Index: trunk/spamc/libspamc.c =================================================================== --- trunk.orig/spamc/libspamc.c +++ trunk/spamc/libspamc.c @@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp, unsigned int throwaway; SSL_CTX *ctx = NULL; SSL *ssl = NULL; - SSL_METHOD *meth; + const SSL_METHOD *meth; char zlib_on = 0; unsigned char *zlib_buf = NULL; int zlib_bufsiz = 0; @@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp, if (flags & SPAMC_USE_SSL) { #ifdef SPAMC_SSL SSLeay_add_ssl_algorithms(); - if (flags & SPAMC_TLSV1) { - meth = TLSv1_client_method(); - } else { - meth = SSLv3_client_method(); /* default */ - } + meth = SSLv23_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new(meth); #else @@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c int failureval; SSL_CTX *ctx = NULL; SSL *ssl = NULL; - SSL_METHOD *meth; + const SSL_METHOD *meth; assert(tp != NULL); assert(m != NULL); @@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c if (flags & SPAMC_USE_SSL) { #ifdef SPAMC_SSL SSLeay_add_ssl_algorithms(); - meth = SSLv3_client_method(); + meth = SSLv23_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new(meth); #else Index: trunk/spamc/spamc.c =================================================================== --- trunk.orig/spamc/spamc.c +++ trunk/spamc/spamc.c @@ -368,16 +368,11 @@ read_args(int argc, char **argv, case 'S': { flags |= SPAMC_USE_SSL; - if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) { - flags |= SPAMC_SSLV3; - } - else if (strcmp(spamc_optarg,"tlsv1") == 0) { - flags |= SPAMC_TLSV1; - } - else { - libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg); - ret = EX_USAGE; - } + if(spamc_optarg) { + libspamc_log(flags, LOG_ERR, + "Explicit specification of an SSL/TLS version no longer supported."); + ret = EX_USAGE; + } break; } #endif Index: trunk/spamd/spamd.raw =================================================================== --- trunk.orig/spamd/spamd.raw +++ trunk/spamd/spamd.raw @@ -409,7 +409,6 @@ GetOptions( 'sql-config!' => \$opt{'sql-config'}, 'ssl' => \$opt{'ssl'}, 'ssl-port=s' => \$opt{'ssl-port'}, - 'ssl-version=s' => \$opt{'ssl-version'}, 'syslog-socket=s' => \$opt{'syslog-socket'}, 'syslog|s=s' => \$opt{'syslog'}, 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'}, @@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) { # Do whitelist later in tmp dir. Side effect: this will be done as -u user. -my $sslversion = $opt{'ssl-version'} || 'sslv3'; -if ($sslversion !~ /^(?:sslv3|tlsv1)$/) { - die "spamd: invalid ssl-version: $opt{'ssl-version'}\n"; -} - $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem"; $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem"; @@ -899,9 +893,8 @@ sub compose_listen_info_string { $socket_info->{ip_addr}, $socket_info->{port})); } elsif ($socket->isa('IO::Socket::SSL')) { - push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s", - $socket_info->{ip_addr}, $socket_info->{port}, - $opt{'ssl-version'}||'sslv3')); + push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr}, + $socket_info->{port})); } } @@ -1072,7 +1065,6 @@ sub server_sock_setup_inet { $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' && IO::Socket::IP->VERSION >= 0.09; %sockopt = (%sockopt, ( - SSL_version => $sslversion, SSL_verify_mode => 0x00, SSL_key_file => $opt{'server-key'}, SSL_cert_file => $opt{'server-cert'}, @@ -1093,7 +1085,8 @@ sub server_sock_setup_inet { if (!$server_inet) { $diag = sprintf("could not create %s socket on [%s]:%s: %s", $ssl ? 'IO::Socket::SSL' : $io_socket_module_name, - $adr, $port, $!); + $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? + "$!,$IO::Socket::SSL::SSL_ERROR" : $!); push(@diag_fail, $diag); } else { $diag = sprintf("created %s socket on [%s]:%s", @@ -3238,7 +3231,6 @@ Options: -H [dir], --helper-home-dir[=dir] Specify a different HOME directory --ssl Enable SSL on TCP connections --ssl-port port Override --port setting for SSL connections - --ssl-version sslversion Specify SSL protocol version to use --server-key keyfile Specify an SSL keyfile --server-cert certfile Specify an SSL certificate --socketpath=path Listen on a given UNIX domain socket @@ -3727,14 +3719,6 @@ Optionally specifies the port number for SSL connections (default: whatever --port uses). See B<--ssl> for more details. -=item B<--ssl-version>=I - -Specify the SSL protocol version to use, one of B or B. -The default, B, is the most flexible, accepting a SSLv3 or -higher hello handshake, then negotiating use of SSLv3 or TLSv1 -protocol if the client can accept it. Specifying B<--ssl-version> -implies B<--ssl>. - =item B<--server-key> I Specify the SSL key file to use for SSL connections. Index: trunk/spamc/spamc.pod =================================================================== --- trunk.orig/spamc/spamc.pod +++ trunk/spamc/spamc.pod @@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a Sleep for I seconds between failed spamd filtering attempts. The default is 1 second. -=item B<-S>, B<--ssl>, B<--ssl>=I +=item B<-S>, B<--ssl>, B<--ssl> If spamc was built with support for SSL, encrypt data to and from the spamd process with SSL; spamd must support SSL as well. -I specifies the SSL protocol version to use, either -C, or C. The default, is C. =item B<-t> I, B<--timeout>=I Index: trunk/t/spamd_ssl_tls.t =================================================================== --- trunk.orig/t/spamd_ssl_tls.t +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/perl - -use lib '.'; use lib 't'; -use SATest; sa_t_init("spamd_ssl_tls"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); - -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); - -# --------------------------------------------------------------------------- - -%patterns = ( - -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', -q{ Subject: There yours for FREE!}, 'subj', -q{ X-Spam-Status: Yes, score=}, 'status', -q{ X-Spam-Flag: YES}, 'flag', -q{ X-Spam-Level: **********}, 'stars', -q{ TEST_ENDSNUMS}, 'endsinnums', -q{ TEST_NOREALNAME}, 'noreal', -q{ This must be the very last line}, 'lastline', - - -); - -ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", - "--ssl=tlsv1 < data/spam/001", - \&patterns_run_cb)); -ok_all_patterns(); Index: trunk/t/spamd_ssl_v3.t =================================================================== --- trunk.orig/t/spamd_ssl_v3.t +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/perl - -use lib '.'; use lib 't'; -use SATest; sa_t_init("spamd_sslv3"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); - -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); - -# --------------------------------------------------------------------------- - -%patterns = ( - -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', -q{ Subject: There yours for FREE!}, 'subj', -q{ X-Spam-Status: Yes, score=}, 'status', -q{ X-Spam-Flag: YES}, 'flag', -q{ X-Spam-Level: **********}, 'stars', -q{ TEST_ENDSNUMS}, 'endsinnums', -q{ TEST_NOREALNAME}, 'noreal', -q{ This must be the very last line}, 'lastline', - - -); - -ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", - "--ssl=sslv3 < data/spam/001", - \&patterns_run_cb)); -ok_all_patterns(); Index: trunk/t/spamd_ssl_accept_fail.t =================================================================== --- trunk.orig/t/spamd_ssl_accept_fail.t +++ trunk/t/spamd_ssl_accept_fail.t @@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la ); -ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); +ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); ok (spamcrun ("< data/spam/001", \&patterns_run_cb)); -ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb)); +ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb)); ok (stop_spamd ()); ok_all_patterns(); Index: trunk/t/spamd_ssl.t =================================================================== --- trunk.orig/t/spamd_ssl.t +++ trunk/t/spamd_ssl.t @@ -2,10 +2,7 @@ use lib '.'; use lib 't'; use SATest; sa_t_init("spamd_ssl"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9), - onfail => sub { - warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" . - "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" }; +use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); Index: trunk/MANIFEST =================================================================== --- trunk.orig/MANIFEST +++ trunk/MANIFEST @@ -513,8 +513,6 @@ t/spamd_report_ifspam.t t/spamd_sql_prefs.t t/spamd_ssl.t t/spamd_ssl_accept_fail.t -t/spamd_ssl_tls.t -t/spamd_ssl_v3.t t/spamd_stop.t t/spamd_symbols.t t/spamd_syslog.t