Description: Enable all SSL/TLS versions supported by NSS
Origin: vendor, http://pkgs.fedoraproject.org/cgit/evolution-data-server.git/tree/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch?h=f20
Author: Milan Crha <mcrha@redhat.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/evolution-data-server/+bug/1382133
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765838
--- a/camel/camel-network-service.c
+++ b/camel/camel-network-service.c
@@ -87,7 +87,8 @@
stream = camel_tcp_stream_ssl_new (
session, host,
CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
- CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
+ CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 |
+ CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
break;
default:
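Review bot: The new flag set still carries `CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 | CAMEL_TCP_STREAM_SSL_ENABLE_SSL3`, and in camel-tcp-stream-ssl.c the SSL3 flag is what pins the version floor to SSL_LIBRARY_VERSION_3_0, so this call site keeps SSLv3 negotiable even though the patch is motivated by POODLE. Adding the TLS flag only raises the ceiling; the floor is unchanged. If no legacy server still needs SSLv3 here (not something this hunk can tell), pass `CAMEL_TCP_STREAM_SSL_ENABLE_TLS);` alone so the range starts at TLS 1.0, and document that choice with a one-line comment at the call. The enclosing switch statement begins and ends outside the hunk.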
--- a/camel/camel-tcp-stream-ssl.c
+++ b/camel/camel-tcp-stream-ssl.c
@@ -43,6 +43,8 @@
#include <sslerr.h>
#include "nss.h" /* Don't use <> here or it will include the system nss.h instead */
#include <ssl.h>
+#include <sslt.h>
+#include <sslproto.h>
#include <cert.h>
#include <certdb.h>
#include <pk11func.h>
@@ -662,6 +664,9 @@
PRFileDesc *fd)
{
PRFileDesc *ssl_fd;
+#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
+ SSLVersionRange versionStreamSup, versionStream;
+#endif
g_assert (fd != NULL);
@@ -679,6 +684,7 @@
SSL_OptionSet (ssl_fd, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
}
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);
else
@@ -689,6 +695,29 @@
else
SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);
+#else
+ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup);
+
+ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
+ versionStream.min = SSL_LIBRARY_VERSION_3_0;
+ else
+ versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;
+
+ if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)
+ versionStream.max = versionStreamSup.max;
+ else
+ versionStream.max = SSL_LIBRARY_VERSION_3_0;
+
+ if (versionStream.max < versionStream.min) {
+ PRUint16 tmp;
+
+ tmp = versionStream.max;
+ versionStream.max = versionStream.min;
+ versionStream.min = tmp;
+ }
+
+ SSL_VersionRangeSet (ssl_fd, &versionStream);
+#endif
SSL_SetURL (ssl_fd, ssl->priv->expected_host);
/* NSS provides a default implementation for the SSL_GetClientAuthDataHook callback
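Review bot: The swap under `if (versionStream.max < versionStream.min)` is reached only when neither CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 nor CAMEL_TCP_STREAM_SSL_ENABLE_TLS is set, and it turns that request into a SSLv3..TLS1.0 range, i.e. it enables precisely the versions the caller disabled, whereas the pre-3.14 branch above leaves every version off. The SECStatus of `SSL_VersionRangeSet` (and `SSL_VersionRangeGetSupported`) is also discarded; on an NSS built without SSLv3 a min of SSL_LIBRARY_VERSION_3_0 is rejected and the socket silently keeps the library default. I would clamp min to `versionStreamSup.min`, make the degenerate case fail toward the newest version instead of the oldest, and warn when the range cannot be applied. The enclosing function starts before this hunk.
```c
	/* … unchanged: min/max selection from the flags … */

	/* Neither SSL3 nor TLS requested: do not widen to SSLv3 by swapping;
	 * fall back to the newest supported version only and say so. */
	if (versionStream.max < versionStream.min) {
		g_warning ("%s: no SSL/TLS version enabled by flags", G_STRFUNC);
		versionStream.min = versionStream.max = versionStreamSup.max;
	}

	if (versionStream.min < versionStreamSup.min)
		versionStream.min = versionStreamSup.min;

	if (SSL_VersionRangeSet (ssl_fd, &versionStream) != SECSuccess)
		g_warning ("%s: SSL_VersionRangeSet() failed", G_STRFUNC);
```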
--- a/camel/camel.c
+++ b/camel/camel.c
@@ -99,6 +99,9 @@
gchar *nss_sql_configdir = NULL;
SECStatus status = SECFailure;
PRUint16 indx;
+#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
+ SSLVersionRange versionStream;
+#endif
if (nss_initlock == NULL) {
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
@@ -189,9 +192,15 @@
}
SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
- SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
- SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
+ SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE); /* Enable TLSv1.0 */
+#else
+ /* Enable all SSL/TLS versions supported by NSS (this API is for SSLv3 and newer). */
+ SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStream);
+ SSL_VersionRangeSetDefault (ssl_variant_stream, &versionStream);
+#endif
g_free (nss_configdir);
g_free (nss_sql_configdir);
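Review bot: The new default range is copied straight from `SSL_VersionRangeGetSupported`, so its floor is whatever the library still ships (SSL_LIBRARY_VERSION_3_0 on the NSS versions this patch targets), and the `SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE)` / `SSL_V2_COMPATIBLE_HELLO` lines above the hunk are left enabled; for a POODLE-motivated change the process-wide default should not admit SSLv3. I would raise the floor before applying it: `if (versionStream.min < SSL_LIBRARY_VERSION_TLS_1_0) versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;` and check `SSL_VersionRangeSetDefault (...) != SECSuccess` with a g_warning rather than dropping the SECStatus. One more thing worth confirming: the `#if NSS_VMAJOR ...` test only works if camel.c includes nss.h somewhere outside this hunk — an undefined macro evaluates to 0 in the preprocessor and would silently select the legacy two-option branch. The enclosing function starts before this hunk and continues after it.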