From 423e99d9b3c7f0a134494c7853150fbd0a5d6efc Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Mar 05 2015 23:37:52 +0000 Subject: Added small security enhancement --- diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch index e4875ee..877b0e1 100644 --- a/zarafa-7.1.11-gsoap-sslv3.patch +++ b/zarafa-7.1.11-gsoap-sslv3.patch @@ -1,13 +1,14 @@ Patch by Robert Scheck for zarafa >= 7.1.11 which removes the Zarafa- specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services. The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1 -as well as TLSv1.2. +as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like +the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better). Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the upstream ticket Ticket#2014040210000266. --- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200 -+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-02-18 01:15:50.000000000 +0100 ++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100 @@ -162,9 +162,6 @@ lpCmd->endpoint = strdup(strServerPath.c_str()); @@ -18,3 +19,18 @@ upstream ticket Ticket#2014040210000266. #ifdef WITH_OPENSSL if (strncmp("https:", lpCmd->endpoint, 6) == 0) { // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths() +@@ -188,6 +185,14 @@ + lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent; + + SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify); ++ ++ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better) ++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); ++ ++#ifdef SSL_OP_NO_COMPRESSION ++ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929) ++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION); ++#endif + } + #endif +