diff --git a/SOURCES/postfix-3.3.1-tlsv13.patch b/SOURCES/postfix-3.3.1-tlsv13.patch
new file mode 100644
index 0000000..0dfb935
--- /dev/null
+++ b/SOURCES/postfix-3.3.1-tlsv13.patch
@@ -0,0 +1,124 @@
+--- postfix-3.3.1/man/man5/postconf.5
++++ postfix-3.3.2/man/man5/postconf.5
+@@ -8076,6 +8077,9 @@
+ "SSLv3"). The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2".
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ At the dane and
+ dane\-only security
+@@ -8391,6 +8397,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2"
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+@@ -11669,6 +11679,9 @@
+ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2".
+ .PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
++.PP
+ Example:
+ .PP
+ .nf
+@@ -11697,6 +11711,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2".
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+--- postfix-3.3.1/proto/postconf.proto
++++ postfix-3.3.2/proto/postconf.proto
+@@ -11208,6 +11210,9 @@
+ "SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all
+ versions of Postfix ≥ 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2".
++
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ +At the dane and + dane-only security +@@ -11405,6 +11411,9 @@ + disabled. The latest patch levels of Postfix ≥ 2.6, and all + versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or + "TLSv1.2".
++
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ +Example:
+ +@@ -12561,6 +12573,9 @@ + and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all + versions of Postfix ≥ 2.10 can explicitly disable support for + "TLSv1.1" or "TLSv1.2" ++ ++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ++this can be disabled, if need be, via "!TLSv1.3".
+ +To include a protocol list its name, to exclude it, prefix the name + with a "!" character. To exclude SSLv2 for opportunistic TLS set +@@ -12593,6 +12609,9 @@ + and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all + versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or + "TLSv1.2".
++
++OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ + To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+--- postfix-3.3.1/src/tls/tls.h
++++ postfix-3.3.2/src/tls/tls.h
+@@ -372,10 +415,15 @@
+ #define SSL_OP_NO_TLSv1_2 0L /* Noop */
+ #endif
+
+-#ifdef SSL_TXT_TLSV1_3
++ /*
++ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
++ * own.
++ */
++#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
++
++#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
+ #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
+ #else
+-#define SSL_TXT_TLSV1_3 "TLSv1.3"
+ #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
+ #undef SSL_OP_NO_TLSv1_3
+ #define SSL_OP_NO_TLSv1_3 0L /* Noop */
+@@ -383,7 +431,7 @@
+
+ #define TLS_KNOWN_PROTOCOLS \
+ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
+- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
++ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
+ #define TLS_SSL_OP_PROTOMASK(m) \
+ ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
+ | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
+--- postfix-3.3.1/src/tls/tls_misc.c
++++ postfix-3.3.2/src/tls/tls_misc.c
+@@ -279,7 +306,7 @@
+ SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
+ SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
+ SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
+- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
++ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+ 0, TLS_PROTOCOL_INVALID,
+ };
+
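Review bot: In the `#else` branch of the tls.h hunk `TLS_PROTOCOL_TLSv1_3` is 0, while `TLS_PROTOCOL_TXT_TLSV1_3` is now defined unconditionally, so on a build without `TLS1_3_VERSION` the name table in tls_misc.c still maps "TLSv1.3" to an empty mask and a setting such as "!TLSv1.3" is presumably accepted without any effect. That is reasonable for an exclusion, but neither the new comment nor the added postconf paragraphs say so; I would extend the comment, e.g. `/* If the library lacks TLS 1.3 the name is still parsed, but maps to an empty mask (no-op). */`, and add a matching sentence to the documentation. The remainder of `TLS_SSL_OP_PROTOMASK` lies outside the hunk; it is worth confirming that it carries a `TLS_PROTOCOL_TLSv1_3` to `SSL_OP_NO_TLSv1_3` term, since otherwise the documented "!TLSv1.3" would parse but never reach OpenSSL.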
diff --git a/SPECS/postfix.spec b/SPECS/postfix.spec
index 8921edc..8c91f14 100644
--- a/SPECS/postfix.spec
+++ b/SPECS/postfix.spec
@@ -48,7 +48,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 3.3.1
-Release: 12%{?dist}
+Release: 12%{?dist}.1
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
@@ -96,6 +96,7 @@ Patch9: pflogsumm-1.1.5-datecalc.patch
Patch10: pflogsumm-1.1.5-ipv6-warnings-fix.patch
# rhbz#1723950, included upstream
Patch11: postfix-3.3.1-ref-search-fix.patch
+Patch12: postfix-3.3.1-tlsv13.patch
# Optional patches - set the appropriate environment variables to include
# them when building the package/spec file
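Review bot: `Patch12` is added without the provenance comment that `Patch11` carries directly above it (`# rhbz#1723950, included upstream`). The patch's own file headers diff `postfix-3.3.1/` against `postfix-3.3.2/`, which suggests an upstream backport. Recording that origin and the tracking bug keeps a TLS-affecting change auditable, e.g. `# rhbz#<BUG-ID>, backported from upstream 3.3.2` on the line before `Patch12:`.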
@@ -221,6 +222,7 @@ pushd pflogsumm-%{pflogsumm_ver}
popd
%endif
%patch11 -p1 -b .ref-search-fix
+%patch12 -p1 -b .tlsv13
for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -719,6 +721,10 @@ exit 0
%endif
%changelog
+* Tue Jan 26 2021 Jan Zerdik