https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7267
--- Comment #7 from Curtis Villamizar <[email protected]> ---

Created attachment 5353 --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5353&action=edit
patch to spamc/libspamc.c

All changes are inside #ifdef SPAMC_SSL / #endif pairs. Two functions are added. Each function is called in two places where a few lines are replaced. It helps to look at the replaced code first.

The SSLv3_client_method() and TLSv1_client_method() functions require an exact match to SSLv3 or TLSv1, rather than "or better". Since "or better" is assumed to have been the intent, SSLv23_client_method() is used in the new code, with SSL_CTX_set_options used to restrict the version negotiation (SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3).

The code replaced by the first new function did some init and "ctx = SSL_CTX_new(meth);". The new code just replaces the code restricting which SSL/TLS versions are allowed.

The second function supports the new options. First the CA certs are loaded if provided on the command line. Then the client cert and key are loaded if provided on the command line and then checked. The rest is like the original code but with a bit of error checking. The "ssl = SSL_new(ctx);" is run and "ssl" is copied back to the caller. Then "SSL_set_fd(ssl, sock)" is done, only this code checks the error return and logs. Then "SSL_connect(ssl)" is run, again with error checking (which in this case is disabled). The return value of SSL_connect(ssl) was ignored in the original code, so it is ignored here. Maybe that should change.
