Re: Qpopper and openssl on FreeBSD 11.x

[Doug Hardie]

> On 23 March 2018, at 02:40, Matthias Andree  wrote:
> 
> Am 17.02.2018 um 04:22 schrieb Doug Hardie:
>> I have encountered an interesting situation while trying to resolve a PR on 
>> qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because 
>> the openssl function SSLv3_server_method has been removed.  I can see where 
>> the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear 
>> that they should be there.  nm on libssl shows they are there.  Clang's 
>> linker can't link to them.  One of the qpopper users' indicates that the 
>> problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is 
>> a bug and have filed Bug report.
> 
> It is a deliberate security measure to remove SSLv3 methods, and not a
> bug. The protocol is broken.

Granted those protocols are broken, but removing the calls to disable them 
means that for systems that still support them, you have no real option to 
disable them.  Its like you are pretending they never existed.  However, they 
still do in 10.x which is still supported.

> 
>> Resolution of that PR will obviously take some time.  The question at hand 
>> is what to do in the meantime. I am guessing the packages must be built on 
>> 10.x or there would be a report of the problem.  I can easily change the 
>> code, via a patch, to use SSLv23_server_method in all cases, or the 
>> preferred TLSv1_server_method.  That will eliminate the options to restrict 
>> qpopper to SSLv2 or SSLv3.  This does not appear to be an issue for those 
>> running 11.x.  However, it is for those using 10.x and earlier.  Given the 
>> security issues today, I can't imagine anyone wanting to use those options, 
>> but it is possible someone is using them.  Switching to the 
>> TLSv1_server_method will remove that capability for them.  
> 
> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
> those systems that still support them - which depends on the
> OpenSSL/LibreSSL version, however:
> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
> set through ..._set_options() on the SSL or CTX,
> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

The simple approach for 11 is to use SSLv23_server_method() as it handles 
everything and no extra calls are required.  However, that doesn't work for 
10.x  Adding in all the checks you mention is a lot of development and testing 
effort.  I don't have the resources or desire to do all that.  I have not found 
a hardware system that will run 10.x.  Everything I have runs 11 just fine...

-- Doug

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Bug reports commit request

[Yasuhiro KIMURA]

Dear committers,

Would someone please commit following bug reports with maintainer
timeout?

Bug 225570 - security/bruteforceblocker: add patch to handle "fatal: Unable to 
negotiate with" message and update WWW
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225570

Bug 226089 - japanese/another-htmllint: add www/p5-LWP-Protocol-https to 
RUN_DEPENDS
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226089

Best Regards.

---
Yasuhiro KIMURA
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

INDEX now builds successfully on 10.x

[Ports Index build]

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

INDEX build failed for 10.x

[Ports Index build]

INDEX build failed with errors:
Generating INDEX-10 - please wait..--- describe.accessibility ---
--- describe.arabic ---
--- describe.archivers ---
--- describe.astro ---
--- describe.audio ---
--- describe.benchmarks ---
--- describe.biology ---
--- describe.cad ---
--- describe.chinese ---
--- describe.comms ---
--- describe.converters ---
--- describe.databases ---
--- describe.deskutils ---
--- describe.devel ---
--- describe.dns ---
--- describe.editors ---
--- describe.emulators ---
--- describe.finance ---
--- describe.french ---
--- describe.ftp ---
[...]
--- describe.print ---
--- describe.russian ---
--- describe.science ---
--- describe.security ---
--- describe.shells ---
--- describe.sysutils ---
--- describe.textproc ---
--- describe.ukrainian ---
--- describe.vietnamese ---
--- describe.www ---
--- describe.x11 ---
--- describe.x11-clocks ---
--- describe.x11-drivers ---
--- describe.x11-fm ---
--- describe.x11-fonts ---
--- describe.x11-servers ---
--- describe.x11-themes ---
--- describe.x11-toolkits ---
--- describe.x11-wm ---
 Done.
make_index: /home/indexbuild/tindex/ports/misc/kdeutils-kde4: no entry for 
/home/indexbuild/tindex/ports/sysutils/filelight-kde4

