Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2020-06-23 21:03:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new.2956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Tue Jun 23 21:03:04 2020 rev:185 rq:815876 version:3.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2020-05-20 18:37:08.184189724 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.2956/postfix.changes 2020-06-23 21:03:27.689623223 +0200 @@ -1,0 +2,11 @@ +Mon Jun 15 16:09:57 UTC 2020 - Michael Ströder <[email protected]> + +- Update to 3.5.3: + * TLS handshake failure in the Postfix SMTP server during SNI + processing, after the server-side TLS engine sent a TLSv1.3 + HelloRetryRequest (HRR) to a remote SMTP client. + * The command "postfix tls deploy-server-cert" did not handle a + missing optional argument. This bug was introduced in Postfix + 3.1. + +------------------------------------------------------------------- Old: ---- postfix-3.5.2.tar.gz New: ---- postfix-3.5.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.884oNS/_old 2020-06-23 21:03:30.269631524 +0200 +++ /var/tmp/diff_new_pack.884oNS/_new 2020-06-23 21:03:30.269631524 +0200 @@ -53,7 +53,7 @@ %bcond_with libnsl %endif Name: postfix -Version: 3.5.2 +Version: 3.5.3 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 ++++++ postfix-3.5.2.tar.gz -> postfix-3.5.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.2/HISTORY new/postfix-3.5.3/HISTORY --- old/postfix-3.5.2/HISTORY 2020-05-16 22:25:11.000000000 +0200 +++ new/postfix-3.5.3/HISTORY 2020-06-10 23:08:14.000000000 +0200 
@@ -24737,3 +24737,19 @@ session may cause a false 'lost connection' error for a concurrent TLS session in the same tlsproxy process. File: tlsproxy/tlsproxy.c. + +20200530 + + Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert" + did not handle a missing optional argument. File: + conf/postfix-tls-script. + +20200610 + + Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server, + the SNI callback reported an error when it was called a + second time. This happened after the server-side TLS engine + sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP + client. Reported by Ján Máté, fixed by Viktor Dukhovni. + File: tls/tls_misc.c. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.2/conf/postfix-tls-script new/postfix-3.5.3/conf/postfix-tls-script --- old/postfix-3.5.2/conf/postfix-tls-script 2017-02-19 02:58:20.000000000 +0100 +++ new/postfix-3.5.3/conf/postfix-tls-script 2020-05-30 16:37:04.000000000 +0200 @@ -777,7 +777,7 @@ deploy_server_cert() { certfile=$1; shift keyfile=$1; shift - deploy=$1; shift + case $# in 0) deploy=;; *) deploy=$1; shift;; esac # Sets key_algo, key_param and cert_param check_key "$keyfile" || return 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.2/src/global/mail_version.h new/postfix-3.5.3/src/global/mail_version.h --- old/postfix-3.5.2/src/global/mail_version.h 2020-05-16 23:43:20.000000000 +0200 +++ new/postfix-3.5.3/src/global/mail_version.h 2020-06-14 22:52:23.000000000 +0200 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200516" -#define MAIL_VERSION_NUMBER "3.5.2" +#define MAIL_RELEASE_DATE "20200614" +#define MAIL_VERSION_NUMBER "3.5.3" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.2/src/tls/tls_misc.c new/postfix-3.5.3/src/tls/tls_misc.c --- old/postfix-3.5.2/src/tls/tls_misc.c 2019-06-26 23:42:43.000000000 +0200 +++ new/postfix-3.5.3/src/tls/tls_misc.c 2020-06-10 21:04:03.000000000 +0200 @@ -686,6 +686,27 @@ TLScontext->namaddr, sni); return SSL_TLSEXT_ERR_NOACK; } + + /* + * With TLS 1.3, when the client's proposed key share is not supported by + * the server, the server may issue a HelloRetryRequest (HRR), and the + * client will then retry with a new key share on a curve supported by + * the server. This results in the SNI callback running twice for the + * same connection. + * + * When that happens, The client MUST send the essentially the same hello + * message, including the SNI name, and since we've already loaded our + * certificate chain, we don't need to do it again! Therefore, if we've + * already recorded the peer SNI name, just check that it has not + * changed, and return success. + */ + if (TLScontext->peer_sni) { + if (strcmp(sni, TLScontext->peer_sni) == 0) + return SSL_TLSEXT_ERR_OK; + msg_warn("TLS SNI changed from %s initially %s, %s after hello retry", + TLScontext->namaddr, TLScontext->peer_sni, sni); + return SSL_TLSEXT_ERR_NOACK; + } do { /* Don't silently skip maps opened with the wrong flags. */ pem = maps_file_find(tls_server_sni_maps, cp, 0);
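Review bot: the first bullet of the new postfix.changes entry (the TLSv1.3 HelloRetryRequest SNI failure) does not say which release introduced the bug, while the second bullet ends with "This bug was introduced in Postfix 3.1."; the 20200610 HISTORY entry in the same tarball records the SNI fix as "introduced: Postfix 3.4", so add the same sentence to the first bullet for parity (e.g. "... to a remote SMTP client. This bug was introduced in Postfix 3.4."), which tells packagers of older branches at a glance whether they are affected.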
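Review bot: in conf/postfix-tls-script the new `case $# in 0) deploy=;; *) deploy=$1; shift;; esac` guard correctly avoids the failing `shift` when the optional third argument is absent, but the two lines just above it, `certfile=$1; shift` and `keyfile=$1; shift`, still `shift` unconditionally; if deploy_server_cert can be entered with fewer than two arguments, `shift` on an empty positional list fails in exactly the same way, so either confirm that the caller validates the argument count before the call or add a single guard at the top of the function (e.g. `[ $# -ge 2 ] || return 1`, matching the `|| return 1` style already used for check_key), and a one-line comment stating that the third argument is optional would make the case statement self-explanatory to the next reader.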
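Review bot: in the src/tls/tls_misc.c hunk the mismatch path (`TLScontext->peer_sni` set but different from `sni`) returns SSL_TLSEXT_ERR_NOACK after a warning, which lets the handshake continue with the certificate chain loaded for the first name; the new comment itself states that the client MUST send essentially the same hello, SNI included, after a HelloRetryRequest, so a changed name is a protocol violation rather than a benign condition, and returning SSL_TLSEXT_ERR_ALERT_FATAL here would abort the handshake instead of silently serving the first name's certificate (the earlier rejection path keeps NOACK, but that one handles a malformed name, not a client that changed its story mid-handshake). Two smaller points in the same hunk: the msg_warn format "TLS SNI changed from %s initially %s, %s after hello retry" puts the peer address after "from", so the log line reads as if the SNI changed from the address; "TLS SNI from %s changed: initially %s, %s after hello retry" keeps the same arguments in the same order and reads correctly. And the comment has a typo, "When that happens, The client MUST send the essentially the same hello message" should read "When that happens, the client MUST send essentially the same hello message".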
