Bug 226621 - mail/cclient: hostname verification broken
Summary: mail/cclient: hostname verification broken
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Thomas Zander
Keywords: patch, patch-ready
Depends on:
Reported: 2018-03-15 07:21 UTC by satanist+freebsd
Modified: 2020-03-08 00:50 UTC (History)
9 users (show)

See Also:

updated version of the patch (1.90 KB, text/plain)
2018-03-15 07:21 UTC, satanist+freebsd
no flags Details
svn diff for mail/cclient (4.08 KB, patch)
2018-10-23 13:00 UTC, Bernard Spil
brnrd: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description satanist+freebsd 2018-03-15 07:21:57 UTC
Created attachment 191514 [details]
updated version of the patch

r464076 broke the hostname verification of cclient. Therefor TLS validation isn't posible anymore.

My patch fix the original bug without breaking TLS validation. But a memleak is now present. This happend in some error cases.
Comment 1 Dani 2018-03-27 05:16:09 UTC
@riggs & brnrd: Please take a look at this. This targets multiple ports (like php*-imap extension for example.

Caused by: bug #225885 / ports r464076
Comment 2 freebsd 2018-03-27 08:09:44 UTC
Confirm. After updating cclient php*_imap cannot connect to hosts without "/novalidate-cert".
Comment 3 Bernard Spil freebsd_committer 2018-10-23 13:00:51 UTC
Created attachment 198493 [details]
svn diff for mail/cclient

mail/cclient: Properly support OpenSSL 1.1

 - Fix hostname CN verification with TLS

PR:		226621
Reported by:	satanist+freebsd bureaucracy de
Obtained from:	Debian packages
Comment 4 Adam Bernstein 2019-04-18 20:34:43 UTC
This bug is critical for some users, and I see it's been untouched for months - is there any hope of getting it finalized?

Or perhaps more to the point, does anyone know if there is a maintainer for this port? Maintainer address is listed only as "ports@freebsd.org", ie. the mailing list, and apparently the original cclient author Mark Crispin has passed away (see comment at https://svnweb.freebsd.org/ports/head/mail/panda-cclient/files/patch-src_osdep_unix_os_bsi.h?view=markup&pathrev=483370), so I wonder.

If there is no maintainer, the fork 'mail/panda-cclient' has already this bug fixed, and AFAICT functions as a perfect drop-in replacement for cclient. Perhaps that suggests a different avenue to pursue? Or at least that the cclient port should be marked as broken and/or unmaintained....
Comment 5 Walter Schwarzenfeld freebsd_triage 2019-08-15 14:27:18 UTC
riggs would you please have a look on this, and commit it, if it is right?
Comment 6 commit-hook freebsd_committer 2020-03-08 00:49:40 UTC
A commit references this bug:

Author: riggs
Date: Sun Mar  8 00:48:46 UTC 2020
New revision: 527991
URL: https://svnweb.freebsd.org/changeset/ports/527991

  Fix hostname verification

  PR:		226621
  Submitted by:	satanist+freebsd@bureaucracy.de
  Reviewed by:	brnrd