Committers on the hook:
 adridg ale amdmi3 linimon lwhsu tota 

Most recent SVN update was:
Updating '.':
Unet-mgmt/lldpd/Makefile
Udatabases/py-alembic/Makefile
Udatabases/py-alembic/distinfo
Umath/R-cran-NMF/Makefile
Umath/R-cran-NMF/distinfo
Umail/roundcube/Makefile
Umail/roundcube/distinfo
UMOVED
Umisc/kdeutils-kde4/Makefile
Usysutils/filelight/Makefile
Asysutils/filelight-kde4
Asysutils/filelight-kde4/Makefile
Asysutils/filelight-kde4/distinfo
Asysutils/filelight-kde4/pkg-plist
Asysutils/filelight-kde4/pkg-descr
Udevel/R-cran-sfsmisc/Makefile
UU   devel/R-cran-sfsmisc/distinfo
Udevel/eris/Makefile
Udevel/eris/pkg-descr
Dnet-im/ktp-contact-runner
Dnet-im/ktp-accounts-kcm
Dnet-im/ktp-send-file
Dnet-im/ktp-text-ui
Dnet-im/ktp-desktop-applets
Dnet-im/ktp-filetransfer-handler
Dnet-im/ktp-contact-list
Dnet-im/ktp-common-internals
Dnet-im/kde-telepathy
Dnet-im/plasma-applet-ktp
Dnet-im/ktp-auth-handler
Dnet-im/ktp-kded-integration-module
Dnet-im/ktp-approver
Unet-im/Makefile
Anet-im/ktp-accounts-kcm-kde4
Anet-im/ktp-accounts-kcm-kde4/Makefile
Anet-im/ktp-accounts-kcm-kde4/pkg-plist
Anet-im/ktp-accounts-kcm-kde4/distinfo
Anet-im/ktp-accounts-kcm-kde4/pkg-descr
Anet-im/ktp-approver-kde4
Anet-im/ktp-approver-kde4/Makefile
Anet-im/ktp-approver-kde4/distinfo
Anet-im/ktp-approver-kde4/pkg-plist
Anet-im/ktp-approver-kde4/pkg-descr
Anet-im/ktp-auth-handler-kde4
Anet-im/ktp-auth-handler-kde4/Makefile
Anet-im/ktp-auth-handler-kde4/distinfo
Anet-im/ktp-auth-handler-kde4/pkg-plist
Anet-im/ktp-auth-handler-kde4/pkg-descr
Anet-im/ktp-common-internals-kde4
Anet-im/ktp-common-internals-kde4/Makefile
Anet-im/ktp-common-internals-kde4/distinfo
Anet-im/ktp-common-internals-kde4/files
Anet-im/ktp-common-internals-kde4/files/patch-CMakeLists.txt
Anet-im/ktp-common-internals-kde4/pkg-plist
Anet-im/ktp-common-internals-kde4/pkg-descr
Anet-im/ktp-contact-list-kde4
Anet-im/ktp-contact-list-kde4/Makefile
Anet-im/ktp-contact-list-kde4/distinfo
Anet-im/ktp-contact-list-kde4/pkg-plist
Anet-im/ktp-contact-list-kde4/pkg-descr
Anet-im/ktp-contact-runner-kde4
Anet-im/ktp-contact-runner-kde4/Makefile
Anet-im/ktp-contact-runner-kde4/distinfo
Anet-im/ktp-contact-runner-kde4/pkg-plist
Anet-im/ktp-contact-runner-kde4/pkg-descr
Anet-im/ktp-desktop-applets-kde4
Anet-im/ktp-desktop-applets-kde4/Makefile
Anet-im/ktp-desktop-applets-kde4/distinfo
Anet-im/ktp-desktop-applets-kde4/pkg-plist
Anet-im/ktp-desktop-applets-kde4/pkg-descr
Anet-im/ktp-filetransfer-handler-kde4
Anet-im/ktp-filetransfer-handler-kde4/Makefile
Anet-im/ktp-filetransfer-handler-kde4/distinfo
Anet-im/ktp-filetransfer-handler-kde4/pkg-plist
Anet-im/ktp-filetransfer-handler-kde4/pkg-descr
Anet-im/ktp-kded-integration-module-kde4
Anet-im/ktp-kded-integration-module-kde4/Makefile
Anet-im/ktp-kded-integration-module-kde4/distinfo
Anet-im/ktp-kded-integration-module-kde4/pkg-plist
Anet-im/ktp-kded-integration-module-kde4/pkg-descr
Anet-im/ktp-send-file-kde4
Anet-im/ktp-send-file-kde4/Makefile
Anet-im/ktp-send-file-kde4/distinfo
Anet-im/ktp-send-file-kde4/pkg-plist
Anet-im/ktp-send-file-kde4/pkg-descr
Anet-im/ktp-text-ui-kde4
Anet-im/ktp-text-ui-kde4/Makefile
Anet-im/ktp-text-ui-kde4/distinfo
Anet-im/ktp-text-ui-kde4/pkg-plist
Anet-im/ktp-text-ui-kde4/pkg-descr
Anet-im/plasma-applet-ktp-kde4
Anet-im/plasma-applet-ktp-kde4/Makefile
Anet-im/plasma-applet-ktp-kde4/distinfo
Anet-im/plasma-applet-ktp-kde4/pkg-plist
A

