Created attachment 191514 [details]
updated version of the patch
r464076 broke the hostname verification of cclient. Therefor TLS validation isn't posible anymore.
My patch fix the original bug without breaking TLS validation. But a memleak is now present. This happend in some error cases.
@riggs & brnrd: Please take a look at this. This targets multiple ports (like php*-imap extension for example.
Caused by: bug #225885 / ports r464076
Confirm. After updating cclient php*_imap cannot connect to hosts without "/novalidate-cert".
Created attachment 198493 [details]
svn diff for mail/cclient
mail/cclient: Properly support OpenSSL 1.1
- Fix hostname CN verification with TLS
Reported by: satanist+freebsd bureaucracy de
Obtained from: Debian packages
This bug is critical for some users, and I see it's been untouched for months - is there any hope of getting it finalized?
Or perhaps more to the point, does anyone know if there is a maintainer for this port? Maintainer address is listed only as "firstname.lastname@example.org", ie. the mailing list, and apparently the original cclient author Mark Crispin has passed away (see comment at https://svnweb.freebsd.org/ports/head/mail/panda-cclient/files/patch-src_osdep_unix_os_bsi.h?view=markup&pathrev=483370), so I wonder.
If there is no maintainer, the fork 'mail/panda-cclient' has already this bug fixed, and AFAICT functions as a perfect drop-in replacement for cclient. Perhaps that suggests a different avenue to pursue? Or at least that the cclient port should be marked as broken and/or unmaintained....
riggs would you please have a look on this, and commit it, if it is right?
A commit references this bug:
Date: Sun Mar 8 00:48:46 UTC 2020
New revision: 527991
Fix hostname verification
Submitted by: email@example.com
Reviewed by: brnrd