← Back to branch summary

~ubuntu-desktop/evolution-data-server/ubuntu-trusty 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

Description: Enable all SSL/TLS versions supported by NSS
Origin: vendor, http://pkgs.fedoraproject.org/cgit/evolution-data-server.git/tree/evolution-data-server-3.10.4-poodle-enable-tls-for-ssl.patch?h=f20
Author: Milan Crha <mcrha@redhat.com>

diff -up evolution-data-server-3.10.4/camel/camel-network-service.c.poodle-enable-tls-for-ssl evolution-data-server-3.10.4/camel/camel-network-service.c
--- evolution-data-server-3.10.4/camel/camel-network-service.c.poodle-enable-tls-for-ssl	2014-10-16 17:23:12.445495018 +0200
+++ evolution-data-server-3.10.4/camel/camel-network-service.c	2014-10-16 17:23:17.187494840 +0200
@@ -328,7 +328,8 @@ network_service_connect_sync (CamelNetwo
 			stream = camel_tcp_stream_ssl_new (
 				session, host,
 				CAMEL_TCP_STREAM_SSL_ENABLE_SSL2 |
-				CAMEL_TCP_STREAM_SSL_ENABLE_SSL3);
+				CAMEL_TCP_STREAM_SSL_ENABLE_SSL3 |
+				CAMEL_TCP_STREAM_SSL_ENABLE_TLS);
 			break;
 
 		default:
diff -up evolution-data-server-3.10.4/camel/camel-tcp-stream-ssl.c.poodle-enable-tls-for-ssl evolution-data-server-3.10.4/camel/camel-tcp-stream-ssl.c
--- evolution-data-server-3.10.4/camel/camel-tcp-stream-ssl.c.poodle-enable-tls-for-ssl	2013-12-08 19:42:50.000000000 +0100
+++ evolution-data-server-3.10.4/camel/camel-tcp-stream-ssl.c	2014-10-16 17:14:29.590514659 +0200
@@ -43,6 +43,8 @@
 #include <sslerr.h>
 #include "nss.h"    /* Don't use <> here or it will include the system nss.h instead */
 #include <ssl.h>
+#include <sslt.h>
+#include <sslproto.h>
 #include <cert.h>
 #include <certdb.h>
 #include <pk11func.h>
@@ -545,6 +547,9 @@ enable_ssl (CamelTcpStreamSSL *ssl,
 {
 	PRFileDesc *ssl_fd;
 	static gchar v2_enabled = -1;
+#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
+	SSLVersionRange versionStreamSup, versionStream;
+#endif
 
 	g_assert (fd != NULL);
 
@@ -575,6 +580,7 @@ enable_ssl (CamelTcpStreamSSL *ssl,
 		SSL_OptionSet (ssl_fd, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
 	}
 
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
 	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
 		SSL_OptionSet (ssl_fd, SSL_ENABLE_SSL3, PR_TRUE);
 	else
@@ -585,6 +591,29 @@ enable_ssl (CamelTcpStreamSSL *ssl,
 	else
 		SSL_OptionSet (ssl_fd, SSL_ENABLE_TLS, PR_FALSE);
 
+#else
+	SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStreamSup);
+
+	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL3)
+		versionStream.min = SSL_LIBRARY_VERSION_3_0;
+	else
+		versionStream.min = SSL_LIBRARY_VERSION_TLS_1_0;
+
+	if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_TLS)
+		versionStream.max = versionStreamSup.max;
+	else
+		versionStream.max = SSL_LIBRARY_VERSION_3_0;
+
+	if (versionStream.max < versionStream.min) {
+		PRUint16 tmp;
+
+		tmp = versionStream.max;
+		versionStream.max = versionStream.min;
+		versionStream.min = tmp;
+	}
+
+	SSL_VersionRangeSet (ssl_fd, &versionStream);
+#endif
 	SSL_SetURL (ssl_fd, ssl->priv->expected_host);
 
 	/* NSS provides a default implementation for the SSL_GetClientAuthDataHook callback
diff -up evolution-data-server-3.10.4/camel/camel.c.poodle-enable-tls-for-ssl evolution-data-server-3.10.4/camel/camel.c
--- evolution-data-server-3.10.4/camel/camel.c.poodle-enable-tls-for-ssl	2013-12-08 19:42:49.000000000 +0100
+++ evolution-data-server-3.10.4/camel/camel.c	2014-10-16 17:14:29.590514659 +0200
@@ -100,6 +100,9 @@ camel_init (const gchar *configdir,
 		gchar *nss_configdir = NULL;
 		gchar *nss_sql_configdir = NULL;
 		SECStatus status = SECFailure;
+#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
+		SSLVersionRange versionStream;
+#endif
 
 #if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
 		/* NSS pre-3.14 has most of the ciphers disabled, thus enable
@@ -212,8 +215,14 @@ skip_nss_init:
 
 		SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
 		SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
 		SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
-		SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
+		SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE); /* Enable TLSv1.0 */
+#else
+		/* Enable all SSL/TLS versions supported by NSS (this API is for SSLv3 and newer). */
+		SSL_VersionRangeGetSupported (ssl_variant_stream, &versionStream);
+		SSL_VersionRangeSetDefault (ssl_variant_stream, &versionStream);
+#endif
 
 		PR_Unlock (nss_initlock);