robert pushed to zarafa (epel7). "Added small security enhancement"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Apr 7 18:39:38 UTC 2015 

>From 423e99d9b3c7f0a134494c7853150fbd0a5d6efc Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Fri, 6 Mar 2015 00:37:52 +0100
Subject: Added small security enhancement


diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
index e4875ee..877b0e1 100644
--- a/zarafa-7.1.11-gsoap-sslv3.patch
+++ b/zarafa-7.1.11-gsoap-sslv3.patch
@@ -1,13 +1,14 @@
 Patch by Robert Scheck <robert at fedoraproject.org> for zarafa >= 7.1.11 which removes the Zarafa-
 specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services.
 The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1
-as well as TLSv1.2.
+as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like
+the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
 
 Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
 upstream ticket Ticket#2014040210000266.
 
 --- zarafa-7.1.11/provider/common/SOAPSock.cpp			2014-09-03 10:45:06.000000000 +0200
-+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3	2015-02-18 01:15:50.000000000 +0100
++++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3	2015-03-04 00:28:25.000000000 +0100
 @@ -162,9 +162,6 @@
  
  	lpCmd->endpoint = strdup(strServerPath.c_str());
@@ -18,3 +19,18 @@ upstream ticket Ticket#2014040210000266.
  #ifdef WITH_OPENSSL
  	if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
  		// no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
+@@ -188,6 +185,14 @@
+ 		lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
+ 
+ 		SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
++
++		// disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
++		SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++#ifdef SSL_OP_NO_COMPRESSION
++		// disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
++		SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
++#endif
+ 	}
+ #endif
+ 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?h=epel7&id=423e99d9b3c7f0a134494c7853150fbd0a5d6efc

More information about the scm-commits mailing list