diff --git a/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch b/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch
new file mode 100644
index 0000000..0dea379
--- /dev/null
+++ b/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch
@@ -0,0 +1,70 @@
+diff --git a/sendmail/conf.c b/sendmail/conf.c
+index 777e05e..e693ed0 100644
+--- a/sendmail/conf.c
++++ b/sendmail/conf.c
+@@ -6504,6 +6504,14 @@ char *FFRCompileOptions[] =
+ /* More STARTTLS options, e.g., secondary certs. */
+ "_FFR_TLS_1",
+ #endif /* _FFR_TLS_1 */
++#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
++ /*
++ ** Use SSL_CTX_use_certificate_chain_file()
++ ** instead of SSL_CTX_use_certificate_file()
++ */
++
++ "_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE",
++#endif /* _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE */
+ #if _FFR_TRUSTED_QF
+ /*
+ ** If we don't own the file mark it as unsafe.
+diff --git a/sendmail/tls.c b/sendmail/tls.c
+index 72da987..6707a35 100644
+--- a/sendmail/tls.c
++++ b/sendmail/tls.c
+@@ -860,17 +860,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+ if (bitset(TLS_I_USE_KEY, req))
+ return false;
+ }
++#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
++# define SSL_CTX_use_cert(ssl_ctx, certfile) \
++ SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
++# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
++#else
++# define SSL_CTX_use_cert(ssl_ctx, certfile) \
++ SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
++# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
++#endif
+
+ /* get the certificate file */
+ if (bitset(TLS_S_CERT_OK, status) &&
+- SSL_CTX_use_certificate_file(*ctx, certfile,
+- SSL_FILETYPE_PEM) <= 0)
++ SSL_CTX_use_cert(*ctx, certfile) <= 0)
+ {
+ if (LogLevel > 7)
+ {
+ sm_syslog(LOG_WARNING, NOQID,
+- "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+- who, certfile);
++ "STARTTLS=%s, error: %s(%s) failed",
++ who, SSL_CTX_USE_CERT, certfile);
+ if (LogLevel > 9)
+ tlslogerr(LOG_WARNING, who);
+ }
+@@ -914,13 +922,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+
+ /* get the certificate file */
+ if (bitset(TLS_S_CERT2_OK, status) &&
+- SSL_CTX_use_certificate_file(*ctx, cf2,
SSL_FILETYPE_PEM) <= 0)
++ SSL_CTX_use_cert(*ctx, cf2) <= 0)
+ {
+ if (LogLevel > 7)
+ {
+ sm_syslog(LOG_WARNING, NOQID,
+- "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+- who, cf2);
++ "STARTTLS=%s, error: %s(%s) failed",
++ who, SSL_CTX_USE_CERT, cf2);
+ if (LogLevel > 9)
+ tlslogerr(LOG_WARNING, who);
+ }
diff --git a/SPECS/sendmail.spec b/SPECS/sendmail.spec
index 0b2e194..04d7633 100644
--- a/SPECS/sendmail.spec
+++ b/SPECS/sendmail.spec
@@ -26,7 +26,7 @@ Summary: A widely used Mail Transport Agent (MTA)
 
 Name: sendmail
 Version: 8.14.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@@ -112,6 +112,9 @@ Patch28: sendmail-8.14.7-tls11-12-config-options.patch
 # have MX record pointing to the CNAME
 # patch backported from upstream
 Patch29: sendmail-8.14.7-ipv6-mx-cname-fix.patch
+# add support for SSL_CTX_use_certificate_chain_file(), #1596725
+# patch backported from upstream
+Patch30: sendmail-8.14.7-tls-use-certificate-chain-file.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: tcp_wrappers-devel
 BuildRequires: libdb-devel
@@ -237,6 +240,7 @@ cp devtools/M4/UNIX/{,shared}library.m4
 %patch27 -p1 -b .client-port
 %patch28 -p1 -b .tls11-12-config-options
 %patch29 -p1 -b .ipv6-mx-cname-fix
+%patch30 -p1 -b .tls-use-certificate-chain-file
 
 for f in RELEASE_NOTES contrib/etrn.0; do
 iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
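Review bot: In the second tls.c hunk, `SSL_CTX_use_cert(*ctx, cf2)` now also loads the extra certificates found in the secondary cert file, and with OpenSSL builds that keep those extra chain certificates per SSL_CTX rather than per certificate (the 1.0.1-era `SSL_CTX_use_certificate_chain_file` frees and replaces `extra_certs` before reading), I believe this second call would discard the chain just loaded for `certfile`; the backport should be checked against the OpenSSL the package is built with before `_FFR_TLS_1` and the chain-file FFR are enabled together. The new `SSL_CTX_use_cert` and `SSL_CTX_USE_CERT` macros are defined inside `inittls()` and never undefined, so they stay visible for the rest of tls.c; adding `# undef SSL_CTX_use_cert` and `# undef SSL_CTX_USE_CERT` after the cf2 block would keep them local to the two call sites. A comment at the `# define` site saying that with the chain variant every certificate after the first in the file is sent to peers as the presented chain, so trailing content of confSERVER_CERT is no longer ignored, would help whoever maintains those PEM files. The inner header `@@ -914,13 +922,13 @@` counts one fewer old line than the ten context and four removed lines visible here, and the outer `+1,70` is one short of the lines shown, which may be a rendering artifact but is worth confirming against the file as committed. `inittls()` begins and ends outside the hunk.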
@@ -250,7 +254,7 @@ sed -i 's|/usr/local/bin/perl|%{_bindir}/perl|' contrib/*.pl
 cat > redhat.config.m4 << EOF
 define(\`confMAPDEF', \`-DNEWDB -DNIS -DHESIOD -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
 define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''')
-define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_TLS_1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FFR_TLS_EC')
+define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS')
 define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}')
 define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb -lresolv %{?relro:%{relro}}')
 define(\`confMANOWN', \`root')
@@ -287,7 +291,7 @@ EOF
 
 %if "%{with_tls}" == "yes"
 cat >> redhat.config.m4 << EOF
-APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS')dnl
+APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE')dnl
 APPENDDEF(\`conf_sendmail_LIBS', \`-lssl -lcrypto')dnl
 EOF
 %endif
@@ -761,6 +765,11 @@ fi
 %{_initrddir}/sendmail
 
 %changelog
+* Thu Jul 25 2019 Jaroslav Škarvada - 8.14.7-6
+- Use SSL_CTX_use_certificate_chain_file() to handle intermediate
+ certificates passed additionally in confSERVER_CERT
+ Resolves: rhbz#1596725
+
 * Thu Mar 23 2017 Jaroslav Škarvada - 8.14.7-5
 - Explicitly enabled sm-client statistics
 Resolves: rhbz#890585
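Review bot: The `@@ -287` hunk, together with `@@ -250`, moves `-D_FFR_TLS_1 -D_FFR_TLS_EC` out of the unconditional `confENVDEF` line and into the `with_tls` block next to the new `-D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE`, but neither the Patch30 comment nor the 8.14.7-6 changelog entry records that relocation, so a reader of the changelog sees only the chain-file change. A line such as `- Moved _FFR_TLS_1 and _FFR_TLS_EC defines under the with_tls conditional` in the changelog entry would document it. The relocation itself looks harmless since those FFRs only affect STARTTLS code, but that is inferred from their names rather than shown here, and the rest of the spec that might reference them is outside the hunks.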