Bug 226621 - mail/cclient: hostname verification broken
Summary: mail/cclient: hostname verification broken
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Thomas Zander
URL:
Keywords: patch, patch-ready
Depends on:
Blocks:
 
Reported: 2018-03-15 07:21 UTC by satanist+freebsd
Modified: 2020-03-08 00:50 UTC (History)
9 users (show)

See Also:

Attachments
updated version of the patch (1.90 KB, text/plain)
2018-03-15 07:21 UTC, satanist+freebsd 		no flags Details
svn diff for mail/cclient (4.08 KB, patch)
2018-10-23 13:00 UTC, Bernard Spil 		brnrd: maintainer-approval?
Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description satanist+freebsd 2018-03-15 07:21:57 UTC 
Created attachment 191514 [details]
updated version of the patch

r464076 broke the hostname verification of cclient. Therefor TLS validation isn't posible anymore.

My patch fix the original bug without breaking TLS validation. But a memleak is now present. This happend in some error cases.
Comment 1 Dani I. 2018-03-27 05:16:09 UTC 
@riggs & brnrd: Please take a look at this. This targets multiple ports (like php*-imap extension for example.

Caused by: bug #225885 / ports r464076
Comment 2 Alexey Koscheev 2018-03-27 08:09:44 UTC 
Confirm. After updating cclient php*_imap cannot connect to hosts without "/novalidate-cert".
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2018-10-23 13:00:51 UTC 
Created attachment 198493 [details]
svn diff for mail/cclient

```
mail/cclient: Properly support OpenSSL 1.1

 - Fix hostname CN verification with TLS

PR:		226621
Reported by:	satanist+freebsd bureaucracy de
Obtained from:	Debian packages
```
Comment 4 Adam Bernstein 2019-04-18 20:34:43 UTC 
This bug is critical for some users, and I see it's been untouched for months - is there any hope of getting it finalized?

Or perhaps more to the point, does anyone know if there is a maintainer for this port? Maintainer address is listed only as "ports@freebsd.org", ie. the mailing list, and apparently the original cclient author Mark Crispin has passed away (see comment at https://svnweb.freebsd.org/ports/head/mail/panda-cclient/files/patch-src_osdep_unix_os_bsi.h?view=markup&pathrev=483370), so I wonder.

If there is no maintainer, the fork 'mail/panda-cclient' has already this bug fixed, and AFAICT functions as a perfect drop-in replacement for cclient. Perhaps that suggests a different avenue to pursue? Or at least that the cclient port should be marked as broken and/or unmaintained....
Comment 5 Walter Schwarzenfeld freebsd_triage 2019-08-15 14:27:18 UTC 
riggs would you please have a look on this, and commit it, if it is right?
Comment 6 commit-hook freebsd_committer freebsd_triage 2020-03-08 00:49:40 UTC 
A commit references this bug:

Author: riggs
Date: Sun Mar  8 00:48:46 UTC 2020
New revision: 527991
URL: https://svnweb.freebsd.org/changeset/ports/527991

Log:
  Fix hostname verification

  PR:		226621
  Submitted by:	satanist+freebsd@bureaucracy.de
  Reviewed by:	brnrd

Changes:
  head/mail/cclient/Makefile
  head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c