|
|
SA Bugzilla – Full Text Bug Listing |
- Home
- | New
- | Browse
- | Search
- | [?]
- | Reports
- | Help
- | New Account
- | Log In
- | Forgot Password
|
|
|
SA Bugzilla – Full Text Bug Listing |
| Summary: | Bad SSL/TLS Version Default | ||
|---|---|---|---|
| Product: | Spamassassin | Reporter: | Alexander Bluhm <alexander.bluhm> |
| Component: | spamc/spamd | Assignee: | SpamAssassin Developer Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | adamw, frodo, jquinn+SAbug, kmcgrail, marc.deslauriers, sidney |
| Priority: | P2 | ||
| Version: | 3.4.1 | ||
| Target Milestone: | 3.4.2 | ||
| Hardware: | PC | ||
| OS: | OpenBSD | ||
| Whiteboard: | |||
| Attachments: |
Patch libspamc.c and spamd.raw to remove SSL version
Proposed patch Proposed Patch (v2) |
||
*** Bug 7093 has been marked as a duplicate of this bug. *** As noted in 7093: "The following commit is incorrect: https://github.com/apache/spamassassin/commit/87caaa37615318eaa8940a5c6f3d6065cedd86d1 This makes spamassassin use SSLv3 by default, and does _not_ do what is documented: "The default, B<sslv3>, is the most flexible, accepting a SSLv3 or higher hello handshake, then negotiating use of SSLv3 or TLSv1 protocol if the client can accept it." See downstream bug report: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1383415" We're running in to this in Debian right now, too, where openssl has recently dropped support for SSLv3. My inclination is to apply a variant of Alexander's patch here, with additional modification to spamc's command-line processing to abort with an appropriate error message if the user tries to explicitly use SSLv3. Created attachment 5344 [details]
Proposed patch
Updated patch based on Alexander Bluhm's patch. Removes the ability to specify a specific SSL/TLS protocol version on the command line. Updates documentation. Lets IO::Socket::SSL choose the best available TLS version.
I'm trending towards your idea Noah. Any other committers that want to comment? I'll send in a more complete patch against trunk shortly. I missed some documentation and tests in the one here. +1. SSLv3 is insecure. OK, will look for the revised patch and then let's see if we can make this commit! Created attachment 5345 [details]
Proposed Patch (v2)
Here's a more complete patch against trunk. The code changes from the previous patch are included, along with test and documentation updates. The tests that made use of the --ssl-version=(sslv3|tlsv1) are deleted. --help output and documentation has been updated to remove references to the --ssl-version option.
For the record, the patch in comment #9 has been committed to the FreeBSD port. trunk: Bug 7199: Bad SSL/TLS Version Default - applied Proposed Patch v2: support for SSLv3 removed, removed spamd option --ssl-version, removed spamc option --ssl=sslv3 Sending MANIFEST Sending spamc/libspamc.c Sending spamc/spamc.c Sending spamc/spamc.pod Sending spamd/spamd.raw Sending t/spamd_ssl.t Sending t/spamd_ssl_accept_fail.t Sending t/spamd_ssl_tls.t Sending t/spamd_ssl_v3.t Committed revision 1748601. Bug 7199: Bad SSL/TLS Version Default - removed tests t/spamd_ssl_tls.t and t/spamd_ssl_v3.t as no longer relevant (Proposed Patch v2) Deleting t/spamd_ssl_tls.t Deleting t/spamd_ssl_v3.t Committed revision 1748602. Do we want this applied to the 3.4 branch too? I'd say yes, although it may be incompatible with some old installations still relying on SSLv3. (In reply to Mark Martinec from comment #12) > Do we want this applied to the 3.4 branch too? > > I'd say yes, although it may be incompatible with some > old installations still relying on SSLv3. you have my +1 to apply. +1 SSL3 has been deprecated for almost exactly a year now. +1 SSLv3 is not just deprec (sorry bumped the trackpad and clicked Send on from comment #15) +1 SSLv3 is not just deprecated, it is a security hole that should not be used. It is the right thing to do to take it out completely like this before we release 3.4.2. 3.4: Sending MANIFEST Sending spamc/libspamc.c Sending spamc/spamc.c Sending spamc/spamc.pod Sending spamd/spamd.raw Sending t/spamd_ssl.t Sending t/spamd_ssl_accept_fail.t Sending t/spamd_ssl_tls.t Sending t/spamd_ssl_v3.t Committed revision 1749346. Deleting t/spamd_ssl_tls.t Deleting t/spamd_ssl_v3.t Committed revision 1749347. |
Created attachment 5303 [details] Patch libspamc.c and spamd.raw to remove SSL version In OpenBSD-current with LibreSSL the regression tests of SpamAssassin fail. SSLv3 has been deprecated because of the poodle attack, so the SSL versions used by spamc and spamd do not work anymore. The SSLv3_client_method() allows only SSLv3 while SSLv23_client_method() chooses a suitable version. As noted before, SSLv3 is insecure and does not work anymore. I would recommend to remove the whole sslv3/tlsv1 commandline switch from spamc as it does not allow newer TLSv1_1 or TLSv1_2 protocols. My patch is only a minimal change to get SSL working again. The ssl-version in spamd also does not make sense anymore. SSLv3 is obsolete and TLSv1 is the weakest protocol available. Please do not try to set it, but let IO::Socket::SSL choose a sane default. Again I only provide a minimal diff, I think it would make sense to remove the commandline option ssl-version completelty. Finally I added some error message to debug the SSL problems.