settings in a system-wide OpenSSL configuration file, causing
interoperability problems after an OS update. File:
tls/tls_client.c, tls/tls_server.c.
+
+20200726
+
+ Bugfix (introduced: Postfix 3.4.15): part of a memory leak
+ fix was backported to the wrong place. File: tls/tls_misc.c.
+
+ The Postfix 3.4.15 workaround did not explictly override
+ the system-wide OpenSSL configuration of allowed TLS protocol
+ versions, for sessions where the remote SMTP client sends
+ SNI. It's better to be safe than sorry. File: tls/tls_server.c.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200724"
-#define MAIL_VERSION_NUMBER "3.4.15"
+#define MAIL_RELEASE_DATE "20200726"
+#define MAIL_VERSION_NUMBER "3.4.16"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
*/
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
locl_sig_dgst = OBJ_nid2sn(nid);
-
- X509_free(cert);
}
/* Signature algorithms for the peer end of the connection */
if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
*/
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
peer_sig_dgst = OBJ_nid2sn(nid);
+
+ X509_free(cert);
}
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
/* Enable all supported protocols */
#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
SSL_CTX_set_min_proto_version(server_ctx, 0);
+ SSL_CTX_set_min_proto_version(sni_ctx, 0);
#endif
/*
projects / thirdparty / postfix.git / commitdiff
