From 447370b6c73546db867c249a74a9f4863fddf735 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Thu, 3 Jul 2008 14:46:39 +0000
Subject: SSL fix: check and report if SSL_set_fd fails.

SSL change: enable all workarounds with SSL_CTX_set_options(ctx,SSL_OP_ALL)

svn path=/branches/BRANCH_6-3/; revision=5214
---
 NEWS | 2 ++
 socket.c | 9 +++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 1dc45357..b7f6fdb2 100644
--- a/NEWS
+++ b/NEWS
@@ -87,6 +87,7 @@ fetchmail 6.3.9 (not yet released):
 Fixes BerliOS Bug #13207 (reported + fix suggested by Terry Brown).
 * Only print "Deleting fetchids file" if there actually is one.
 Fixes Debian Bug#374514, reported by Dan Jacobson.
+* SSL fix: check and report if SSL_set_fd fails.
 # CHANGES:
 * autoconf 2.60 is now required to build fetchmail; it uses
@@ -118,6 +119,7 @@ fetchmail 6.3.9 (not yet released):
 misconfigured upstream SSL servers that use the wrong certificate name.
 It specifies which CommonName fetchmail expects and logs. (Daniel Richard G.)
 * Changed CRLF to LF line endings in contrib/delete-later (reporter: Petr Uzel)
+* SSL change: enable all workarounds with SSL_CTX_set_options(ctx,SSL_OP_ALL)
 # DOCUMENTATION:
 * Add fetchmail-SA-2007-02.txt and fetchmail-SA-2008-01.txt.
diff --git a/socket.c b/socket.c
index 1af4a393..e943f8b2 100644
--- a/socket.c
+++ b/socket.c
@@ -801,7 +801,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
 int i;
 SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SSLeay_add_ssl_algorithms(); /* synonym for SSL_library_init() */
 #ifdef SSL_ENABLE
 if (stat("/dev/random", &randstat) &&
@@ -851,6 +851,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
 return(-1);
 }
+ SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+
 if (certck) {
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
 } else {
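Review bot: SSL_OP_ALL is broader than the interoperability workarounds the new SSL_CTX_set_options call in SSLOpen is meant to enable: in OpenSSL that mask also contains SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off the empty-fragment countermeasure for CBC cipher suites, so every fetchmail connection now trades a protocol-level defence for compatibility with broken servers. Consider masking that bit out, `SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);`, and add a comment naming which server bugs the remaining workarounds are for so the setting can be revisited. The hunk at line 801 only adds a comment and needs nothing; SSLOpen's body starts and ends outside both hunks.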
@@ -901,9 +903,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
 SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, SSL_FILETYPE_PEM);
 }
- SSL_set_fd(_ssl_context[sock], sock);
-
- if(SSL_connect(_ssl_context[sock]) < 1) {
+ if (SSL_set_fd(_ssl_context[sock], sock) == 0
+ || SSL_connect(_ssl_context[sock]) < 1) {
 ERR_print_errors_fp(stderr);
 SSL_CTX_free(_ctx[sock]);
 _ctx[sock] = NULL;
-- 
cgit v1.2.3
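Review bot: The merged condition reports both failures only through `ERR_print_errors_fp(stderr)`, but when SSL_connect() fails on the transport (peer closed, read error) the OpenSSL error queue is usually empty, so nothing is printed and the log cannot even tell whether SSL_set_fd or SSL_connect failed. Keep the result, `int rc = SSL_connect(_ssl_context[sock]);`, and report `SSL_get_error(_ssl_context[sock], rc)` (with errno for SSL_ERROR_SYSCALL) next to the queue dump, naming the failing call. The cleanup visible here frees _ctx[sock] but the hunk ends before it is clear whether _ssl_context[sock] is SSL_free'd and cleared on this path — worth confirming, since the object is already allocated when SSL_set_fd fails. SSLOpen's body starts and ends outside the hunk.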