
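--- a/trunk/spamc/libspamc.c
+++ b/trunk/spamc/libspamc.c
@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
     unsigned int throwaway;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
-    SSL_METHOD *meth;
+    const SSL_METHOD *meth;
     char zlib_on = 0;
     unsigned char *zlib_buf = NULL;
     int zlib_bufsiz = 0;
@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
 	SSLeay_add_ssl_algorithms();
-	if (flags & SPAMC_TLSV1) {
-	    meth = TLSv1_client_method();
-	} else {
-	    meth = SSLv3_client_method(); /* default */
-	}
+	meth = SSLv23_client_method();
 	SSL_load_error_strings();
 	ctx = SSL_CTX_new(meth);
 #else
@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
     int failureval;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
-    SSL_METHOD *meth;
+    const SSL_METHOD *meth;
 
     assert(tp != NULL);
     assert(m != NULL);
@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
 	SSLeay_add_ssl_algorithms();
-	meth = SSLv3_client_method();
+	meth = SSLv23_client_method();
 	SSL_load_error_strings();
 	ctx = SSL_CTX_new(meth);
 #else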
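Review bot: `meth = SSLv23_client_method();` at new line 1216 in message_filter (and the same line at 1603 in message_tell) negotiates the highest version both peers support, but on OpenSSL builds that still ship SSLv2/SSLv3 it leaves those protocols on the table, so a client can still be negotiated down to the version this change stops selecting by default. After `ctx = SSL_CTX_new(meth);` in both functions add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` so the floor is TLSv1 regardless of how the library was built. Whether a NULL return from `SSL_CTX_new` is handled is not visible, as both hunks end at `#else`; the option call has to sit after that check if one exists. Both message_filter and message_tell continue outside their hunks.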
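--- a/trunk/spamc/spamc.c
+++ b/trunk/spamc/spamc.c
@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
             case 'S':
             {
                 flags |= SPAMC_USE_SSL;
-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
-		    flags |= SPAMC_SSLV3;
-		}
-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
-		    flags |= SPAMC_TLSV1;
-		}
-		else {
-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
-		    ret = EX_USAGE;
-		}
+                if(spamc_optarg) {
+                    libspamc_log(flags, LOG_ERR,
+                        "Explicit specification of an SSL/TLS version no longer supported.");
+                    ret = EX_USAGE;
+                }
                 break;
             }
 #endif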
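Review bot: `if(spamc_optarg) {` at new line 371 drops the space after `if` that the rest of this file and libspamc.c use (`if (flags & SPAMC_USE_SSL)`), and the new lines are space-indented inside a block whose neighbouring lines were tab-indented; write it `if (spamc_optarg) {` and match the surrounding indentation. The old branch echoed the rejected argument back to the user while the new message does not; `"Explicit specification of an SSL/TLS version (%s) is no longer supported.", spamc_optarg` would keep that without changing the format string's literal origin. If SPAMC_SSLV3 and SPAMC_TLSV1 are no longer set anywhere after this change, their declarations (not in this patch) are presumably now dead and could be marked as such so nothing new starts testing them. read_args continues outside the hunk.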
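--- a/trunk/spamd/spamd.raw
+++ b/trunk/spamd/spamd.raw
@@ -409,7 +409,6 @@ GetOptions(
   'sql-config!'              => \$opt{'sql-config'},
   'ssl'                      => \$opt{'ssl'},
   'ssl-port=s'               => \$opt{'ssl-port'},
-  'ssl-version=s'            => \$opt{'ssl-version'},
   'syslog-socket=s'          => \$opt{'syslog-socket'},
   'syslog|s=s'               => \$opt{'syslog'},
   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
@@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) {
 
 # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
 
-my $sslversion = $opt{'ssl-version'} || 'sslv3';
-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
-}
-
 $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
 $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
 
@@ -899,9 +893,8 @@ sub compose_listen_info_string {
                       $socket_info->{ip_addr}, $socket_info->{port}));
 
     } elsif ($socket->isa('IO::Socket::SSL')) {
-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
-                      $socket_info->{ip_addr}, $socket_info->{port},
-                      $opt{'ssl-version'}||'sslv3'));
+      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
+                      $socket_info->{port}));
     }
   }
 
@@ -1072,7 +1065,6 @@ sub server_sock_setup_inet {
     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
                              && IO::Socket::IP->VERSION >= 0.09;
     %sockopt = (%sockopt, (
-      SSL_version     => $sslversion,
       SSL_verify_mode => 0x00,
       SSL_key_file    => $opt{'server-key'},
       SSL_cert_file   => $opt{'server-cert'},
@@ -1093,7 +1085,8 @@ sub server_sock_setup_inet {
     if (!$server_inet) {
       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
-                      $adr, $port, $!);
+                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
+                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
       push(@diag_fail, $diag);
     } else {
       $diag = sprintf("created %s socket on [%s]:%s",
@@ -3238,7 +3231,6 @@ Options:
  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
  --ssl                             Enable SSL on TCP connections
  --ssl-port port                   Override --port setting for SSL connections
- --ssl-version sslversion          Specify SSL protocol version to use
  --server-key keyfile              Specify an SSL keyfile
  --server-cert certfile            Specify an SSL certificate
  --socketpath=path                 Listen on a given UNIX domain socket
@@ -3727,14 +3719,6 @@ Optionally specifies the port number for
 SSL connections (default: whatever --port uses).  See B<--ssl> for
 more details.
 
-=item B<--ssl-version>=I<sslversion>
-
-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
-higher hello handshake, then negotiating use of SSLv3 or TLSv1
-protocol if the client can accept it.  Specifying B<--ssl-version>
-implies B<--ssl>.
-
 =item B<--server-key> I<keyfile>
 
 Specify the SSL key file to use for SSL connections.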
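Review bot: `sprintf("SSL [%r]:%s", $socket_info->{ip_addr},` at new line 896 in compose_listen_info_string uses `%r`, which is not a Perl sprintf conversion; the line it replaces had `%s`, so Perl will emit the `%r` literally (with an "Invalid conversion" warning under `-w`) and hand the address to the port slot. Change it to `sprintf("SSL [%s]:%s", $socket_info->{ip_addr},`. Separately, dropping `SSL_version => $sslversion` from the `%sockopt` list in server_sock_setup_inet (new line 1067) leaves the protocol floor to IO::Socket::SSL's default, which on older releases of that module still admits SSLv3; if retiring SSLv3 on the server side is part of the intent here, `SSL_version => 'SSLv23:!SSLv3:!SSLv2',` in that list would pin it independent of the installed module version. Both subs continue outside their hunks.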
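--- a/trunk/spamc/spamc.pod
+++ b/trunk/spamc/spamc.pod
@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
 Sleep for I<sleep> seconds between failed spamd filtering attempts.
 The default is 1 second.
 
-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
+=item B<-S>, B<--ssl>, B<--ssl>
 
 If spamc was built with support for SSL, encrypt data to and from the
 spamd process with SSL; spamd must support SSL as well.
-I<sslversion> specifies the SSL protocol version to use, either
-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
 
 =item B<-t> I<timeout>, B<--timeout>=I<timeout>
 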
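--- a/trunk/t/spamd_ssl_tls.t
+++ b/trunk/t/spamd_ssl_tls.t
@@ -1,28 +0,0 @@
-#!/usr/bin/perl
-
-use lib '.'; use lib 't';
-use SATest; sa_t_init("spamd_ssl_tls");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
-
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
-
-# ---------------------------------------------------------------------------
-
-%patterns = (
-
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
-q{ Subject: There yours for FREE!}, 'subj',
-q{ X-Spam-Status: Yes, score=}, 'status',
-q{ X-Spam-Flag: YES}, 'flag',
-q{ X-Spam-Level: **********}, 'stars',
-q{ TEST_ENDSNUMS}, 'endsinnums',
-q{ TEST_NOREALNAME}, 'noreal',
-q{ This must be the very last line}, 'lastline',
-
-
-);
-
-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
-           "--ssl=tlsv1 < data/spam/001",
-           \&patterns_run_cb));
-ok_all_patterns();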
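--- a/trunk/t/spamd_ssl_v3.t
+++ b/trunk/t/spamd_ssl_v3.t
@@ -1,28 +0,0 @@
-#!/usr/bin/perl
-
-use lib '.'; use lib 't';
-use SATest; sa_t_init("spamd_sslv3");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
-
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
-
-# ---------------------------------------------------------------------------
-
-%patterns = (
-
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
-q{ Subject: There yours for FREE!}, 'subj',
-q{ X-Spam-Status: Yes, score=}, 'status',
-q{ X-Spam-Flag: YES}, 'flag',
-q{ X-Spam-Level: **********}, 'stars',
-q{ TEST_ENDSNUMS}, 'endsinnums',
-q{ TEST_NOREALNAME}, 'noreal',
-q{ This must be the very last line}, 'lastline',
-
-
-);
-
-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
-           "--ssl=sslv3 < data/spam/001",
-           \&patterns_run_cb));
-ok_all_patterns();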
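--- a/trunk/t/spamd_ssl_accept_fail.t
+++ b/trunk/t/spamd_ssl_accept_fail.t
@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
 
 );
 
-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
 ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
 ok (stop_spamd ());
 
 ok_all_patterns();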
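--- a/trunk/t/spamd_ssl.t
+++ b/trunk/t/spamd_ssl.t
@@ -2,10 +2,7 @@
 
 use lib '.'; use lib 't';
 use SATest; sa_t_init("spamd_ssl");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
-    onfail => sub {
-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
 
 exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
 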
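--- a/trunk/MANIFEST
+++ b/trunk/MANIFEST
@@ -513,8 +513,6 @@ t/spamd_report_ifspam.t
 t/spamd_sql_prefs.t
 t/spamd_ssl.t
 t/spamd_ssl_accept_fail.t
-t/spamd_ssl_tls.t
-t/spamd_ssl_v3.t
 t/spamd_stop.t
 t/spamd_symbols.t
 t/spamd_syslog.t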
