for the expanded CNAME. Therefore, sending the correct SNI
name should not break existing mail flows. Fixed by Viktor
Dukhovni. File: src/tls/tls_client.c.
+
+20200710
+
+ Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+ Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+20200712
+
+ Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+ leak in the Postfix TLS library, found during tests. File:
+ tls/tls_misc.c.
+
+20200724
+
+ Workaround for distros that override Postfix protocol
+ settings in a system-wide OpenSSL configuration file, causing
+ interoperability problems after an OS update. File:
+ tls/tls_client.c, tls/tls_server.c.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200627"
-#define MAIL_VERSION_NUMBER "3.5.4"
+#define MAIL_RELEASE_DATE "20200724"
+#define MAIL_VERSION_NUMBER "3.5.5"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
off |= tls_bug_bits();
SSL_CTX_set_options(client_ctx, off);
+ /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+ SSL_CTX_set_min_proto_version(client_ctx, 0);
+#endif
+
/*
* Set the call-back routine for verbose logging.
*/
*/
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
locl_sig_dgst = OBJ_nid2sn(nid);
+
+ X509_free(cert);
}
/* Signature algorithms for the peer end of the connection */
if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
myfree(TLScontext->peer_cert_fprint);
if (TLScontext->peer_pkey_fprint)
myfree(TLScontext->peer_pkey_fprint);
+ if (TLScontext->kex_name)
+ myfree((void *) TLScontext->kex_name);
+ if (TLScontext->kex_curve)
+ myfree((void *) TLScontext->kex_curve);
+ if (TLScontext->clnt_sig_name)
+ myfree((void *) TLScontext->clnt_sig_name);
+ if (TLScontext->clnt_sig_curve)
+ myfree((void *) TLScontext->clnt_sig_curve);
+ if (TLScontext->clnt_sig_dgst)
+ myfree((void *) TLScontext->clnt_sig_dgst);
+ if (TLScontext->srvr_sig_name)
+ myfree((void *) TLScontext->srvr_sig_name);
+ if (TLScontext->srvr_sig_curve)
+ myfree((void *) TLScontext->srvr_sig_curve);
+ if (TLScontext->srvr_sig_dgst)
+ myfree((void *) TLScontext->srvr_sig_dgst);
if (TLScontext->errorcert)
X509_free(TLScontext->errorcert);
if (TLScontext->untrusted)
SSL_CTX_set_options(server_ctx, off);
+ /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+ SSL_CTX_set_min_proto_version(server_ctx, 0);
+#endif
+
/*
* Global protocol selection.
*/
projects / thirdparty / postfix.git / commitdiff
