robert pushed to zarafa (f21). "Upgrade to 7.1.12"
notifications at fedoraproject.org
Tue Apr 7 18:37:49 UTC 2015
From 17841d83c9a5d875bf788bed28173e1a621c7d68 Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Tue, 7 Apr 2015 20:37:32 +0200
Subject: Upgrade to 7.1.12
diff --git a/sources b/sources
index cfbf649..4a70ced 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7317dd7889303abbbd30e39f04771f10 zcp-7.1.11.tar.gz
+98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz
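Review bot: the only integrity record for the new tarball in `sources` is a 32-hex-digit (MD5) digest, `98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz`; MD5 no longer resists collision attacks, so recording a SHA-256 digest as well, or checking the download against an upstream signature before updating this line, would give stronger assurance that the rebuild is based on the intended upstream source.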
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
deleted file mode 100644
index 876df60..0000000
--- a/zarafa-7.1.10-ssl_protocols_ciphers.patch
+++ /dev/null
@@ -1,449 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.10 which implements much more
-fine granulated configuration settings for SSL/TLS protocol and cipher enabling and disabling. The
-currently available "ssl_enable_v2" setting allows either to disable SSLv2 (and enables SSLv3 only
-instead) or to enable all, thus SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (TLSv1.1 and TLSv1.2 only
-if Zarafa was linked against OpenSSL 1.0.1 or later). Since SSLv2 has known protocol weaknesses it
-never should be enabled - but for Zarafa it currently must be enabled to support TLSv1 and better.
-
-This patch introduces the new setting "ssl_protocols" which replaces "ssl_enable_v2". The default
-is "!SSLv2" to simply disable SSLv2 by default. The setting can be filled either with SSL protocols
-that shall be enabled and/or disabled, e.g. "SSLv3 TLSv1" or "!SSLv2 !SSLv3". However only the more
-usual disable/exclude option should be used as this does not exclude future protocols by default.
-
-Further this patch introduces the completely new setting "ssl_ciphers". This one allows to set SSL
-cipher suites. Right now, all SSL ciphers are accepted which is just weak or might Zarafa even make
-even vulnerable to known SSL attacks. The German Federal Office for Information Security (BSI) says
-that RC4 should not be used anymore - but Zarafa does it by default. And without this patch there
-is also no way for Zarafa administrators to avoid that. Indeed this setting has the risk to get the
-administrators ending up in a cipher mismatch between different systems but this new setting still
-could be declared as officially unsupported and only for the brave ones who know what they do. Thus
-the default is already set to something less weak than before but still below BSI recommendations.
-
-Finally this patch introduces the also new setting "ssl_prefer_server_ciphers". It does what it is
-named after: When choosing a cipher during an SSL/TLS handshake, normally the client's preference
-is used. If this setting is enabled, the server's preference will be used instead. This comes handy
-to administrators for strange cipher orderings required for special configurations and clients - or
-new weaknesses where workarounds are required for the time being.
-
-Testing: Configure zarafa-gateway, zarafa-ical and zarafa-server for cleartext and SSL as usual.
-Try to login via POP3S, IMAPS, CalDAV-SSL and MAPI in SOAP over HTTPS. Change SSL protocols and the
-ciphers to something more weak ("SSLv2" and "LOW") or to something more strong ("TLSv1.2" and e.g.
-"HIGH"). During all my tests I did not figure out any newly introduced issue or Zarafa breakage.
-
-Important: The technical implementation of this patch might be not perfect as I am not really a C/
-C++ developer. The logic and the implementation is heavily based on Dovecot, Postfix and hints from
-https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/. There should be
-a code review and code clean up by an experienced C/C++ developer before merging into Zarafa core.
-
-This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch,
-the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before.
-
-Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12143.
-
---- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200
-+++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -220,7 +220,9 @@
- { "log_timestamp", "1" },
- { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" },
- { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" },
-- { "ssl_enable_v2", "no" },
-+ { "ssl_protocols", "!SSLv2" },
-+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "ssl_prefer_server_ciphers", "no" },
- { "ssl_verify_client", "no" },
- { "ssl_verify_file", "" },
- { "ssl_verify_path", "" },
---- zarafa-7.1.10/common/ECChannel.cpp 2014-05-23 15:56:36.000000000 +0200
-+++ zarafa-7.1.10/common/ECChannel.cpp.rsc 2014-08-12 19:48:00.000000000 +0200
-@@ -92,6 +92,11 @@
- HRESULT hr = hrSuccess;
- char *szFile = NULL;
- char *szPath = NULL;
-+ char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols"));
-+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
-+ char *ssl_name;
-+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
-+ bool ssl_neg;
-
- if (lpConfig == NULL) {
- hr = MAPI_E_CALL_FAILED;
-@@ -107,11 +112,79 @@
- SSL_load_error_strings();
- lpCTX = SSL_CTX_new(SSLv23_server_method());
- SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
-- SSL_CTX_set_default_verify_paths(lpCTX);
-
-- // disable SSLv2 support
-- if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no")))
-- SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2);
-+ ssl_name = strtok(ssl_protocols, " ");
-+ while(ssl_name != NULL) {
-+ if (*ssl_name != '!')
-+ ssl_neg = FALSE;
-+ else {
-+ ssl_name++;
-+ ssl_neg = TRUE;
-+ }
-+
-+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
-+ ssl_proto = 0x01;
-+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
-+ ssl_proto = 0x02;
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
-+ ssl_proto = 0x04;
-+#ifdef SSL_TXT_TLSV1_1
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
-+ ssl_proto = 0x08;
-+#endif
-+#ifdef SSL_TXT_TLSV1_2
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
-+ ssl_proto = 0x10;
-+#endif
-+ else {
-+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Unknown protocol '%s' in ssl_protocols setting", ssl_name);
-+ hr = MAPI_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (ssl_neg)
-+ ssl_exclude |= ssl_proto;
-+ else
-+ ssl_include |= ssl_proto;
-+
-+ ssl_name = strtok(NULL, " ");
-+ }
-+
-+ if (ssl_include != 0) {
-+ // Exclude everything, except those that are included (and let excludes still override those)
-+ ssl_exclude |= 0x1f & ~ssl_include;
-+ }
-+
-+ if ((ssl_exclude & 0x01) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv2;
-+ if ((ssl_exclude & 0x02) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv3;
-+ if ((ssl_exclude & 0x04) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_TLSv1_1
-+ if ((ssl_exclude & 0x08) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_1;
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+ if ((ssl_exclude & 0x10) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_2;
-+#endif
-+
-+ if (ssl_protocols) {
-+ SSL_CTX_set_options(lpCTX, ssl_op);
-+ }
-+
-+ if (ssl_ciphers && SSL_CTX_set_cipher_list(lpCTX, ssl_ciphers) != 1) {
-+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set SSL cipher list to '%s': %s", ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
-+ hr = MAPI_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (parseBool(lpConfig->GetSetting("ssl_prefer_server_ciphers"))) {
-+ SSL_CTX_set_options(lpCTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
-+ }
-+
-+ SSL_CTX_set_default_verify_paths(lpCTX);
-
- if (SSL_CTX_use_certificate_chain_file(lpCTX, lpConfig->GetSetting("ssl_certificate_file")) != 1) {
- lpLogger->Log(EC_LOGLEVEL_ERROR, "SSL CTX certificate file error: %s", ERR_error_string(ERR_get_error(), 0));
---- zarafa-7.1.10/doc/manual.xml 2014-05-23 15:01:13.000000000 +0200
-+++ zarafa-7.1.10/doc/manual.xml.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -4226,11 +4226,33 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>server_ssl_enable_v2</option></term>
-+ <term><option>server_ssl_protocols</option></term>
- <listitem>
-- <para>Incoming SSL connections normally are v3.</para>
-- <para>Default: <replaceable>no</replaceable>
-- </para>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>server_ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>server_ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>server_ssl_prefer_server_ciphers</option></term>
-+ <listitem>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
-+ <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
-
-@@ -8070,11 +8092,32 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>ssl_enable_v2</option></term>
-+ <term><option>ssl_protocols</option></term>
-+ <listitem>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_prefer_server_ciphers</option></term>
- <listitem>
-- <para>Accept SSLv2 only connections. SSLv2 is considered
-- unsafe, and these connections should not be
-- accepted.</para>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
- <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
-@@ -10075,11 +10118,32 @@
- </varlistentry>
-
- <varlistentry>
-- <term><option>ssl_enable_v2</option></term>
-+ <term><option>ssl_protocols</option></term>
-+ <listitem>
-+ <para>Disabled or enabled protocol names. Supported protocol names
-+ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
-+ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
-+ OpenSSL 1.0.1 or later there is additional support for the new protocols
-+ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
-+ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
-+ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
-+ and these connections should not be accepted.</para>
-+ <para>Default: <replaceable>!SSLv2</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_ciphers</option></term>
-+ <listitem>
-+ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
-+ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term><option>ssl_prefer_server_ciphers</option></term>
- <listitem>
-- <para>Accept SSLv2 only connections. SSLv2 is considered
-- unsafe, and these connections should not be
-- accepted.</para>
-+ <para>Prefer the server's order of SSL ciphers over client's.</para>
- <para>Default: <replaceable>no</replaceable></para>
- </listitem>
- </varlistentry>
---- zarafa-7.1.10/gateway/Gateway.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/gateway/Gateway.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -365,7 +365,9 @@
- { "ssl_verify_client", "no" },
- { "ssl_verify_file", "" },
- { "ssl_verify_path", "" },
-- { "ssl_enable_v2", "no" },
-+ { "ssl_protocols", "!SSLv2" },
-+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "ssl_prefer_server_ciphers", "no" },
- { "log_method", "file" },
- { "log_file", "-" },
- { "log_level", "2", CONFIGSETTING_RELOADABLE },
---- zarafa-7.1.10/installer/linux/gateway.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/gateway.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -84,8 +84,14 @@
- ssl_verify_file =
- ssl_verify_path =
-
--# Accept SSLv2 only incoming connections
--ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
-+ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+ssl_prefer_server_ciphers = no
-
- # Process model, using pthreads (thread) or processes (fork)
- process_model = fork
---- zarafa-7.1.10/installer/linux/ical.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/ical.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -66,8 +66,14 @@
- ssl_verify_file =
- ssl_verify_path =
-
--# Accept SSLv2 only incoming connections
--ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no'
-+ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+ssl_prefer_server_ciphers = no
-
- ##############################################################
- # OTHER ICAL SETTINGS
---- zarafa-7.1.10/installer/linux/server.cfg 2014-05-23 15:03:19.000000000 +0200
-+++ zarafa-7.1.10/installer/linux/server.cfg.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -154,8 +154,14 @@
- # Path with CA certificates, e.g. /etc/ssl/certs
- server_ssl_ca_path =
-
--# Accept SSLv2 only connections. Normally v3 connections are used.
--server_ssl_enable_v2 = no
-+# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no'
-+server_ssl_protocols = !SSLv2
-+
-+# SSL ciphers to use, set to 'ALL' for backward compatibility
-+server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
-+
-+# Prefer the server's order of SSL ciphers over client's
-+server_ssl_prefer_server_ciphers = no
-
- # Path of SSL Public keys of clients
- sslkeys_path = /etc/zarafa/sslkeys
---- zarafa-7.1.10/provider/server/ECServer.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/provider/server/ECServer.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -919,7 +919,9 @@
- { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT },
- { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" },
- { "server_ssl_ca_path", "" },
-- { "server_ssl_enable_v2", "no" },
-+ { "server_ssl_protocols", "!SSLv2" },
-+ { "server_ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" },
-+ { "server_ssl_prefer_server_ciphers", "no" },
- { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys
- // Database options
- { "database_engine", "mysql" },
---- zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp 2014-05-23 15:56:37.000000000 +0200
-+++ zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp.rsc 2014-08-12 19:45:04.000000000 +0200
-@@ -240,6 +240,11 @@
- ECRESULT er = erSuccess;
- int socket = SOAP_INVALID_SOCKET;
- struct soap *lpsSoap = NULL;
-+ char *server_ssl_protocols = strdup(m_lpConfig->GetSetting("server_ssl_protocols"));
-+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
-+ char *ssl_name;
-+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
-+ bool ssl_neg;
-
- if(lpServerName == NULL) {
- er = ZARAFA_E_INVALID_PARAMETER;
-@@ -270,10 +275,79 @@
- goto exit;
- }
-
-- // disable SSLv2 support
-- if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no")))
-- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2);
--
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
-+
-+ ssl_name = strtok(server_ssl_protocols, " ");
-+ while(ssl_name != NULL) {
-+ if (*ssl_name != '!')
-+ ssl_neg = FALSE;
-+ else {
-+ ssl_name++;
-+ ssl_neg = TRUE;
-+ }
-+
-+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0)
-+ ssl_proto = 0x01;
-+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0)
-+ ssl_proto = 0x02;
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0)
-+ ssl_proto = 0x04;
-+#ifdef SSL_TXT_TLSV1_1
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0)
-+ ssl_proto = 0x08;
-+#endif
-+#ifdef SSL_TXT_TLSV1_2
-+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0)
-+ ssl_proto = 0x10;
-+#endif
-+ else {
-+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unknown protocol '%s' in server_ssl_protocols setting", ssl_name);
-+ er = ZARAFA_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (ssl_neg)
-+ ssl_exclude |= ssl_proto;
-+ else
-+ ssl_include |= ssl_proto;
-+
-+ ssl_name = strtok(NULL, " ");
-+ }
-+
-+ if (ssl_include != 0) {
-+ // Exclude everything, except those that are included (and let excludes still override those)
-+ ssl_exclude |= 0x1f & ~ssl_include;
-+ }
-+
-+ if ((ssl_exclude & 0x01) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv2;
-+ if ((ssl_exclude & 0x02) != 0)
-+ ssl_op |= SSL_OP_NO_SSLv3;
-+ if ((ssl_exclude & 0x04) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_TLSv1_1
-+ if ((ssl_exclude & 0x08) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_1;
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+ if ((ssl_exclude & 0x10) != 0)
-+ ssl_op |= SSL_OP_NO_TLSv1_2;
-+#endif
-+
-+ if (server_ssl_protocols) {
-+ SSL_CTX_set_options(lpsSoap->ctx, ssl_op);
-+ }
-+
-+ if (server_ssl_ciphers && SSL_CTX_set_cipher_list(lpsSoap->ctx, server_ssl_ciphers) != 1) {
-+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Can not set SSL cipher list to '%s': %s", server_ssl_ciphers, ERR_error_string(ERR_get_error(), 0));
-+ er = ZARAFA_E_CALL_FAILED;
-+ goto exit;
-+ }
-+
-+ if (parseBool(m_lpConfig->GetSetting("server_ssl_prefer_server_ciphers"))) {
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-+ }
-+
- // request certificate from client, is OK if not present.
- SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
-
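Review bot: the commit message "Upgrade to 7.1.12" does not say why zarafa-7.1.10-ssl_protocols_ciphers.patch is dropped; the ECChannel.cpp context in the new zarafa-7.1.12-ssl_ecdhe.patch further down still reads `char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");`, so the settings appear to have landed upstream (ZCP-12143), and the message should state that so a later maintainer can tell a merged patch from one that was lost. Two defects of the deleted version are worth checking in the upstream merge as well: `strdup(lpConfig->GetSetting("ssl_protocols"))` ran in the declarations before the `if (lpConfig == NULL)` check and the copy was never freed, and the `if (ssl_protocols)` test came only after strtok() had already walked the string.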
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
deleted file mode 100644
index 877b0e1..0000000
--- a/zarafa-7.1.11-gsoap-sslv3.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
-specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
-The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
-as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like
-the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
-
-Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
-upstream ticket Ticket#2014040210000266.
-
---- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200
-+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100
-@@ -162,9 +162,6 @@
-
- lpCmd->endpoint = strdup(strServerPath.c_str());
-
-- // override the gsoap default v23 method to the force safer v3 only method.
-- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method());
--
- #ifdef WITH_OPENSSL
- if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
- // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
-@@ -188,6 +185,14 @@
- lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
-
- SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
-+
-+ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
-+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-+
-+#ifdef SSL_OP_NO_COMPRESSION
-+ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
-+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
-+#endif
- }
- #endif
-
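Review bot: this deletion and the new zarafa-7.1.12-gsoap-sslv3.patch below carry the same SOAPSock.cpp change, only rebased onto 7.1.12 and with the header text reworded; a rename (git mv) followed by the edit would keep the patch's history in one place instead of a delete plus add. The code content is unchanged, so the remarks on the new file apply here too.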
diff --git a/zarafa-7.1.11-webaccess-mcrypt.patch b/zarafa-7.1.11-webaccess-mcrypt.patch
deleted file mode 100644
index 56b5274..0000000
--- a/zarafa-7.1.11-webaccess-mcrypt.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush,
-that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
-in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
-PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
-older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
-both shipping PHP < 5.3 by default) would still be left vulnerable.
-
-Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
-correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
-flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
-instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
-
-Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
-based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
-other macros):
-
-%if 0%{?rhel}%{?fedora} < 6
-Requires: php-mcrypt
-%else
-Requires: php-openssl
-%endif
-
-This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
-
-Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
-ticket https://jira.zarafa.com/browse/ZCP-12407.
-
---- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200
-@@ -135,6 +135,8 @@
- // if user has openssl module installed
- if(function_exists("openssl_encrypt")) {
- $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- } else {
- $_SESSION["password"] = $password;
- }
---- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200
-+++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200
-@@ -132,6 +132,8 @@
- if(is_string($username) && is_string($password)) {
- if(function_exists("openssl_decrypt")) {
- $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_decrypt")) {
-+ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
- }
- // logon
- $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
-@@ -139,6 +141,8 @@
-
- if(function_exists("openssl_encrypt")) {
- $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
-+ } elseif(function_exists("mcrypt_encrypt")) {
-+ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
- }
-
- if ($result == NOERROR && $this->session !== false){
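Review bot: dropping zarafa-7.1.11-webaccess-mcrypt.patch removes the mcrypt fallback, and the commit message does not say whether upstream took ZCP-12407 or whether PHP < 5.3 platforms are no longer a target; without this patch the `} else { $_SESSION["password"] = $password; }` branch in index.php is reached on PHP builds without `openssl_encrypt`, which is exactly the cleartext-session-password condition of CVE-2014-0103 that the patch header describes. Please state the reason in the commit message, or keep the patch if 7.1.12 still lacks the fallback.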
diff --git a/zarafa-7.1.12-gsoap-sslv3.patch b/zarafa-7.1.12-gsoap-sslv3.patch
new file mode 100644
index 0000000..b1e58f2
--- /dev/null
+++ b/zarafa-7.1.12-gsoap-sslv3.patch
@@ -0,0 +1,38 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.12 which disables weak SSLv2
+and SSLv3 protocols for encrypted SOAP connections between the Zarafa services. Until (including)
+the Zarafa 7.1.11 release the upstream default was to replace the SSLv23_method() that a pristine
+gSOAP library ships with the "safer" SSLv3_method(). With Zarafa 7.1.12 the SSLv3_method() was
+changed to SSLv23_method(). However this enables SSLv2 again (and still does not disable SSLv3).
+Thus this patch disables SSLv2 and SSLv3 as well as TLS compression explicitly; similar like the
+Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
+
+Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
+upstream ticket Ticket#2014040210000266.
+
+--- zarafa-7.1.12/provider/common/SOAPSock.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-04-07 16:32:20.000000000 +0200
+@@ -157,9 +157,6 @@
+
+ lpCmd->endpoint = strdup(strServerPath.c_str());
+
+- // default allow SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+- lpCmd->soap->ctx = SSL_CTX_new(SSLv23_method());
+-
+ #ifdef WITH_OPENSSL
+ if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
+ // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
+@@ -183,6 +180,14 @@
+ lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
+
+ SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
++
++ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++#ifdef SSL_OP_NO_COMPRESSION
++ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
++#endif
+ }
+ #endif
+
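Review bot: in the SOAPSock.cpp hunk the two `SSL_CTX_set_options(lpCmd->soap->ctx, ...)` calls can be folded into one (the flags are OR-ed into the context, and `SSL_OP_NO_COMPRESSION` can be OR-ed in under the same `#ifdef`), which keeps the protocol and compression policy in a single place. The header still says "Proposed to upstream via e-mail on Wed, 2 Apr 2014", copied from the 7.1.11 file, while the description now explains 7.1.12 behaviour; if the reworded version was not re-sent, say so. Placing the options inside `if (strncmp("https:", lpCmd->endpoint, 6) == 0)` after `SSL_CTX_set_verify` is right, since only TLS endpoints have a context to configure.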
diff --git a/zarafa-7.1.12-licensed-archiver.patch b/zarafa-7.1.12-licensed-archiver.patch
new file mode 100644
index 0000000..0ccde8c
--- /dev/null
+++ b/zarafa-7.1.12-licensed-archiver.patch
@@ -0,0 +1,117 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which removes a wrongly introduced dependency to the
+proprietary zarafa-licensed. From Zarafa 7.1.11 to 7.1.12 there were some changes to the ValidateArchiverLicense() method;
+due to these changes rebuilding fails with "ArchiverSession.cpp:53:23: fatal error: ECLicense.h: No such file or directory"
+now. The patch just reverts the changes that were introduced from 7.1.11 to 7.1.12 to get the code building again.
+
+--- zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp 2015-04-07 13:10:12.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp.licensed-archiver 2015-04-07 15:55:07.000000000 +0200
+@@ -50,8 +50,6 @@
+ #include "mapiext.h"
+ #include "userutil.h"
+ #include "ECMsgStore.h"
+-#include "ECLicense.h"
+-#include "ECMAPILicense.h"
+
+ typedef mapi_memory_ptr<ECSERVERLIST> ECServerListPtr;
+
+@@ -879,38 +877,7 @@
+ typedef mapi_object_ptr<ECMsgStore, IID_ECMsgStore> ECMsgStorePtr;
+
+ HRESULT ArchiverSession::ValidateArchiverLicense(bool attachnewuser /* = false*/) const {
+- IMsgStore *lpMsgStore = NULL;
+- IMsgStore *lpProxedMsgStore = NULL;
+- UnknownPtr ptrUnknown;
+- ECMsgStorePtr ptrOnlineStore;
+-
+- HRESULT hr = HrOpenDefaultStore(GetMAPISession(), MDB_WRITE | MDB_NO_DIALOG | MDB_NO_MAIL | MDB_TEMPORARY, &lpMsgStore);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = GetProxyStoreObject(lpMsgStore, &lpProxedMsgStore);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = lpProxedMsgStore->QueryInterface(IID_ECMsgStoreOnline, &ptrUnknown);
+- if (hr != hrSuccess)
+- goto exit;
+-
+- hr = ptrUnknown->QueryInterface(IID_ECMsgStore, &ptrOnlineStore);
+- if (hr != hrSuccess) {
+- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unable to validate archived user count. Please check the archiver and licensed log for errors.");
+- hr = MAPI_E_NO_SUPPORT;
+- goto exit;
+- }
+-
+- hr = HrCheckLicense(&ptrOnlineStore->m_xMsgStore, SERVICE_TYPE_ARCHIVE, ZARAFA_ARCHIVE_DEFAULT);
+- if (hr != hrSuccess)
+- {
+- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "No archiver license found.");
+- hr = MAPI_E_NO_SUPPORT;
+- }
+- else
+- {
++ HRESULT hr;
+ unsigned int ulArchivedUsers = 0;
+ unsigned int ulMaxUsers = 0;
+
+@@ -931,7 +898,6 @@
+ } else if (ulArchivedUsers + 5 >= ulMaxUsers) { //@todo which warning limit?
+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "You almost reached the archived user limit. Archived users %d of %d", ulArchivedUsers, ulMaxUsers);
+ }
+- }
+
+ exit:
+ return hr;
+--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am 2015-04-07 12:00:49.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am.licensed-archiver 2015-04-07 15:59:42.000000000 +0200
+@@ -9,7 +9,6 @@
+ -I${top_srcdir}/provider/client \
+ -I${top_srcdir}/provider/include \
+ -I${top_srcdir}/provider/soap \
+- -I${top_srcdir}/liblicense \
+ -I${top_builddir}/provider/soap \
+ $(GSOAP_CFLAGS) \
+ -I${top_srcdir}/common \
+@@ -17,9 +16,7 @@
+
+ libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+
+ libarchiver_la_SOURCES = \
+ ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \
+--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in 2015-04-07 12:03:40.000000000 +0200
++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in.licensed-archiver 2015-04-07 16:00:15.000000000 +0200
+@@ -112,9 +112,7 @@
+ libarchiver_la_DEPENDENCIES = \
+ ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+ am_libarchiver_la_OBJECTS = ArchiverSession.lo archiver-common.lo \
+ ArchiveManageImpl.lo ArchiveStateCollector.lo \
+ ArchiveStateUpdater.lo ArchiveHelper.lo StoreHelper.lo \
+@@ -395,7 +393,6 @@
+ -I${top_srcdir}/provider/client \
+ -I${top_srcdir}/provider/include \
+ -I${top_srcdir}/provider/soap \
+- -I${top_srcdir}/liblicense \
+ -I${top_builddir}/provider/soap \
+ $(GSOAP_CFLAGS) \
+ -I${top_srcdir}/common \
+@@ -403,9 +400,7 @@
+
+ libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \
+ ${top_builddir}/common/libcommon_mapi.la \
+- ${top_builddir}/common/libcommon_util.la \
+- ${top_builddir}/liblicense/liblicense.la \
+- ${top_builddir}/liblicense/liblicense_mapi.la
++ ${top_builddir}/common/libcommon_util.la
+
+ libarchiver_la_SOURCES = \
+ ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \
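Review bot: in the ArchiverSession.cpp hunk the reverted function now opens with an uninitialised `HRESULT hr;` and ends at `exit: return hr;`; the elided lines in between (the ulArchivedUsers / ulMaxUsers checks) are not visible here, so please confirm every path assigns hr before reaching `exit:`, or initialise it as `HRESULT hr = hrSuccess;` as the ECChannel.cpp context in this commit does. The Makefile.am and Makefile.in hunks are consistent with each other: the `-I${top_srcdir}/liblicense` include path and both liblicense libraries are removed in each, so the rebuild no longer needs the proprietary component the header describes.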
diff --git a/zarafa-7.1.12-ssl_ecdhe.patch b/zarafa-7.1.12-ssl_ecdhe.patch
new file mode 100644
index 0000000..837fba2
--- /dev/null
+++ b/zarafa-7.1.12-ssl_ecdhe.patch
@@ -0,0 +1,85 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which implements ECDHE (elliptic
+curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
+providing more information about elliptic curves.
+
+Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
+
+1. echo QUIT | openssl s_client -connect <host>:110 -starttls pop3 2>&1 | grep Cipher
+2. echo QUIT | openssl s_client -connect <host>:143 -starttls imap 2>&1 | grep Cipher
+3. echo QUIT | openssl s_client -connect <host>:237 2>&1 | grep Cipher
+4. echo QUIT | openssl s_client -connect <host>:993 2>&1 | grep Cipher
+5. echo QUIT | openssl s_client -connect <host>:995 2>&1 | grep Cipher
+6. echo QUIT | openssl s_client -connect <host>:8443 2>&1 | grep Cipher
+
+After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
+Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
+is e.g. "AES256-GCM-SHA384".
+
+Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
+developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
+by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
+
+This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
+not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
+
+Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, initial patch was put into upstream
+ticket https://jira.zarafa.com/browse/ZCP-12237.
+
+--- zarafa-7.1.12/common/ECChannel.cpp 2015-04-07 13:10:12.000000000 +0200
++++ zarafa-7.1.12/common/ECChannel.cpp.ssl_ecdhe 2015-04-07 17:12:15.000000000 +0200
+@@ -93,6 +93,9 @@
+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if (lpConfig == NULL) {
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "ECChannel::HrSetCtx(): invalid parameters");
+@@ -113,6 +116,16 @@
+
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL); // enable quirk and bug workarounds
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
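Review bot: SSL_CTX_set_tmp_ecdh() returns 1 on success and 0 on failure, but the result is discarded in the new `if (ecdh != NULL)` block, so a context where the call fails silently runs without ECDHE and the only symptom is the non-ECDHE `AES256-GCM-SHA384` result the patch header describes for an unpatched server; log the failure through lpLogger the way the `invalid parameters` path just above already does. Pinning prime256v1 is a reasonable lowest common denominator for the OpenSSL 1.0.1 builds the header targets, but on OpenSSL 1.0.2 and later `SSL_CTX_set_ecdh_auto(lpCTX, 1)` lets the library choose among the curves the client actually offered, so an `#ifdef SSL_CTX_set_ecdh_auto` branch would be worth adding. The `!defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)` guard works because the NID is a preprocessor macro from obj_mac.h, and calling EC_KEY_free() right after SSL_CTX_set_tmp_ecdh() is correct since the context keeps its own copy of the key.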
+--- zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2015-04-07 17:13:23.000000000 +0200
+@@ -235,6 +235,9 @@
+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+
+ if(lpServerName == NULL) {
+ free(server_ssl_ciphers);
+@@ -268,6 +271,16 @@
+
+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
+
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++
+ ssl_name = strtok(server_ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
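Review bot: this block is a verbatim copy of the one added to common/ECChannel.cpp, with the same unchecked SSL_CTX_set_tmp_ecdh() result; since ECChannel already lives in common/, expose the ECDH setup there as a small helper taking the SSL_CTX and call it from both HrSetCtx() and this SOAP server path, so the curve choice, the SSL_OP_SINGLE_ECDH_USE option and any later move to SSL_CTX_set_ecdh_auto() only have to be changed once. The error path a few lines above already shows the convention for this function (`free(server_ssl_ciphers);` before returning), so a failed ECDH setup should take the same route rather than fall through to the protocol parsing below.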
diff --git a/zarafa-7.1.12-ssl_protocols_ciphers.patch b/zarafa-7.1.12-ssl_protocols_ciphers.patch
new file mode 100644
index 0000000..c9de1c6
--- /dev/null
+++ b/zarafa-7.1.12-ssl_protocols_ciphers.patch
@@ -0,0 +1,123 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which re-adds the whole
+documentation that was initially proposed to upstream but lost when this feature was backported
+from Zarafa 7.2 to the 7.1 series.
+
+Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, initial patch was put into
+the upstream ticket https://jira.zarafa.com/browse/ZCP-12143.
+
+--- zarafa-7.1.12/doc/manual.xml 2015-04-07 12:03:31.000000000 +0200
++++ zarafa-7.1.12/doc/manual.xml.ssl_protocols_ciphers 2015-04-07 17:05:47.000000000 +0200
+@@ -4226,14 +4226,35 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>server_ssl_enable_v2</option></term>
++ <term><option>server_ssl_protocols</option></term>
+ <listitem>
+- <para>Incoming SSL connections normally are v3.</para>
+- <para>Default: <replaceable>no</replaceable>
+- </para>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>server_ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>server_ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term><option>server_ssl_prefer_server_ciphers</option></term>
++ <listitem>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
++ <para>Default: <replaceable>no</replaceable></para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsection>
+
+@@ -8090,11 +8111,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
++ <listitem>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
+@@ -10091,11 +10133,32 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><option>ssl_enable_v2</option></term>
++ <term><option>ssl_protocols</option></term>
++ <listitem>
++ <para>Disabled or enabled protocol names. Supported protocol names
++ are <replaceable>SSLv2</replaceable>, <replaceable>SSLv3</replaceable>
++ and <replaceable>TLSv1</replaceable>. If Zarafa was linked against
++ OpenSSL 1.0.1 or later there is additional support for the new protocols
++ <replaceable>TLSv1.1</replaceable> and <replaceable>TLSv1.2</replaceable>.
++ To exclude both, SSLv2 and SSLv3 set <option>ssl_protocols</option>
++ to <replaceable>!SSLv2 !SSLv3</replaceable>. SSLv2 is considered unsafe
++ and these connections should not be accepted.</para>
++ <para>Default: <replaceable>!SSLv2</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_ciphers</option></term>
++ <listitem>
++ <para>SSL ciphers to use, set to <replaceable>ALL</replaceable> for backward compatibility.</para>
++ <para>Default: <replaceable>ALL:!LOW:!SSLv2:!EXP:!aNULL</replaceable></para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term><option>ssl_prefer_server_ciphers</option></term>
+ <listitem>
+- <para>Accept SSLv2 only connections. SSLv2 is considered
+- unsafe, and these connections should not be
+- accepted.</para>
++ <para>Prefer the server's order of SSL ciphers over client's.</para>
+ <para>Default: <replaceable>no</replaceable></para>
+ </listitem>
+ </varlistentry>
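Review bot: the three copies of the `ssl_protocols` text document `!SSLv2` as the default and only mention `!SSLv2 !SSLv3` as an example; given that the protocol list is exactly what an operator reads to decide on POODLE mitigation, the text should say plainly that SSLv3 should be disabled as well and present `!SSLv2 !SSLv3` as the recommended value rather than an illustration. The documented cipher default `ALL:!LOW:!SSLv2:!EXP:!aNULL` still admits RC4 and MD5-MAC suites under OpenSSL's ALL keyword, so the `ssl_ciphers` paragraph should at least point out that `!RC4:!MD5` is a common tightening, and the `ssl_prefer_server_ciphers` entry should note that with its default of `no` the order an administrator puts into `ssl_ciphers` has no effect on negotiation. The same varlistentry block is pasted three times with only the `server_` prefix differing; a DocBook entity for the shared paragraphs would keep the three in step when the wording is improved, and "Disabled or enabled protocol names" would read better as "Protocol names to enable, or to disable when prefixed with `!`".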
diff --git a/zarafa-7.1.12-webaccess-mcrypt.patch b/zarafa-7.1.12-webaccess-mcrypt.patch
new file mode 100644
index 0000000..e7b3fcd
--- /dev/null
+++ b/zarafa-7.1.12-webaccess-mcrypt.patch
@@ -0,0 +1,58 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa >= 7.1.12 which fixes the fix that fixes CVE-2014-0103. Ush,
+that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords
+in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from
+PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any
+older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are
+both shipping PHP < 5.3 by default) would still be left vulnerable.
+
+Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really
+correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security
+flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES"
+instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here.
+
+Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is
+based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by
+other macros):
+
+%if 0%{?rhel}%{?fedora} < 6
+Requires: php-mcrypt
+%else
+Requires: php-openssl
+%endif
+
+This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6.
+
+Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream
+ticket https://jira.zarafa.com/browse/ZCP-12407.
+
+--- zarafa-7.1.12/php-webclient-ajax/index.php 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/php-webclient-ajax/index.php.webaccess-mcrypt 2015-04-07 16:22:23.000000000 +0200
+@@ -135,6 +135,8 @@
+ } else {
+ $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ } else {
+ $_SESSION["password"] = $password;
+ }
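Review bot: the new `elseif(function_exists("mcrypt_encrypt"))` branch does not check the return value of mcrypt_encrypt(); on failure it returns false, base64_encode(false) yields an empty string, and the session silently holds an unusable password instead of an error. Also note the `else` branch that follows still stores `$password` in cleartext whenever neither the OpenSSL nor the mcrypt extension is loaded, which is the exact condition of CVE-2014-0103 that the header says this patch is meant to close on PHP < 5.3 hosts; since the patch now covers both extensions, consider refusing the login or at least logging loudly in that final branch rather than falling back.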
+--- zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php 2015-04-07 13:10:14.000000000 +0200
++++ zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2015-04-07 16:23:58.000000000 +0200
+@@ -132,6 +132,8 @@
+ } else {
+ $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_decrypt")) {
++ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0");
+ }
+ // logon
+ $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass);
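Review bot: mcrypt_decrypt() with MCRYPT_MODE_CBC uses zero padding, which is why the new line needs `rtrim(..., "\0")`, whereas the openssl_decrypt() branch above relies on PKCS#7 padding; a session value written by one branch therefore cannot be read by the other. That is harmless as long as the same PHP build both encrypts and decrypts, but it will break live sessions across a PHP upgrade that brings openssl_encrypt() into existence, or when session storage is shared between hosts with different PHP versions, so the header should document that sessions must be invalidated in those cases. The rtrim also removes any genuine trailing NUL bytes from the password, which is acceptable for a login password but worth a comment next to the call.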
+@@ -144,6 +146,8 @@
+ } else {
+ $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV);
+ }
++ } elseif(function_exists("mcrypt_encrypt")) {
++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV));
+ }
+
+ if ($result == NOERROR && $this->session !== false){
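Review bot: this is the third copy of the same 3DES/CBC call with PASSWORD_KEY and PASSWORD_IV (index.php plus two places in class.mapisession.php); move the encrypt and decrypt logic into a pair of helper methods on the session class so that the algorithm choice the header itself questions (MCRYPT_TRIPLEDES / `des-ede3-cbc` with a constant IV) and the padding handling live in exactly one place and can be reviewed and replaced together.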
diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch
deleted file mode 100644
index 6596637..0000000
--- a/zarafa-7.1.9-ssl_ecdhe.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Patch by Robert Scheck <robert at fedoraproject.org> for Zarafa <= 7.1.9 which implements ECDHE (elliptic
-curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is
-providing more information about elliptic curves.
-
-Suggestions for testing; run the following openssl(1) commands before and after applying this patch:
-
-1. echo QUIT | openssl s_client -connect <host>:110 -starttls pop3 2>&1 | grep Cipher
-2. echo QUIT | openssl s_client -connect <host>:143 -starttls imap 2>&1 | grep Cipher
-3. echo QUIT | openssl s_client -connect <host>:237 2>&1 | grep Cipher
-4. echo QUIT | openssl s_client -connect <host>:993 2>&1 | grep Cipher
-5. echo QUIT | openssl s_client -connect <host>:995 2>&1 | grep Cipher
-6. echo QUIT | openssl s_client -connect <host>:8443 2>&1 | grep Cipher
-
-After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat
-Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result
-is e.g. "AES256-GCM-SHA384".
-
-Important: The technical implementation of this patch might be not perfect as I am not really a C/C++
-developer. The logic and the implementation is heavily based on Sendmail. There should be a code review
-by an experienced C/C++ and OpenSSL developer before merging into Zarafa core.
-
-This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe
-not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131.
-
-Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream
-ticket https://jira.zarafa.com/browse/ZCP-12237.
-
---- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200
-+++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200
-@@ -97,6 +97,9 @@
- char *ssl_name;
- int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
- bool ssl_neg;
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ EC_KEY *ecdh;
-+#endif
-
- if (lpConfig == NULL) {
- hr = MAPI_E_CALL_FAILED;
-@@ -113,6 +116,16 @@
- lpCTX = SSL_CTX_new(SSLv23_server_method());
- SSL_CTX_set_options(lpCTX, SSL_OP_ALL);
-
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-+
-+ if (ecdh != NULL) {
-+ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
-+ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
-+ EC_KEY_free(ecdh);
-+ }
-+#endif
-+
- ssl_name = strtok(ssl_protocols, " ");
- while(ssl_name != NULL) {
- if (*ssl_name != '!')
---- zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp 2014-04-13 23:46:59.000000000 +0200
-+++ zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2014-04-14 00:00:54.000000000 +0200
-@@ -245,6 +245,9 @@
- char *ssl_name;
- int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
- bool ssl_neg;
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ EC_KEY *ecdh;
-+#endif
-
- if(lpServerName == NULL) {
- er = ZARAFA_E_INVALID_PARAMETER;
-@@ -277,6 +280,16 @@
-
- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
-
-+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
-+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-+
-+ if (ecdh != NULL) {
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
-+ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
-+ EC_KEY_free(ecdh);
-+ }
-+#endif
-+
- ssl_name = strtok(server_ssl_protocols, " ");
- while(ssl_name != NULL) {
- if (*ssl_name != '!')
diff --git a/zarafa.spec b/zarafa.spec
index 4fc0f9a..2debd81 100644
--- a/zarafa.spec
+++ b/zarafa.spec
@@ -1,6 +1,6 @@
%global beta_or_rc 0
-%global actual_release 3
-%global svnrevision 46050
+%global actual_release 1
+%global svnrevision 48726
%global with_search 1
%global with_ldap 1
%global with_xmlto 1
@@ -31,7 +31,7 @@
Summary: Open Source Edition of the Zarafa Collaboration Platform
Name: zarafa
-Version: 7.1.11
+Version: 7.1.12
%if %{beta_or_rc}
Release: 0.%{actual_release}.svn%{svnrevision}%{?dist}
%else
@@ -57,16 +57,17 @@ Source3: %{name}-webaccess.conf
Patch0: zarafa-7.1.11-rpath.patch
Patch1: zarafa-7.1.11-php-unbundle.patch
Patch2: zarafa-7.1.10-kyotocabinet.patch
-Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch
-Patch4: zarafa-7.1.9-ssl_ecdhe.patch
+Patch3: zarafa-7.1.12-ssl_protocols_ciphers.patch
+Patch4: zarafa-7.1.12-ssl_ecdhe.patch
Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch
Patch6: zarafa-7.1.10-imap-badcharset.patch
Patch7: zarafa-7.1.10-imap-fetch-body.patch
Patch8: zarafa-7.1.11-vacation-headers.patch
Patch9: zarafa-7.1.11-vacation-headers2.patch
Patch10: zarafa-7.1.11-webaccess-fail2ban.patch
-Patch11: zarafa-7.1.11-webaccess-mcrypt.patch
-Patch12: zarafa-7.1.11-gsoap-sslv3.patch
+Patch11: zarafa-7.1.12-webaccess-mcrypt.patch
+Patch12: zarafa-7.1.12-gsoap-sslv3.patch
+Patch13: zarafa-7.1.12-licensed-archiver.patch
BuildRequires: bison
BuildRequires: gcc-c++
@@ -406,6 +407,7 @@ touch -c -r aclocal.m4.rpath aclocal.m4
%patch11 -p1 -b .webaccess-mcrypt
rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*
%patch12 -p1 -b .gsoap-sslv3
+%patch13 -p1 -b .licensed-archiver
%build
%if 0%{?rhel}%{?fedora} < 6
@@ -553,7 +555,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/plugins/
# Remove unwanted language connectors and webaccess files
rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.{cfm,pl}
-rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf,senddocument.php}
+rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf}
# Remove flash-based multi-attachment upload (missing source)
%if %{no_multiupload}
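Review bot: dropping senddocument.php from the `rm -f` list means the file is now installed under %{_datadir}/%{name}-webaccess, but neither the comment above ("Remove unwanted language connectors and webaccess files") nor the changelog explains why it changed from unwanted to shipped. Please record the reason in the changelog, since a PHP entry point added to the served web root is precisely the sort of change a later security review needs to be able to trace.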
@@ -782,8 +784,6 @@ fi
%{_libdir}/libicalmapi.so
%{_libdir}/libinetmapi.so
%{_libdir}/libmapi.so
-%{_libdir}/libmapicalendar.so
-%{_libdir}/libmapitimezone.so
%{_libdir}/libcommon_mapi.a
%{_libdir}/libcommon_service.a
%{_libdir}/libcommon_ssl.a
@@ -792,10 +792,8 @@ fi
%{_libdir}/libzarafasync.so
%{_includedir}/icalmapi/
%{_includedir}/inetmapi/
-%{_includedir}/mapitimezone/
%{_includedir}/mapi4linux/
%{_includedir}/libfreebusy/
-%{_includedir}/libmapicalendar/
%{_includedir}/libzarafasync/
%{_includedir}/%{name}/
%{_libdir}/pkgconfig/%{name}.pc
@@ -940,12 +938,11 @@ fi
%{_libdir}/libicalmapi.so.*
%{_libdir}/libinetmapi.so.*
%{_libdir}/libmapi.so.*
-%{_libdir}/libmapicalendar.so.*
-%{_libdir}/libmapitimezone.so.*
%files -n php-mapi
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/php.d/%{ini_name}
+%config(noreplace) %{_sysconfdir}/%{name}/php-mapi.cfg
%{_datadir}/php/mapi/
%{_libdir}/php/modules/mapi.so
@@ -954,7 +951,8 @@ fi
%{python_sitearch}/*
%changelog
-* Sun Feb 22 2015 Robert Scheck <robert at fedoraproject.org> 7.1.11-3
+* Tue Apr 07 2015 Robert Scheck <robert at fedoraproject.org> 7.1.12-1
+- Upgrade to 7.1.12
- Added multiple minor enhancement and bugfix patches
- Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618)
- Handle "su" option in logrotate >= 3.8.0 to avoid errors
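Review bot: the `7.1.11-3` changelog header is replaced by the `7.1.12-1` header instead of a new entry being added above it, so the three bullets that follow (the minor enhancement patches, the CVE-2014-0103 fix for PHP < 5.3, the logrotate `su` handling) are now attributed to 7.1.12-1 and the 7.1.11-3 release vanishes from the history. If 7.1.11-3 was never built for this branch, say so in the entry; otherwise keep the old header and give `- Upgrade to 7.1.12` its own entry on top.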
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=f21&id=17841d83c9a5d875bf788bed28173e1a621c7d68
More information about the scm-commits mailing list