.net/debian/pool/main/s/spamassassin/spamassassin_3.4.1-3.debian.tar.xz). So it may already have quite and amount of users but this is mere speculation. That being said, i understand your point.
Comment 3 Adam Weinberger freebsd_committer 2016-04-04 15:50:54 UTC
After thinking about it more, I'm become more in favour of committing this patch. It's not just removing tests against SSLv3, it's allowing TLSv1.2.

Should it be an option, so that people can re-enable ssl3 if they need it for their installation? I believe the OpenSSL in base still supports SSLv3, which is a decision far above my pay grade.
Comment 4 Adam Weinberger freebsd_committer 2016-04-04 16:59:36 UTC
Yeah. I'm going to commit this patch. I'm not providing a configurable OPTION to re-enable SSLv3 because I can't think of a scenario where that is a responsible choice.

To anybody who came to this PR looking to re-enable it, just delete
  /usr/ports/mail/spamassassin/files/patch-bug7199
and rebuild/reinstall spamassassin.
Comment 5 commit-hook freebsd_committer 2016-04-04 17:06:03 UTC
A commit references this bug:

Author: adamw
Date: Mon Apr  4 17:05:31 UTC 2016
New revision: 412519
URL: https://svnweb.freebsd.org/changeset/ports/412519

Log:
  Disable SSLv3 and enable TLSv1.1 and TLSv1.2.

  This is a patch make by Debian's own Noah Meyerhans that disables SSLv3,
  fixes or removes the tests that choke without SSLv3, and lets
  IO::Socket::SSL choose the best TLS level rather than forcing it at
  TLSv1.

  I can't think of a responsible reason to allow re-enabling it as an
  OPTION, so add a note to UPDATING warning people of the change and
  referencing the below PR.

  PORTREVISION bump.

  PR:		208225
  Submitted by:	Sascha Holzleiter
  Obtained from:	https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199
  MFH:		2016Q2

Changes:
  head/UPDATING
  head/japanese/spamassassin/Makefile
  head/mail/spamassassin/Makefile
  head/mail/spamassassin/files/patch-bug7199
Comment 6 Adam Weinberger freebsd_committer 2016-04-04 17:08:07 UTC
Committed, along with a note in UPDATING. Keeping this PR open pending a MFH request.

Thank you for submitting this and doing the legwork on the research, Sascha!
Comment 7 commit-hook freebsd_committer 2016-04-05 18:35:08 UTC
A commit references this bug:

Author: adamw
Date: Tue Apr  5 18:34:36 UTC 2016
New revision: 412582
URL: https://svnweb.freebsd.org/changeset/ports/412582

Log:
  MFH: r412519

  Fix build/test without SSLv3, and enable TLSv1.1 and TLSv1.2.

  This is a patch made by Debian's own Noah Meyerhans that fixes or
  removes the tests that choke when OpenSSL is built without SSLv3
  support (and in all current versions of LibreSSL), and lets
  IO::Socket::SSL choose the best TLS level rather than forcing it at
  TLSv1.

  PORTREVISION bump.

  PR:		208225
  Submitted by:	Sascha Holzleiter
  Obtained from:	https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/UPDATING
  branches/2016Q2/japanese/spamassassin/Makefile
  branches/2016Q2/mail/spamassassin/Makefile
  branches/2016Q2/mail/spamassassin/files/patch-bug7199
Comment 8 Adam Weinberger freebsd_committer 2016-04-05 18:36:19 UTC
Merged to 2016Q2; closing PR.

Thanks again, Sascha.