From f5bf6fdcf53721b857f00dbb3ac4c4f56b1ded24 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sat, 10 Nov 2018 00:00:00 -0500 Subject: [PATCH] postfix-3.2.7-RC2 --- postfix/HISTORY | 11 ++++++++--- postfix/html/postconf.5.html | 12 ++++++++---- postfix/man/man5/postconf.5 | 12 ++++++++---- postfix/proto/postconf.proto | 12 ++++++++---- postfix/src/global/mail_version.h | 4 ++-- postfix/src/tls/tls.h | 3 ++- postfix/src/tls/tls_dane.c | 25 ++++++++++++------------- postfix/src/tls/tls_misc.c | 19 ++++++++++--------- postfix/src/tls/tls_server.c | 25 +++++++++++++------------ 9 files changed, 71 insertions(+), 52 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 9cd2f09ff..78641566d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -23098,7 +23098,7 @@ Apologies for any names omitted. Bugfix (introduced: Postfix 2.11): minor memory leak when minting issuer certs. This affects a tiny minority of use cases. Viktor Dukhovni, based on a fix by Juan Altmayer - Pizzorno for the ssl_dane library. + Pizzorno for the ssl_dane library. File: tls/tls_dane.c. 20181104 @@ -23107,5 +23107,10 @@ Apologies for any names omitted. tickets, and to allow OpenSSL >= 1.1.0 run-time micro version bumps without complaining about library version mismatches. Viktor Dukhovni. Files: proto/postconf.proto, - proto/TLS_README.html, tls/tls.h, tls/tls_dane.c, - tls/tls_server.c, tls/tls_misc.c. + proto/TLS_README.html, tls/tls.h, tls/tls_server.c, + tls/tls_misc.c. + +20181110 + + Documentation: update documentation for Postfix versions + that support disabling TLS 1.3. File: proto/postconf.proto. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 95c472af0..ed7093f6c 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -12408,7 +12408,8 @@ disabled except by also disabling "TLSv1" (typically leaving just versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

At the dane and @@ -12740,7 +12741,8 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name @@ -16849,7 +16851,8 @@ disabled. The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

Example:

@@ -16883,7 +16886,8 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index dd0efa69a..84e7c534c 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -7976,7 +7976,8 @@ disabled except by also disabling "TLSv1" (typically leaving just versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2". .PP -OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4, +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3". .PP At the dane and @@ -8295,7 +8296,8 @@ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2" .PP -OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4, +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3". .PP To include a protocol list its name, to exclude it, prefix the name @@ -11570,7 +11572,8 @@ disabled. The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". .PP -OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4, +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3". .PP Example: 
@@ -11602,7 +11605,8 @@ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". .PP -OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4, +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3". .PP To include a protocol list its name, to exclude it, prefix the name diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 85d534cb5..6f4dbda83 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11166,7 +11166,8 @@ disabled except by also disabling "TLSv1" (typically leaving just versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

At the dane and @@ -11366,7 +11367,8 @@ disabled. The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

Example:

@@ -12527,7 +12529,8 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name @@ -12562,7 +12565,8 @@ and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

-

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4, +

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

To include a protocol list its name, to exclude it, prefix the name diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 6a191461b..4e452e390 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20181104" -#define MAIL_VERSION_NUMBER "3.2.7-RC1" +#define MAIL_RELEASE_DATE "20181110" +#define MAIL_VERSION_NUMBER "3.2.7-RC2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index a3d2cd885..dfd2cbc75 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -378,7 +378,8 @@ extern void tls_param_init(void); #endif /* - * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our own. + * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our + * own. */ #define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3" diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index f56d272a2..512bc7da9 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -868,7 +868,6 @@ static int parse_tlsa_rr(DNS_RR *rr, filter_ctx *ctx) return (FILTER_RR_DROP); } } - /*- * Drop unsupported usages. * Note: NO SUPPORT for usages 0/1 which do not apply to SMTP. @@ -1345,7 +1344,7 @@ int tls_dane_match(TLS_SESS_STATE *TLScontext, int usage, static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val) { - int ret = 0; + int ret = 0; X509V3_CTX v3ctx; X509_EXTENSION *ext; 
@@ -1449,8 +1448,8 @@ static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj) X509_NAME *name = akid_issuer_name(akid); /* - * If subject's akid specifies an authority key identifier issuer name, we - * must use that. + * If subject's akid specifies an authority key identifier issuer name, + * we must use that. */ if (name) return (X509_set_issuer_name(cert, name)); @@ -1798,30 +1797,30 @@ void tls_dane_set_callback(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) static int verify_chain(SSL *ssl, x509_stack_t *chain, TLS_SESS_STATE *tctx) { - int ret; - X509 *cert; + int ret; + X509 *cert; X509_STORE_CTX *store_ctx; SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl); X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); cert = sk_X509_value(chain, 0); if ((store_ctx = X509_STORE_CTX_new()) == NULL) { - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); - return 0; + SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); + return 0; } if (!X509_STORE_CTX_init(store_ctx, store, cert, chain)) { - X509_STORE_CTX_free(store_ctx); - return 0; + X509_STORE_CTX_free(store_ctx); + return 0; } X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl); X509_STORE_CTX_set_default(store_ctx, "ssl_server"); X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx), - SSL_get0_param(ssl)); + SSL_get0_param(ssl)); if (SSL_get_verify_callback(ssl)) - X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); + X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); ret = dane_cb(store_ctx, tctx); diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index c131a5c97..351f576cc 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c 
@@ -362,15 +362,16 @@ static const LONG_NAME_MASK ssl_bug_tweaks[] = { NAMEBUG(TLSEXT_PADDING), #if 0 - /* - * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in SSL_CTX_new() - * and is not included in SSL_OP_ALL. Allowing users to disable this would - * thus a code change that would clearing bug work-around bits in SSL_CTX, - * after setting SSL_OP_ALL. Since this is presumably required for TLS 1.3 on - * today's Internet, the code change will be done separately later. For now - * this implicit bug work-around cannot be disabled via supported Postfix - * mechanisms. - */ + + /* + * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in + * SSL_CTX_new() and is not included in SSL_OP_ALL. Allowing users to + * disable this would thus a code change that would clearing bug + * work-around bits in SSL_CTX, after setting SSL_OP_ALL. Since this is + * presumably required for TLS 1.3 on today's Internet, the code change + * will be done separately later. For now this implicit bug work-around + * cannot be disabled via supported Postfix mechanisms. + */ #ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT #define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 #endif diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 19abedb96..ee715c07f 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c 
@@ -504,18 +504,19 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) } if (ticketable) { SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb); - /* - * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more - * than one ticket per handshake. While this may be appropriate for - * communication between browsers and webservers, it is not terribly - * useful for MTAs, many of which other than Postfix don't do TLS - * session caching at all, and Postfix has no mechanism for storing - * multiple session tickets, if more than one sent, the second clobbers - * the first. OpenSSL 1.1.1 servers default to issuing two tickets for - * non-resumption handshakes, we reduce this to one. Our ticket - * decryption callback already (since 2.11) asks OpenSSL to avoid - * issuing new tickets when the presented ticket is re-usable. - */ + + /* + * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more + * than one ticket per handshake. While this may be appropriate for + * communication between browsers and webservers, it is not terribly + * useful for MTAs, many of which other than Postfix don't do TLS + * session caching at all, and Postfix has no mechanism for storing + * multiple session tickets, if more than one sent, the second + * clobbers the first. OpenSSL 1.1.1 servers default to issuing two + * tickets for non-resumption handshakes, we reduce this to one. Our + * ticket decryption callback already (since 2.11) asks OpenSSL to + * avoid issuing new tickets when the presented ticket is re-usable. + */ SSL_CTX_set_num_tickets(server_ctx, 1); } #endif -- 2.47.3
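Review bot: in the HISTORY hunk, moving "File: tls/tls_dane.c." from the 20181104 entry to the earlier memory-leak entry is consistent with the rest of this patch, where every tls_dane.c change is whitespace or comment reflow only (the dropped blank line before the `/*-` block in parse_tlsa_rr, alignment in add_ext and verify_chain, a rewrapped comment in set_issuer_name), so no functional change is left unattributed. The new 20181110 entry lists only proto/postconf.proto, which is the normal convention because postconf.5.html and postconf.5 are generated from it; the html and man hunks carry wording identical to the proto hunks, so the regeneration looks right.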
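Review bot: in the postconf.proto, postconf.5.html and postconf.5 hunks the phrase "patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2" reads ambiguously, since ">=" is applied to a list; consider "or patch releases 3.0.14, 3.1.10, 3.2.7, 3.3.2 and later in each of those series". The sentence is changed in twelve places (four protocol parameters in each of the three files) with identical text, which is what you want. Nothing in this patch touches how the "!TLSv1.3" token is parsed (the only tls.h change is a comment rewrap around TLS_PROTOCOL_TXT_TLSV1_3), so the parsing support the documentation now promises for the 3.0 to 3.3 patch releases must already be in RC1, as the 20181104 HISTORY entry (tls.h, tls_server.c, tls_misc.c) states.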
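Review bot: in mail_version.h, MAIL_RELEASE_DATE "20181110" matches the date of the new HISTORY entry and MAIL_VERSION_NUMBER "3.2.7-RC2" is the RC of the 3.2.7 patch release the documentation cites; no mismatch.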
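Review bot: in the tls_dane.c verify_chain hunk, the allocation-failure path reports with `SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE)`, a function code that belongs to libssl's own error table rather than to an application; the hunk is indentation only and does not introduce this, but since the function is being touched it is worth noting that SSL_F_* codes are not part of the public API and are gone in OpenSSL 3.0, so a Postfix-side error report or msg_warn would be more robust here. The init-failure path correctly frees store_ctx before returning.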
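Review bot: in the tls_misc.c hunk the rewrapped comment still carries the broken sentence "Allowing users to disable this would thus a code change that would clearing bug work-around bits in SSL_CTX"; since the hunk is reflowing it anyway, fix it to "would thus require a code change that clears bug work-around bits in SSL_CTX after setting SSL_OP_ALL". The `#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT` / `#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0` fallback sits inside `#if 0`, so it is inert until the entry is enabled; the practical consequence the comment states stands for this release: middlebox-compatibility mode is switched on implicitly by SSL_CTX_new() and cannot be turned off through the ssl_bug_tweaks table.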
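Review bot: in the tls_server.c hunk the comment has a comma splice, "if more than one sent, the second clobbers the first"; while rewrapping, make it "if more than one is sent, the second clobbers the first". `SSL_CTX_set_num_tickets(server_ctx, 1)` is the right call for the stated goal, but it exists only in OpenSSL 1.1.1 and later; the closing `#endif` shows the block is conditional, so confirm that the matching `#if` (outside this hunk) tests the OpenSSL version and not merely ticket support, otherwise the 3.2 branch will not build against older OpenSSL with tickets enabled. One ticket per full handshake also means a client that reuses that ticket across several connections is linkable across them, which is the trade-off the existing ticket callback behaviour already accepts; a short sentence saying so would make the comment complete.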