Lightning does not work in Seamonkey 2.49.1

[Miroslav Lachman]

I have Seamonkey 2.49.1 installed from my poudrier build. I have 
selected LIGHTNING option but it doesn't work. I don't see calendar and 
tasks anywhere in the menus. I tried installing Lightbird extension but 
it doesn't work too.


Is there anybody with working calendar in Seamonkey?

FreeBSD 10.4-RELEASE-p5 amd64 GENERIC


seamonkey-2.49.1_7
Name   : seamonkey
Version: 2.49.1_7
Installed on   : Fri Mar 23 02:00:15 2018 CET
Origin : www/seamonkey
Architecture   : FreeBSD:10:amd64
Prefix : /usr/local
Categories : mail irc news ipv6 editors www
Licenses   :
Maintainer : ge...@freebsd.org
WWW: http://www.mozilla.org/projects/seamonkey/
Comment: The open source, standards compliant web browser
Options:
ALSA   : on
BUNDLED_CAIRO  : off
CANBERRA   : on
DBUS   : on
DEBUG  : off
DTRACE : on
FFMPEG : on
GCONF  : on
GTK2   : off
GTK3   : on
INTEGER_SAMPLES: off
JACK   : on
LDAP   : off
LIBPROXY   : off
LIGHTNING  : on
OPTIMIZED_CFLAGS: on
PROFILE: off
PULSEAUDIO : on
RUST   : off
SNDIO  : off
TEST   : off
Shared Libs required:

libhunspell-1.6.so.0
libevent-2.1.so.6
libvpx.so.4
libplc4.so
libXcomposite.so.1
libxcb.so.1
libgdk_pixbuf-2.0.so.0
libgio-2.0.so.0
libssl3.so
libXfixes.so.3
libnss3.so
libogg.so.0
libv4l2.so.0
libgobject-2.0.so.0
libnssutil3.so
libplds4.so
libharfbuzz.so.0
libstartup-notification-1.so.0
libX11.so.6
libdbus-1.so.3
libXdamage.so.1
libnspr4.so
libXt.so.6
libgraphite2.so.3
libicuuc.so.60
libpng16.so.16
libicui18n.so.60
libvorbis.so.0
libglib-2.0.so.0
libfontconfig.so.1
libsmime3.so
libgdk-x11-2.0.so.0
libgdk-3.so.0
libXrender.so.1
Annotations:
FreeBSD_version: 1004000
cpe: 
cpe:2.3:a:mozilla:seamonkey:2.49.1:freebsd10:x64:7

no_provide_shlib: yes
repo_type  : binary
repository : codelab
Flat size  : 126MiB


Kind regards
Miroslav Lachman

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: Qpopper and openssl on FreeBSD 11.x

[Matthias Andree]

Am 17.02.2018 um 04:22 schrieb Doug Hardie:
> I have encountered an interesting situation while trying to resolve a PR on 
> qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because 
> the openssl function SSLv3_server_method has been removed.  I can see where 
> the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear 
> that they should be there.  nm on libssl shows they are there.  Clang's 
> linker can't link to them.  One of the qpopper users' indicates that the 
> problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is a 
> bug and have filed Bug report.

It is a deliberate security measure to remove SSLv3 methods, and not a
bug. The protocol is broken.

> Resolution of that PR will obviously take some time.  The question at hand is 
> what to do in the meantime. I am guessing the packages must be built on 10.x 
> or there would be a report of the problem.  I can easily change the code, via 
> a patch, to use SSLv23_server_method in all cases, or the preferred 
> TLSv1_server_method.  That will eliminate the options to restrict qpopper to 
> SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  
> However, it is for those using 10.x and earlier.  Given the security issues 
> today, I can't imagine anyone wanting to use those options, but it is 
> possible someone is using them.  Switching to the TLSv1_server_method will 
> remove that capability for them.  

Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
those systems that still support them - which depends on the
OpenSSL/LibreSSL version, however:
Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
set through ..._set_options() on the SSL or CTX,
newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"