Patch by Robert Scheck <robert@fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
specific override/limitation that forces an SSLv3-only SOAP connection between the Zarafa services.
The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar to
the Zarafa Outlook Client, which meanwhile only allows TLSv1.0 (and better).

Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
upstream ticket Ticket#2014040210000266.

--- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100
@@ -162,9 +162,6 @@

lpCmd->endpoint = strdup(strServerPath.c_str());

- // override the gsoap default v23 method to the force safer v3 only method.
- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());
-
#ifdef WITH_OPENSSL
if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
// no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
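Review bot: with the `lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());` line removed, nothing in this hunk creates `lpCmd->soap->ctx` any more, yet the following hunk still calls `SSL_CTX_set_verify` and `SSL_CTX_set_options` on it; confirm that gSOAP's own context setup (the `SSLv23_method()` path the description refers to) runs before those calls, otherwise they would operate on an unset context. The deleted comment was also the only documentation of the protocol choice at this point; a one-line comment here saying that the protocol floor is now enforced via `SSL_CTX_set_options` in the `https:` branch would help the next reader.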
@@ -188,6 +185,14 @@
lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;

SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
+
+ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
+#ifdef SSL_OP_NO_COMPRESSION
+ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
+#endif
}
#endif

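Review bot: the options are applied only to the client-side context inside the `https:` branch, while the description says the SSLv3-only forcing affected SOAP connections between the Zarafa services; check that the server/listening context in the same code base receives the same `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` options, otherwise a peer could still negotiate SSLv3 toward the server side. As a style point, the two `SSL_CTX_set_options` calls can be collapsed into one by OR-ing `SSL_OP_NO_COMPRESSION` into a local options variable under the same `#ifdef`; the `#ifdef SSL_OP_NO_COMPRESSION` guard itself is correct, since older OpenSSL releases do not define that flag.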