On 2017-08-07 14:26:07 [+0200], Salvatore Bonaccorso wrote: > Control: severity important
as in SSL not working anymore in unstable for libesmtp. > Hi Jeremy, Hi Salvatore, > Please find attached a (refreshed) patch which is still valid to add > the proper support for TLSv1.1+ Description: Add TLSv1.1 and TLSv1.2 support Origin: vendor Bug-Debian: https://bugs.debian.org/802658 Author: Salvatore Bonaccorso <car...@debian.org> Last-Update: 2015-11-07 --- a/smtp-tls.c +++ b/smtp-tls.c @@ -197,11 +197,24 @@ starttls_create_ctx (smtp_session_t sess ckf_t status; /* The decision not to support SSL v2 and v3 but instead to use only - TLSv1 is deliberate. This is in line with the intentions of RFC + TLSv1.X is deliberate. This is in line with the intentions of RFC 3207. Servers typically support SSL as well as TLS because some versions of Netscape do not support TLS. I am assuming that all currently deployed servers correctly support TLS. */ - ctx = SSL_CTX_new (TLSv1_client_method ()); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ + !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) + ctx = SSL_CTX_new (TLS_client_method ()); +#else + ctx = SSL_CTX_new (SSLv23_client_method ()); +#endif + +#ifdef OPENSSL_NO_SSL3 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#endif + +#ifdef OPENSSL_NO_SSL2 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); +#endif /* Load our keys and certificates. To avoid messing with configuration variables etc, use fixed paths for the certificate store. These are This looks good. I would however just replace TLSv1_client_method() with SSLv23_client_method() (without the version check) and be done with it. Setting the NO_SSLvX thingy is a nop in Debian but upstream might be happy to see it. > Regards, > Salvatore Sebastian