the system-wide OpenSSL configuration of allowed TLS protocol
versions, for sessions where the remote SMTP client sends
SNI. It's better to be safe than sorry. File: tls/tls_server.c.
+
+20200821
+
+ Bugfix (introduced: Postfix 3.4, already fixed in Postfix
+ 3.6): tlsproxy(8) was using the wrong DANE macro for
+ connections with DANE trust anchors or with non-DANE trust
+ anchors (WTF: Thorsten Habich found this bug in the use
+ case that has nothing to do with DANE). This resulted in a
+ global certificate verify function pointer race, between
+ TLS handshakes that use TLS trust achors and handshakes
+ that use PKI. No memory was corrupted in the course of all
+ this. Viktor Dukhovni. File: tlsproxy/tlsproxy.c.
+
+ Cleanup: the posttls-finger '-X' option reported a false
+ conflict with '-r'. File: posttls-finger/posttls-finger.c.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200726"
-#define MAIL_VERSION_NUMBER "3.4.16"
+#define MAIL_RELEASE_DATE "20200830"
+#define MAIL_VERSION_NUMBER "3.4.17"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
state->client_start_props->fd = state->ciphertext_fd;
/* These predicates and warning belong inside tls_client_start(). */
if (!tls_dane_avail() /* mandatory side effects!! */
- &&TLS_DANE_BASED(state->client_start_props->tls_level))
- msg_warn("%s: DANE requested, but not available",
+
+ /*
+ * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client has
+ * already converted its DANE TLSA records into trust anchors, and
+ * therefore TLS_DANE_HASTA() will be true instead. That exercises the
+ * code path that updates the shared SSL_CTX with custom X.509
+ * verification callbacks for trust anchors.
+ */
+ &&TLS_DANE_HASTA(state->client_start_props->dane))
+ msg_warn("%s: DANE or local trust anchor based chain"
+ " verification requested, but not available",
state->client_start_props->namaddr);
else
state->tls_context = tls_client_start(state->client_start_props);
}
state->appl_state = tlsp_client_init(state->tls_params,
state->client_init_props,
- TLS_DANE_BASED(state->client_start_props->tls_level));
+
+ /*
+ * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client
+ * has already converted its DANE TLSA records into trust anchors,
+ * and therefore TLS_DANE_HASTA() will be true instead. That
+ * exercises the code path that updates the shared SSL_CTX with
+ * custom X.509 verification callbacks for trust anchors.
+ */
+ TLS_DANE_HASTA(state->client_start_props->dane) != 0);
ready = state->appl_state != 0;
break;
case TLS_PROXY_FLAG_ROLE_SERVER:
projects / thirdparty / postfix.git / commitdiff
