Hello community, here is the log from the commit of package dovecot23 for openSUSE:Factory checked in at 2020-05-07 14:55:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dovecot23 (Old) and /work/SRC/openSUSE:Factory/.dovecot23.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot23" Thu May 7 14:55:28 2020 rev:28 rq:800837 version:2.3.10 Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot23/dovecot23.changes 2020-03-16 10:19:49.119623414 +0100 +++ /work/SRC/openSUSE:Factory/.dovecot23.new.2738/dovecot23.changes 2020-05-07 14:55:34.206410488 +0200 @@ -1,0 +2,8 @@ +Wed Apr 29 21:25:30 UTC 2020 - Marcus Rueckert <[email protected]> + +- add allow-tls1.3-only.patch: + Allow setting TLSv1.3 as minimum TLS version + + https://github.com/dovecot/core/pull/126 + +------------------------------------------------------------------- New: ---- allow-tls1.3-only.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot23.spec ++++++ --- /var/tmp/diff_new_pack.Z9TPT6/_old 2020-05-07 14:55:36.214414035 +0200 +++ /var/tmp/diff_new_pack.Z9TPT6/_new 2020-05-07 14:55:36.214414035 +0200 @@ -143,6 +143,8 @@ Source12: dovecot23.keyring Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch Patch1: dovecot-2.3.0-better_ssl_defaults.patch +# https://github.com/dovecot/core/pull/126 +Patch2: allow-tls1.3-only.patch Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT Group: Productivity/Networking/Email/Servers @@ -322,6 +324,7 @@ %setup -q -n %{pkg_name}-%{dovecot_version} -a 1 %patch -p1 %patch1 -p1 +%patch2 -p1 gzip -9v ChangeLog # Fix plugins dir. sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf ++++++ allow-tls1.3-only.patch ++++++ Index: dovecot-2.3.10/src/config/old-set-parser.c =================================================================== --- dovecot-2.3.10.orig/src/config/old-set-parser.c +++ dovecot-2.3.10/src/config/old-set-parser.c 
@@ -171,7 +171,7 @@ static int ssl_protocols_to_min_protocol const char **error_r) { static const char *protocol_versions[] = { - "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", + "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", }; /* Array where -1 = disable, 0 = not found, 1 = enable */ int protos[N_ELEMENTS(protocol_versions)]; Index: dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c =================================================================== --- dovecot-2.3.10.orig/src/lib-ssl-iostream/iostream-openssl-common.c +++ dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c @@ -9,6 +9,16 @@ #include <openssl/err.h> #include <arpa/inet.h> +/* + * SSL_TXT_TLSV1_3 is not defined in the openssl headers up to 1.1.1g. + * Define it here as no other part of the code uses those defines. + * + * https://github.com/openssl/openssl/pull/6720 + */ +#ifndef SSL_TXT_TLSV1_3 +#define SSL_TXT_TLSV1_3 "TLSv1.3" +#endif + /* openssl_min_protocol_to_options() scans this array for name and returns version and opt. opt is used with SSL_set_options() and version is used with SSL_set_min_proto_version(). Using either method should enable the same @@ -23,6 +33,8 @@ static const struct { { SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 }, { SSL_TXT_TLSV1_2, TLS1_2_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 }, + { SSL_TXT_TLSV1_3, TLS1_3_VERSION, + SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }, }; int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r, int *version_r)
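Review bot: The `"TLSv1.3"` literal added to `protocol_versions[]` in src/config/old-set-parser.c has to match the `SSL_TXT_TLSV1_3` name that the same patch adds to the table in iostream-openssl-common.c, and nothing near the array says so. I would add a comment above it such as `/* Names must match protocol_versions[] in lib-ssl-iostream/iostream-openssl-common.c */`. A name produced here but missing from the OpenSSL table would presumably only be rejected later, when the SSL settings are applied. The body of ssl_protocols_to_min_protocol() continues outside the hunk, so how the conversion loop treats the extra element cannot be checked from here.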
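Review bot: `TLS1_3_VERSION` in the new table entry (second hunk of src/lib-ssl-iostream/iostream-openssl-common.c) is used without a guard, while the `#ifndef SSL_TXT_TLSV1_3` fallback added in the first hunk covers only the name string. OpenSSL headers that predate TLS 1.3 support do not define `TLS1_3_VERSION`, so the file would stop compiling against them even though the fallback suggests older headers were considered. Wrapping the entry in `#ifdef TLS1_3_VERSION` and `#endif` keeps those builds working. On such builds `ssl_min_protocol = TLSv1.3` should then fail the lookup as an unknown protocol, which is the safe outcome for a minimum-version setting. The table and openssl_min_protocol_to_options() both extend outside the hunks, so whether the existing entries carry similar guards is not visible here.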
