From 6a66c5112bd4b48ff4e4d6c4c28ef4d17f25fa6c Mon Sep 17 00:00:00 2001
From: Robert Scheck
Date: Oct 15 2014 01:20:04 +0000
Subject: Merge remote branch 'origin/master' into el5
---
diff --git a/zarafa-7.0.9-rpath.patch b/zarafa-7.0.9-rpath.patch
deleted file mode 100644
index 47c5c3b..0000000
--- a/zarafa-7.0.9-rpath.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -Patch by Robert Scheck for zarafa >= 7.0.9, which works -around the broken libtool of Debian. Multilib/multiarch systems like Fedora or Red -Hat Enterprise Linux are using /usr/lib64 for 64 bit libraries and /usr/lib is used -for 32 bit libraries. That allows to run 32 bit software on 64 bit systems. Debian -systems only use /usr/lib which contains only 32 or 64 bit systems depending on the -architecture. - -Libtool hardcodes the runtime search path in a library (rpath), if the library that -is used for linking is not within the default system library path. The result is, -that if aclocal.m4/configure files are generated by a Debian system, but used on a -Fedora or Red Hat Enterprise Linux 64 bit system for compiling, "-rpath /usr/lib64" -makes it into the binary. - -Fedora and EPEL (for Red Hat Enterprise Linux) do not allow binaries with rpath, as -the Linux dynamic linker is usually smarter than the hardcoded path. - -The fix for this issue is to add the optional /lib64 and /usr/lib64 directories at/ -within libtool in front of the regular /lib and /usr/lib directories at the system -library path. These libtool information are hold in aclocal.m4, which is generated -by running aclocal. As the content of aclocal.m4 is included into configure during -a run of autoconf, aclocal.m4 needs to be modified within the upstream build system -each time after a aclocal run - until Debian's libtool is fixed at Debian upstream. 
- -Applying the fix is either possible by using the first hunk of the patch (second -hunk is runtime-only if configure file has been already generated) or by running -the following sed command after each aclocal run within the upstream build system: - - sed -e 's@\(# Append ld.so.conf contents to the search path\)@# Add ABI-specific directories to the system library path.\n sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"\n\n \1@' \ - -e 's@/lib /usr/lib $lt_ld_extra@$sys_lib_dlsearch_path_spec $lt_ld_extra@' -i zarafa-6.40.5/aclocal.m4 - -More information regarding this topic can be found for example at: - - - http://osdir.com/ml/bug-libtool-gnu/2009-12/msg00034.html - - http://lists.gnu.org/archive/html/libtool/2009-01/msg00039.html - - http://thread.gmane.org/gmane.comp.gnu.libtool.general/8339/focus=8345 - ---- zarafa-7.0.9/aclocal.m4 2012-08-03 13:58:18.000000000 +0200 -+++ zarafa-7.0.9/aclocal.m4.rpath 2012-08-12 22:57:31.000000000 +0200 -@@ -2485,10 +2485,13 @@ - # before this can be enabled. - hardcode_into_libs=yes - -+ # Add ABI-specific directories to the system library path. -+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -+ - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on ---- zarafa-7.0.9/configure 2012-08-03 13:58:18.000000000 +0200 -+++ zarafa-7.0.9/configure.rpath 2012-08-12 22:59:05.000000000 +0200 -@@ -10097,10 +10097,13 @@ - # before this can be enabled. 
- hardcode_into_libs=yes - -+ # Add ABI-specific directories to the system library path. -+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -+ - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on -@@ -15288,10 +15291,13 @@ - # before this can be enabled. - hardcode_into_libs=yes - -+ # Add ABI-specific directories to the system library path. -+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -+ - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/zarafa-7.1.10-mariadb.patch b/zarafa-7.1.10-mariadb.patch deleted file mode 100644 index 419017a..0000000 --- a/zarafa-7.1.10-mariadb.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -Patch by Robert Scheck for zarafa >= 7.1.10 which really (!) adds support for -MariaDB. In theory, Zarafa 7.1.10 supports MariaDB, see https://jira.zarafa.com/browse/ZCP-11934 for some -upstream details. However it poorly fails if really trying it with e.g. MariaDB 5.5.38: - -Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000002] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=3 AND (tag <= 0x8500 OR names.id IS NOT NULL)" -Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000004] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=4 AND (tag <= 0x8500 OR names.id IS NOT NULL)" -Jul 10 23:40:40 tux zarafa-server[24633]: SQL [00000006] result failed: BIGINT UNSIGNED value is out of range in '(`zarafa`.`properties`.`tag` - 0x8501)', Query: "SELECT 0,properties.tag,properties.type,properties.val_ulong,properties.val_string,properties.val_binary,properties.val_double,properties.val_longint,properties.val_hi,properties.val_lo, hierarchyid, names.nameid, names.namestring, names.guid FROM properties FORCE INDEX (PRIMARY) LEFT JOIN names ON (properties.tag-0x8501)=names.id WHERE hierarchyid=4 AND (tag <= 0x8500 OR names.id IS NOT NULL)" - -Even this might 
not be a clean solution it at least makes Zarafa usable with MariaDB - which is important -nowadays as Red Hat Enterprise Linux and CentOS 7 are only shipping MariaDB by default rather MySQL. - ---- zarafa-7.1.10/provider/libserver/ECDatabaseMySQL.cpp 2014-05-23 15:56:38.000000000 +0200 -+++ zarafa-7.1.10/provider/libserver/ECDatabaseMySQL.cpp.mariadb 2014-07-10 23:44:19.000000000 +0200 -@@ -628,7 +628,7 @@ - - if (m_lpMySQL.server_version && m_lpMySQL.server_version[0] >= '5') { - // this option was introduced in mysql 5.0, so let's not even try on 4.1 servers -- strQuery = "SET SESSION sql_mode = 'STRICT_ALL_TABLES'"; -+ strQuery = "SET SESSION sql_mode = 'STRICT_ALL_TABLES,NO_UNSIGNED_SUBTRACTION'"; - Query(strQuery); // ignore error - } - diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch new file mode 100644 index 0000000..756d2fd --- /dev/null +++ b/zarafa-7.1.10-ssl_protocols_ciphers.patch 
@@ -0,0 +1,446 @@ +Patch by Robert Scheck for Zarafa <= 7.1.10 which implements much more +fine granulated configuration settings for SSL/TLS protocol and cipher enabling and disabling. The +currently available "ssl_enable_v2" setting allows either to disable SSLv2 (and enables SSLv3 only +instead) or to enable all, thus SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (TLSv1.1 and TLSv1.2 only +if Zarafa was linked against OpenSSL 1.0.1 or later). Since SSLv2 has known protocol weaknesses it +never should be enabled - but for Zarafa it currently must be enabled to support TLSv1 and better. + +This patch introduces the new setting "ssl_protocols" which replaces "ssl_enable_v2". The default +is "!SSLv2" to simply disable SSLv2 by default. The setting can be filled either with SSL protocols +that shall be enabled and/or disabled, e.g. "SSLv3 TLSv1" or "!SSLv2 !SSLv3". However only the more +usual disable/exclude option should be used as this does not exclude future protocols by default. + +Further this patch introduces the completely new setting "ssl_ciphers". This one allows to set SSL +cipher suites. Right now, all SSL ciphers are accepted which is just weak or might Zarafa even make +even vulnerable to known SSL attacks. The German Federal Office for Information Security (BSI) says +that RC4 should not be used anymore - but Zarafa does it by default. And without this patch there +is also no way for Zarafa administrators to avoid that. Indeed this setting has the risk to get the +administrators ending up in a cipher mismatch between different systems but this new setting still +could be declared as officially unsupported and only for the brave ones who know what they do. Thus +the default is already set to something less weak than before but still below BSI recommendations. + +Finally this patch introduces the also new setting "ssl_prefer_server_ciphers". 
It does what it is +named after: When choosing a cipher during an SSL/TLS handshake, normally the client's preference +is used. If this setting is enabled, the server's preference will be used instead. This comes handy +to administrators for strange cipher orderings required for special configurations and clients - or +new weaknesses where workarounds are required for the time being. + +Testing: Configure zarafa-gateway, zarafa-ical and zarafa-server for cleartext and SSL as usual. +Try to login via POP3S, IMAPS, CalDAV-SSL and MAPI in SOAP over HTTPS. Change SSL protocols and the +ciphers to something more weak ("SSLv2" and "LOW") or to something more strong ("TLSv1.2" and e.g. +"HIGH"). During all my tests I did not figure out any newly introduced issue or Zarafa breakage. + +Important: The technical implementation of this patch might be not perfect as I am not really a C/ +C++ developer. The logic and the implementation is heavily based on Dovecot, Postfix and hints from +https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/. There should be +a code review and code clean up by an experienced C/C++ developer before merging into Zarafa core. + +This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch, +the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before. 
+ +--- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200 ++++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -220,7 +220,9 @@ + { "log_timestamp", "1" }, + { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" }, + { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" }, +- { "ssl_enable_v2", "no" }, ++ { "ssl_protocols", "!SSLv2" }, ++ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, ++ { "ssl_prefer_server_ciphers", "no" }, + { "ssl_verify_client", "no" }, + { "ssl_verify_file", "" }, + { "ssl_verify_path", "" }, +--- zarafa-7.1.10/common/ECChannel.cpp 2014-05-23 15:56:36.000000000 +0200 ++++ zarafa-7.1.10/common/ECChannel.cpp.rsc 2014-08-12 19:48:00.000000000 +0200 +@@ -92,6 +92,11 @@ + HRESULT hr = hrSuccess; + char *szFile = NULL; + char *szPath = NULL; ++ char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols")); ++ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers"); ++ char *ssl_name; ++ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; ++ bool ssl_neg; + + if (lpConfig == NULL) { + hr = MAPI_E_CALL_FAILED; +@@ -107,11 +112,79 @@ + SSL_load_error_strings(); + lpCTX = SSL_CTX_new(SSLv23_server_method()); + SSL_CTX_set_options(lpCTX, SSL_OP_ALL); +- SSL_CTX_set_default_verify_paths(lpCTX); + +- // disable SSLv2 support +- if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no"))) +- SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2); ++ ssl_name = strtok(ssl_protocols, " "); ++ while(ssl_name != NULL) { ++ if (*ssl_name != '!') ++ ssl_neg = FALSE; ++ else { ++ ssl_name++; ++ ssl_neg = TRUE; ++ } ++ ++ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0) ++ ssl_proto = 0x01; ++ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0) ++ ssl_proto = 0x02; ++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0) ++ ssl_proto = 0x04; ++#ifdef SSL_TXT_TLSV1_1 ++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0) ++ ssl_proto = 0x08; ++#endif ++#ifdef SSL_TXT_TLSV1_2 ++ else if (strcasecmp(ssl_name, 
SSL_TXT_TLSV1_2) == 0) ++ ssl_proto = 0x10; ++#endif ++ else { ++ lpLogger->Log(EC_LOGLEVEL_ERROR, "Unknown protocol '%s' in ssl_protocols setting", ssl_name); ++ hr = MAPI_E_CALL_FAILED; ++ goto exit; ++ } ++ ++ if (ssl_neg) ++ ssl_exclude |= ssl_proto; ++ else ++ ssl_include |= ssl_proto; ++ ++ ssl_name = strtok(NULL, " "); ++ } ++ ++ if (ssl_include != 0) { ++ // Exclude everything, except those that are included (and let excludes still override those) ++ ssl_exclude |= 0x1f & ~ssl_include; ++ } ++ ++ if ((ssl_exclude & 0x01) != 0) ++ ssl_op |= SSL_OP_NO_SSLv2; ++ if ((ssl_exclude & 0x02) != 0) ++ ssl_op |= SSL_OP_NO_SSLv3; ++ if ((ssl_exclude & 0x04) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1; ++#ifdef SSL_OP_NO_TLSv1_1 ++ if ((ssl_exclude & 0x08) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1_1; ++#endif ++#ifdef SSL_OP_NO_TLSv1_2 ++ if ((ssl_exclude & 0x10) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1_2; ++#endif ++ ++ if (ssl_protocols) { ++ SSL_CTX_set_options(lpCTX, ssl_op); ++ } ++ ++ if (ssl_ciphers && SSL_CTX_set_cipher_list(lpCTX, ssl_ciphers) != 1) { ++ lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set SSL cipher list to '%s': %s", ssl_ciphers, ERR_error_string(ERR_get_error(), 0)); ++ hr = MAPI_E_CALL_FAILED; ++ goto exit; ++ } ++ ++ if (parseBool(lpConfig->GetSetting("ssl_prefer_server_ciphers"))) { ++ SSL_CTX_set_options(lpCTX, SSL_OP_CIPHER_SERVER_PREFERENCE); ++ } ++ ++ SSL_CTX_set_default_verify_paths(lpCTX); + + if (SSL_CTX_use_certificate_chain_file(lpCTX, lpConfig->GetSetting("ssl_certificate_file")) != 1) { + lpLogger->Log(EC_LOGLEVEL_ERROR, "SSL CTX certificate file error: %s", ERR_error_string(ERR_get_error(), 0)); +--- zarafa-7.1.10/doc/manual.xml 2014-05-23 15:01:13.000000000 +0200 ++++ zarafa-7.1.10/doc/manual.xml.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -4226,11 +4226,33 @@ + + + +- ++ + +- Incoming SSL connections normally are v3. +- Default: no +- ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. 
If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ ++ ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++ ++ ++ ++ ++ ++ Prefer the server's order of SSL ciphers over client's. ++ Default: no + + + +@@ -8070,11 +8092,32 @@ + + + +- ++ ++ ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ ++ ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++ ++ ++ ++ + +- Accept SSLv2 only connections. SSLv2 is considered +- unsafe, and these connections should not be +- accepted. ++ Prefer the server's order of SSL ciphers over client's. + Default: no + + +@@ -10075,11 +10118,32 @@ + + + +- ++ ++ ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ ++ ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++ ++ ++ ++ + +- Accept SSLv2 only connections. SSLv2 is considered +- unsafe, and these connections should not be +- accepted. ++ Prefer the server's order of SSL ciphers over client's. 
+ Default: no + + +--- zarafa-7.1.10/gateway/Gateway.cpp 2014-05-23 15:56:37.000000000 +0200 ++++ zarafa-7.1.10/gateway/Gateway.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -365,7 +365,9 @@ + { "ssl_verify_client", "no" }, + { "ssl_verify_file", "" }, + { "ssl_verify_path", "" }, +- { "ssl_enable_v2", "no" }, ++ { "ssl_protocols", "!SSLv2" }, ++ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, ++ { "ssl_prefer_server_ciphers", "no" }, + { "log_method", "file" }, + { "log_file", "-" }, + { "log_level", "2", CONFIGSETTING_RELOADABLE }, +--- zarafa-7.1.10/installer/linux/gateway.cfg 2014-05-23 15:03:19.000000000 +0200 ++++ zarafa-7.1.10/installer/linux/gateway.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -84,8 +84,14 @@ + ssl_verify_file = + ssl_verify_path = + +-# Accept SSLv2 only incoming connections +-ssl_enable_v2 = no ++# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no' ++ssl_protocols = !SSLv2 ++ ++# SSL ciphers to use, set to 'ALL' for backward compatibility ++ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++# Prefer the server's order of SSL ciphers over client's ++ssl_prefer_server_ciphers = no + + # Process model, using pthreads (thread) or processes (fork) + process_model = fork +--- zarafa-7.1.10/installer/linux/ical.cfg 2014-05-23 15:03:19.000000000 +0200 ++++ zarafa-7.1.10/installer/linux/ical.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -66,8 +66,14 @@ + ssl_verify_file = + ssl_verify_path = + +-# Accept SSLv2 only incoming connections +-ssl_enable_v2 = no ++# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no' ++ssl_protocols = !SSLv2 ++ ++# SSL ciphers to use, set to 'ALL' for backward compatibility ++ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++# Prefer the server's order of SSL ciphers over client's ++ssl_prefer_server_ciphers = no + + ############################################################## + # OTHER ICAL SETTINGS +--- zarafa-7.1.10/installer/linux/server.cfg 2014-05-23 15:03:19.000000000 +0200 ++++ 
zarafa-7.1.10/installer/linux/server.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -154,8 +154,14 @@ + # Path with CA certificates, e.g. /etc/ssl/certs + server_ssl_ca_path = + +-# Accept SSLv2 only connections. Normally v3 connections are used. +-server_ssl_enable_v2 = no ++# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no' ++server_ssl_protocols = !SSLv2 ++ ++# SSL ciphers to use, set to 'ALL' for backward compatibility ++server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++# Prefer the server's order of SSL ciphers over client's ++server_ssl_prefer_server_ciphers = no + + # Path of SSL Public keys of clients + sslkeys_path = /etc/zarafa/sslkeys +--- zarafa-7.1.10/provider/server/ECServer.cpp 2014-05-23 15:56:37.000000000 +0200 ++++ zarafa-7.1.10/provider/server/ECServer.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -919,7 +919,9 @@ + { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT }, + { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" }, + { "server_ssl_ca_path", "" }, +- { "server_ssl_enable_v2", "no" }, ++ { "server_ssl_protocols", "!SSLv2" }, ++ { "server_ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, ++ { "server_ssl_prefer_server_ciphers", "no" }, + { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys + // Database options + { "database_engine", "mysql" }, +--- zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp 2014-05-23 15:56:37.000000000 +0200 ++++ zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 +@@ -240,6 +240,11 @@ + ECRESULT er = erSuccess; + int socket = SOAP_INVALID_SOCKET; + struct soap *lpsSoap = NULL; ++ char *server_ssl_protocols = strdup(m_lpConfig->GetSetting("server_ssl_protocols")); ++ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers"); ++ char *ssl_name; ++ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; ++ bool ssl_neg; + + if(lpServerName == NULL) { + er = ZARAFA_E_INVALID_PARAMETER; +@@ -270,10 +275,79 @@ + 
goto exit; + } + +- // disable SSLv2 support +- if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no"))) +- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2); +- ++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL); ++ ++ ssl_name = strtok(server_ssl_protocols, " "); ++ while(ssl_name != NULL) { ++ if (*ssl_name != '!') ++ ssl_neg = FALSE; ++ else { ++ ssl_name++; ++ ssl_neg = TRUE; ++ } ++ ++ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0) ++ ssl_proto = 0x01; ++ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0) ++ ssl_proto = 0x02; ++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0) ++ ssl_proto = 0x04; ++#ifdef SSL_TXT_TLSV1_1 ++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0) ++ ssl_proto = 0x08; ++#endif ++#ifdef SSL_TXT_TLSV1_2 ++ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0) ++ ssl_proto = 0x10; ++#endif ++ else { ++ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unknown protocol '%s' in server_ssl_protocols setting", ssl_name); ++ er = ZARAFA_E_CALL_FAILED; ++ goto exit; ++ } ++ ++ if (ssl_neg) ++ ssl_exclude |= ssl_proto; ++ else ++ ssl_include |= ssl_proto; ++ ++ ssl_name = strtok(NULL, " "); ++ } ++ ++ if (ssl_include != 0) { ++ // Exclude everything, except those that are included (and let excludes still override those) ++ ssl_exclude |= 0x1f & ~ssl_include; ++ } ++ ++ if ((ssl_exclude & 0x01) != 0) ++ ssl_op |= SSL_OP_NO_SSLv2; ++ if ((ssl_exclude & 0x02) != 0) ++ ssl_op |= SSL_OP_NO_SSLv3; ++ if ((ssl_exclude & 0x04) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1; ++#ifdef SSL_OP_NO_TLSv1_1 ++ if ((ssl_exclude & 0x08) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1_1; ++#endif ++#ifdef SSL_OP_NO_TLSv1_2 ++ if ((ssl_exclude & 0x10) != 0) ++ ssl_op |= SSL_OP_NO_TLSv1_2; ++#endif ++ ++ if (server_ssl_protocols) { ++ SSL_CTX_set_options(lpsSoap->ctx, ssl_op); ++ } ++ ++ if (server_ssl_ciphers && SSL_CTX_set_cipher_list(lpsSoap->ctx, server_ssl_ciphers) != 1) { ++ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Can not set SSL cipher list to '%s': %s", server_ssl_ciphers, 
ERR_error_string(ERR_get_error(), 0)); ++ er = ZARAFA_E_CALL_FAILED; ++ goto exit; ++ } ++ ++ if (parseBool(m_lpConfig->GetSetting("server_ssl_prefer_server_ciphers"))) { ++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); ++ } ++ + // request certificate from client, is OK if not present. + SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL); + diff --git a/zarafa-7.1.11-php-unbundle.patch b/zarafa-7.1.11-php-unbundle.patch new file mode 100644 index 0000000..0934c0e --- /dev/null +++ b/zarafa-7.1.11-php-unbundle.patch 
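Review bot: In both ECChannel.cpp and ECSoapServerConnection.cpp the new initializer `char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols"));` dereferences `lpConfig` before the existing `if (lpConfig == NULL)` guard runs (and `strdup()` on a NULL setting is undefined), while the later `if (ssl_protocols)` test sits after `strtok()` has already walked the buffer and so guards nothing. No `free(ssl_protocols)` is visible on any of the `goto exit` paths (the `exit:` labels of both functions lie outside the hunk), so each context setup appears to leak the copy, and `strtok()` is not reentrant, which could matter if the gateway runs with the threaded `process_model` the config comment mentions. I would move the `strdup()` below the NULL check, walk it with `strtok_r()`, and add `free(ssl_protocols);` at the exit label. Separately, the shipped default `ssl_protocols = !SSLv2` still leaves SSLv3 negotiable and `ALL:!LOW:!SSLv2:!EXP:!aNULL` still admits RC4 and MD5 suites, as the patch description itself concedes; `!SSLv2 !SSLv3` together with something like `HIGH:!aNULL:!MD5:!RC4` would be a safer default, with the old value documented as the compatibility fallback.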
@@ -0,0 +1,39 @@ +Patch by Robert Scheck for zarafa >= 7.1.11 which removes the bundled PHP PEAR files/libraries +and replaces them by files and libraries shipped by the distribution. From file server/PEAR/JSON.php only the function +json_decode() is used, which can be provided by the php-json RPM package. The file server/PEAR/XML/Unserializer.php can +be provided by the php-pear-XML-Serializer RPM package. The rest of the PHP PEAR files/libraries are only dependencies of +these two files mentioned before (which are satisfied by the two newly required RPM packages). + +--- zarafa-7.1.11.rsc/php-webclient-ajax/config.php.dist 2014-09-03 09:56:49.000000000 +0200 ++++ zarafa-7.1.11.rsc/php-webclient-ajax/config.php.dist.php-unbundle 2014-09-07 18:24:28.000000000 +0200 +@@ -56,7 +56,7 @@ + + // Define the server paths + set_include_path(BASE_PATH. PATH_SEPARATOR . +- BASE_PATH."server/PEAR/" . PATH_SEPARATOR . ++ "/usr/share/pear/" . PATH_SEPARATOR . + "/usr/share/php/"); + + // Define the relative URL for dialogs, this string is appended with HTTP GET arguments +--- zarafa-7.1.11.rsc/php-webclient-ajax/zarafa.php 2014-09-03 10:45:06.000000000 +0200 ++++ zarafa-7.1.11.rsc/php-webclient-ajax/zarafa.php.php-unbundle 2014-09-07 18:21:36.000000000 +0200 +@@ -59,7 +59,7 @@ + include("config.php"); + include("defaults.php"); + include("server/util.php"); +- require("server/PEAR/JSON.php"); ++ @include("server/PEAR/JSON.php"); + + require("mapi/mapi.util.php"); + require("mapi/mapicode.php"); +--- zarafa-7.1.11.rsc/php-webclient-ajax/server/core/class.xmlparser.php 2014-09-03 10:45:06.000000000 +0200 ++++ zarafa-7.1.11.rsc/php-webclient-ajax/server/core/class.xmlparser.php.php-unbundle 2014-09-07 18:22:40.000000000 +0200 +@@ -50,7 +50,7 @@ + + ?> + for Zarafa <= 7.1.11 which enhances my earlier +this year implemented "disable_plaintext_auth" feature (new option in Zarafa >= 7.1.10 to disable +all plaintext authentications unless SSL/TLS is used), 
https://jira.zarafa.com/browse/ZCP-12142 +contains the initial implementation and a more verbose feature description. + +Given that there are unfortunately still Zarafa systems around using saslauthd without pam_mapi +but rimap instead the "disable_plaintext_auth" feature prevents them from enabling this option as +rimap doesn't support SSL/TLS; https://jira.zarafa.com/browse/ZCP-12473 contains an example report +by a Zarafa customer. Thus this patch adds an exception if the source IPv4 address is "127.0.0.1" +and allows even if "disable_plaintext_auth" is enabled a cleartext authentication. It was a design +decision to check only for 127.0.0.1/32 rather 127.0.0.0/8 because there seem to be systems where +the loopback network except 127.0.0.1/32 is routable?! + +Important: The technical implementation of this patch might be not perfect as I am not really a C/ +C++ developer. There should be a code review by an experienced C/C++ developer before merging into +Zarafa core. + +--- zarafa-7.1.11/gateway/IMAP.cpp 2014-09-03 10:45:06.000000000 +0200 ++++ zarafa-7.1.11/gateway/IMAP.cpp.plaintext_auth_localhost 2014-09-24 01:29:10.000000000 +0200 +@@ -757,7 +757,7 @@ + if (!lpChannel->UsingSsl() && lpChannel->sslctx()) + strCapabilities += " STARTTLS"; + +- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) ++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) + strCapabilities += " LOGINDISABLED"; + else + strCapabilities += " AUTH=PLAIN"; +@@ -923,7 +923,7 @@ + char *plain = lpConfig->GetSetting("disable_plaintext_auth"); + + // If plaintext authentication was disabled any authentication attempt must be refused very soon +- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) { ++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && 
strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) { + hr2 = HrResponse(RESP_TAGGED_NO, strTag, "[PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure " + "(SSL/TLS) connections."); + if (hr2 != hrSuccess) +@@ -1002,7 +1002,7 @@ + } + + // If plaintext authentication was disabled any login attempt must be refused very soon +- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) { ++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) { + hr2 = HrResponse(RESP_UNTAGGED, "BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client " + "did it anyway. If anyone was listening, the password was exposed."); + if (hr2 != hrSuccess) +--- zarafa-7.1.11/gateway/POP3.cpp 2014-09-03 10:45:06.000000000 +0200 ++++ zarafa-7.1.11/gateway/POP3.cpp.plaintext_auth_localhost 2014-09-24 01:30:41.000000000 +0200 +@@ -320,7 +320,7 @@ + if (!lpChannel->UsingSsl() && lpChannel->sslctx()) + strCapabilities += "STLS\r\n"; + +- if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0)) ++ if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0)) + strCapabilities += "USER\r\n"; + } + +@@ -402,7 +402,7 @@ + HRESULT hr = hrSuccess; + char *plain = lpConfig->GetSetting("disable_plaintext_auth"); + +- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) { ++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) { + hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections"); + lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s with username \"%s\" (tried to use disallowed plaintext auth)", + 
lpChannel->GetIPAddress().c_str(), strUser.c_str()); +@@ -431,7 +431,7 @@ + HRESULT hr = hrSuccess; + char *plain = lpConfig->GetSetting("disable_plaintext_auth"); + +- if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0) { ++ if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0) { + hr = HrResponse(POP3_RESP_AUTH_ERROR, "Plaintext authentication disallowed on non-secure (SSL/TLS) connections"); + if(szUser.empty()) + lpLogger->Log(EC_LOGLEVEL_ERROR, "Aborted login from %s without username (tried to use disallowed " +--- zarafa-7.1.11/doc/manual.xml 2014-09-03 09:56:28.000000000 +0200 ++++ zarafa-7.1.11/doc/manual.xml.plaintext_auth_localhost 2014-10-15 01:22:14.000000000 +0200 +@@ -8024,7 +8024,9 @@ + + + Disable all plaintext POP3 and IMAP authentications unless +- SSL/TLS is used. Obviously this requires at least ++ SSL/TLS is used (except for connections originating from ++ 127.0.0.1 to allow saslauthd with rimap). ++ Obviously enabling this configuration option requires at least + ssl_private_key_file and + ssl_certificate_file to take effect. + Default: no diff --git a/zarafa-7.1.11-rpath.patch b/zarafa-7.1.11-rpath.patch new file mode 100644 index 0000000..88ac16f --- /dev/null +++ b/zarafa-7.1.11-rpath.patch 
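Review bot: The loopback exception added to every `disable_plaintext_auth` check keys solely on `strcmp(lpChannel->GetIPAddress().c_str(), "127.0.0.1") != 0`, so a TLS-terminating proxy, stunnel or port forward on the same host makes every remote client appear as 127.0.0.1 and silently re-enables cleartext LOGIN and USER/PASS for all of them, and the same string compare never matches `::1`, so the saslauthd/rimap case this is meant for breaks as soon as it connects over IPv6. The condition is now copy-pasted six times across IMAP.cpp and POP3.cpp with no shared predicate, which is exactly how one site will drift from the others on the next change; I would fold it into a single helper (for example a `bool PlaintextAuthAllowed(const ECChannel *lpChannel, const ECConfig *lpConfig)` in a common header) and keep the loopback rule in one place. At minimum the manual.xml text should carry the caveat, e.g. `Do not rely on this exception behind a local SSL/TLS proxy or port forward, as all connections then appear to originate from 127.0.0.1.` The enclosing functions in IMAP.cpp and POP3.cpp all start and end outside these hunks.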
@@ -0,0 +1,85 @@
+Patch by Robert Scheck for zarafa >= 7.1.11, which works
+around the broken libtool of Debian. Multilib/multiarch systems like Fedora or Red
+Hat Enterprise Linux are using /usr/lib64 for 64 bit libraries and /usr/lib is used
+for 32 bit libraries. That allows to run 32 bit software on 64 bit systems. Debian
+systems only use /usr/lib which contains only 32 or 64 bit systems depending on the
+architecture.
+
+Libtool hardcodes the runtime search path in a library (rpath), if the library that
+is used for linking is not within the default system library path. The result is,
+that if aclocal.m4/configure files are generated by a Debian system, but used on a
+Fedora or Red Hat Enterprise Linux 64 bit system for compiling, "-rpath /usr/lib64"
+makes it into the binary.
+
+Fedora and EPEL (for Red Hat Enterprise Linux) do not allow binaries with rpath, as
+the Linux dynamic linker is usually smarter than the hardcoded path.
+
+The fix for this issue is to add the optional /lib64 and /usr/lib64 directories at/
+within libtool in front of the regular /lib and /usr/lib directories at the system
+library path. These libtool information are hold in aclocal.m4, which is generated
+by running aclocal. As the content of aclocal.m4 is included into configure during
+a run of autoconf, aclocal.m4 needs to be modified within the upstream build system
+each time after a aclocal run - until Debian's libtool is fixed at Debian upstream.
+
+Applying the fix is either possible by using the first hunk of the patch (second
+hunk is runtime-only if configure file has been already generated) or by running
+the following sed command after each aclocal run within the upstream build system:
+
+ sed -e 's@\(# Append ld.so.conf contents to the search path\)@# Add ABI-specific directories to the system library path.\n sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"\n\n \1@' \
+ -e 's@/lib /usr/lib $lt_ld_extra@$sys_lib_dlsearch_path_spec $lt_ld_extra@' -i zarafa-7.1.11/aclocal.m4
+
+More information regarding this topic can be found for example at:
+
+ - http://osdir.com/ml/bug-libtool-gnu/2009-12/msg00034.html
+ - http://lists.gnu.org/archive/html/libtool/2009-01/msg00039.html
+ - http://thread.gmane.org/gmane.comp.gnu.libtool.general/8339/focus=8345
+
+--- zarafa-7.1.11/aclocal.m4 2014-09-03 09:56:52.000000000 +0200
++++ zarafa-7.1.11/aclocal.m4.rpath 2014-09-07 17:20:37.000000000 +0200
+@@ -2672,10 +2672,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+--- zarafa-7.1.11/configure 2014-09-03 09:56:53.000000000 +0200
++++ zarafa-7.1.11/configure.rpath 2014-09-07 17:28:07.000000000 +0200
+@@ -10983,10 +10983,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+@@ -16025,10 +16028,13 @@
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
new file mode 100644
index 0000000..f1a1a8e
--- /dev/null
+++ b/zarafa-7.1.9-ssl_ecdhe.patch
@@ -0,0 +1,82 @@
+Patch by Robert Scheck for Zarafa <= 7.1.9 which implements ECDHE (elliptic
+curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
+providing more information about elliptic curves.
+
+Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
+
+1. echo QUIT | openssl s_client -connect :110 -starttls pop3 2>&1 | grep Cipher
+2. echo QUIT | openssl s_client -connect :143 -starttls imap 2>&1 | grep Cipher
+3. echo QUIT | openssl s_client -connect :237 2>&1 | grep Cipher
+4. echo QUIT | openssl s_client -connect :993 2>&1 | grep Cipher
+5. echo QUIT | openssl s_client -connect :995 2>&1 | grep Cipher
+6. echo QUIT | openssl s_client -connect :8443 2>&1 | grep Cipher
+
+After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
+Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
+is e.g. "AES256-GCM-SHA384".
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
+developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
+by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
+
+This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
+not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+
+--- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
++++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
+@@ -97,6 +97,9 @@
+ char *ssl_name;
+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
+ bool ssl_neg;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if (lpConfig == NULL) {
+ hr = MAPI_E_CALL_FAILED;
+@@ -113,6 +116,16 @@
+ lpCTX = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ if (*ssl_name != '!')
+--- zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp 2014-04-13 23:46:59.000000000 +0200
++++ zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2014-04-14 00:00:54.000000000 +0200
+@@ -245,6 +245,9 @@
+ char *ssl_name;
+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
+ bool ssl_neg;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if(lpServerName == NULL) {
+ er = ZARAFA_E_INVALID_PARAMETER;
+@@ -277,6 +280,16 @@
+
+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(server_ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ if (*ssl_name != '!')
diff --git a/zarafa.spec b/zarafa.spec
index 2750d7f..6801a2b 100644
--- a/zarafa.spec
+++ b/zarafa.spec
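Review bot: A NULL result from `EC_KEY_new_by_curve_name()` and a failed `SSL_CTX_set_tmp_ecdh()` are both silent in the second hunk for ECChannel.cpp and again in ECSoapServerConnection.cpp, so a host whose OpenSSL lacks a usable curve quietly loses the forward secrecy the changelog advertises and nobody sees it in the logs; the enclosing functions start and end outside these hunks. Check the return value and log at warning level through whatever logger each function already has, e.g. `if (SSL_CTX_set_tmp_ecdh(lpCTX, ecdh) != 1) /* log: ECDHE unavailable */;` plus an `else` branch for the NULL case. The same ten lines are duplicated between the two files; a small shared helper in ECChannel taking the `SSL_CTX *` would keep the two listeners from drifting apart. On OpenSSL 1.0.2 or later, `SSL_CTX_set_ecdh_auto(ctx, 1)` lets the library negotiate a curve the client supports instead of pinning prime256v1, which is worth noting in the patch header for whoever rebases it.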
@@ -1,6 +1,6 @@ %global beta_or_rc 0 -%global actual_release 4 -%global svnrevision 44973 +%global actual_release 1 +%global svnrevision 46050 %global with_search 1 %global with_ldap 1 %global with_xmlto 1 @@ -10,6 +10,7 @@ %global with_gsoap 0 %endif %global no_multiupload 1 +%global no_bundled_php 1 %global php_apiver %((echo 0; php -i 2>/dev/null | sed -n 's/^PHP API => //p') | tail -1) %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))") @@ -30,9 +31,9 @@ Summary: Open Source Edition of the Zarafa Collaboration Platform Name: zarafa -Version: 7.1.10 +Version: 7.1.11 %if %{beta_or_rc} -Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}.1 +Release: 0.%{actual_release}.svn%{svnrevision}%{?dist} %else Release: %{actual_release}%{?dist} %endif @@ -53,9 +54,12 @@ Source1: %{name}.ini Source2: %{name}.logrotate Source3: %{name}-webaccess.conf -Patch0: zarafa-7.0.9-rpath.patch -Patch1: zarafa-7.1.10-kyotocabinet.patch -Patch2: zarafa-7.1.10-mariadb.patch +Patch0: zarafa-7.1.11-rpath.patch +Patch1: zarafa-7.1.11-php-unbundle.patch +Patch2: zarafa-7.1.10-kyotocabinet.patch +Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch +Patch4: zarafa-7.1.9-ssl_ecdhe.patch +Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch BuildRequires: bison BuildRequires: gcc-c++ @@ -315,6 +319,9 @@ Requires: mod_php >= 4.3 %else Requires: php >= 4.3, php-openssl %endif +%if %{no_bundled_php} +Requires: php-json, php-pear-XML-Serializer +%endif %if 0%{?rhel}%{?fedora} > 5 BuildArch: noarch %endif @@ -377,8 +384,13 @@ to interact with Zarafa. %setup -q %patch0 -p1 -b .rpath touch -c -r aclocal.m4.rpath aclocal.m4 -%patch1 -p1 -b .kyotocabinet -%patch2 -p1 -b .mariadb +%if %{no_bundled_php} +%patch1 -p1 -b .php-unbundle +%endif +%patch2 -p1 -b .kyotocabinet +%patch3 -p1 -b .ssl_protocols_ciphers +%patch4 -p1 -b .ssl_ecdhe +%patch5 -p1 -b .disable_plaintext_auth-localhost %build %if 0%{?rhel}%{?fedora} < 6 
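Review bot: The backup suffix on the new `%patch5` line in `@@ -377,8 +384,13 @@`, `.disable_plaintext_auth-localhost`, does not mirror the patch's basename the way every other `-b` suffix in this hunk does (`.rpath`, `.php-unbundle`, `.kyotocabinet`, `.ssl_protocols_ciphers`, `.ssl_ecdhe`); `%patch5 -p1 -b .plaintext_auth_localhost` keeps the convention. The same hunk together with `@@ -53,9 +54,12 @@` drops `zarafa-7.1.10-mariadb.patch` and renumbers Patch1/Patch2, yet the changelog entry added later in this commit does not mention the mariadb patch; if upstream 7.1.11 absorbed it, one changelog line saying so spares the next packager a search. `Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch` is applied unconditionally but, per that changelog, only allows POODLE mitigation; whether the shipped defaults for the `ssl_protocols` settings exclude SSLv3 is not visible in this diff, so the spec comment or changelog should state whether an unedited configuration is still SSLv3-capable.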
@@ -522,7 +534,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/plugins/ # Remove unwanted language connectors and webaccess files rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.{cfm,pl} -rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf} +rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf,senddocument.php} # Remove flash-based multi-attachment upload (missing source) %if %{no_multiupload} @@ -533,6 +545,12 @@ mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/webaccess/config.php{.new,} rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/swfupload/ %endif +# Remove bundled PHP PEAR files/libraries +%if %{no_bundled_php} +rm -rf $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/server/PEAR +rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.,server/core}/*.php-unbundle +%endif + # Remove files only required by proprietary web services rm -rf $RPM_BUILD_ROOT{%{_sysconfdir}/%{name}/ws.cfg,%{_datadir}/zarafa/timezones} @@ -916,6 +934,16 @@ fi %{python_sitearch}/* %changelog +* Wed Oct 15 2014 Robert Scheck 7.1.11-1 +- Upgrade to 7.1.11 (#1139442) +- Removed bundled PHP PEAR files/libraries +- Added patch to allow mitigation of SSLv3/POODLE vulnerability +- Added patch to implement ECDHE support (depending on OpenSSL) +- Added patch to allow plaintext authentication from 127.0.0.1 + +* Tue Aug 26 2014 David Tardon - 7.1.10-5 +- rebuild for ICU 53.1 + * Mon Aug 25 2014 Robert Scheck 7.1.10-4 - Fixed multiple incorrect default permissions (#1133439)
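Review bot: `senddocument.php` is added to the `rm -f` brace list in `@@ -522,7 +534,7 @@` without any comment or changelog line saying why it is dropped, and the comment above it, `# Remove unwanted language connectors and webaccess files`, does not cover it. Put the reason on that comment, e.g. `# Remove unwanted language connectors and webaccess files (senddocument.php: <reason, to be filled in>)`; if the script goes because it is unused once PEAR is unbundled, or for a security reason, the changelog entry should say so as well.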
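Review bot: In `@@ -533,6 +545,12 @@` the cleanup of the `%patch1 -b .php-unbundle` backup copies is limited to two hard-coded directories, `{.,server/core}`; any file the php-unbundle patch touches elsewhere under the webaccess tree would leave a `*.php-unbundle` copy of the original PHP source inside the packaged web root, and httpd typically serves such a non-`.php` file as plain text. Whether the patch touches other directories is not visible here, so make the cleanup tree-wide: `find $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess -name '*.php-unbundle' -delete`. The `rm -rf` of `server/PEAR` above it is fine as written.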