The "sslv3" option doesn't do what it says (upstream bug 7093) and only makes things worse. The SSLv3 support also prevents SpamAssassin from working with LibreSSL, which no longer does SSLv3. Index: trunk/spamc/libspamc.c =================================================================== --- trunk.orig/spamc/libspamc.c +++ trunk/spamc/libspamc.c @@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp, unsigned int throwaway; SSL_CTX *ctx = NULL; SSL *ssl = NULL; - SSL_METHOD *meth; + const SSL_METHOD *meth; char zlib_on = 0; unsigned char *zlib_buf = NULL; int zlib_bufsiz = 0; @@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp, if (flags & SPAMC_USE_SSL) { #ifdef SPAMC_SSL SSLeay_add_ssl_algorithms(); - if (flags & SPAMC_TLSV1) { - meth = TLSv1_client_method(); - } else { - meth = SSLv3_client_method(); /* default */ - } + meth = SSLv23_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new(meth); #else @@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c int failureval; SSL_CTX *ctx = NULL; SSL *ssl = NULL; - SSL_METHOD *meth; + const SSL_METHOD *meth; assert(tp != NULL); assert(m != NULL); @@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c if (flags & SPAMC_USE_SSL) { #ifdef SPAMC_SSL SSLeay_add_ssl_algorithms(); - meth = SSLv3_client_method(); + meth = SSLv23_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new(meth); #else Index: trunk/spamc/spamc.c =================================================================== --- trunk.orig/spamc/spamc.c +++ trunk/spamc/spamc.c @@ -368,16 +368,11 @@ read_args(int argc, char **argv, case 'S': { flags |= SPAMC_USE_SSL; - if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) { - flags |= SPAMC_SSLV3; - } - else if (strcmp(spamc_optarg,"tlsv1") == 0) { - flags |= SPAMC_TLSV1; - } - else { - libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg); - ret = EX_USAGE; - } + if(spamc_optarg) { + libspamc_log(flags, LOG_ERR, + "Explicit specification of an SSL/TLS version no longer supported."); + ret = EX_USAGE; + } break; } #endif Index: trunk/spamd/spamd.raw =================================================================== --- trunk.orig/spamd/spamd.raw +++ trunk/spamd/spamd.raw @@ -409,7 +409,6 @@ GetOptions( 'sql-config!' => \$opt{'sql-config'}, 'ssl' => \$opt{'ssl'}, 'ssl-port=s' => \$opt{'ssl-port'}, - 'ssl-version=s' => \$opt{'ssl-version'}, 'syslog-socket=s' => \$opt{'syslog-socket'}, 'syslog|s=s' => \$opt{'syslog'}, 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'}, @@ -744,11 +743,6 @@ if ( defined $ENV{'HOME'} ) { # Do whitelist later in tmp dir. Side effect: this will be done as -u user. -my $sslversion = $opt{'ssl-version'} || 'sslv3'; -if ($sslversion !~ /^(?:sslv3|tlsv1)$/) { - die "spamd: invalid ssl-version: $opt{'ssl-version'}\n"; -} - $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem"; $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem"; @@ -899,9 +893,8 @@ sub compose_listen_info_string { $socket_info->{ip_addr}, $socket_info->{port})); } elsif ($socket->isa('IO::Socket::SSL')) { - push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s", - $socket_info->{ip_addr}, $socket_info->{port}, - $opt{'ssl-version'}||'sslv3')); + push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr}, + $socket_info->{port})); } } @@ -1072,7 +1065,6 @@ sub server_sock_setup_inet { $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP' && IO::Socket::IP->VERSION >= 0.09; %sockopt = (%sockopt, ( - SSL_version => $sslversion, SSL_verify_mode => 0x00, SSL_key_file => $opt{'server-key'}, SSL_cert_file => $opt{'server-cert'}, @@ -1093,7 +1085,8 @@ sub server_sock_setup_inet { if (!$server_inet) { $diag = sprintf("could not create %s socket on [%s]:%s: %s", $ssl ? 'IO::Socket::SSL' : $io_socket_module_name, - $adr, $port, $!); + $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ? + "$!,$IO::Socket::SSL::SSL_ERROR" : $!); push(@diag_fail, $diag); } else { $diag = sprintf("created %s socket on [%s]:%s", @@ -3238,7 +3231,6 @@ Options: -H [dir], --helper-home-dir[=dir] Specify a different HOME directory --ssl Enable SSL on TCP connections --ssl-port port Override --port setting for SSL connections - --ssl-version sslversion Specify SSL protocol version to use --server-key keyfile Specify an SSL keyfile --server-cert certfile Specify an SSL certificate --socketpath=path Listen on a given UNIX domain socket @@ -3727,14 +3719,6 @@ Optionally specifies the port number for SSL connections (default: whatever --port uses). See B<--ssl> for more details. -=item B<--ssl-version>=I - -Specify the SSL protocol version to use, one of B or B. -The default, B, is the most flexible, accepting a SSLv3 or -higher hello handshake, then negotiating use of SSLv3 or TLSv1 -protocol if the client can accept it. Specifying B<--ssl-version> -implies B<--ssl>. - =item B<--server-key> I Specify the SSL key file to use for SSL connections. Index: trunk/spamc/spamc.pod =================================================================== --- trunk.orig/spamc/spamc.pod +++ trunk/spamc/spamc.pod @@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a Sleep for I seconds between failed spamd filtering attempts. The default is 1 second. -=item B<-S>, B<--ssl>, B<--ssl>=I +=item B<-S>, B<--ssl>, B<--ssl> If spamc was built with support for SSL, encrypt data to and from the spamd process with SSL; spamd must support SSL as well. -I specifies the SSL protocol version to use, either -C, or C. The default, is C. =item B<-t> I, B<--timeout>=I Index: trunk/t/spamd_ssl_tls.t =================================================================== --- trunk.orig/t/spamd_ssl_tls.t +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/perl - -use lib '.'; use lib 't'; -use SATest; sa_t_init("spamd_ssl_tls"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); - -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); - -# --------------------------------------------------------------------------- - -%patterns = ( - -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', -q{ Subject: There yours for FREE!}, 'subj', -q{ X-Spam-Status: Yes, score=}, 'status', -q{ X-Spam-Flag: YES}, 'flag', -q{ X-Spam-Level: **********}, 'stars', -q{ TEST_ENDSNUMS}, 'endsinnums', -q{ TEST_NOREALNAME}, 'noreal', -q{ This must be the very last line}, 'lastline', - - -); - -ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", - "--ssl=tlsv1 < data/spam/001", - \&patterns_run_cb)); -ok_all_patterns(); Index: trunk/t/spamd_ssl_v3.t =================================================================== --- trunk.orig/t/spamd_ssl_v3.t +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/perl - -use lib '.'; use lib 't'; -use SATest; sa_t_init("spamd_sslv3"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); - -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); - -# --------------------------------------------------------------------------- - -%patterns = ( - -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline', -q{ Subject: There yours for FREE!}, 'subj', -q{ X-Spam-Status: Yes, score=}, 'status', -q{ X-Spam-Flag: YES}, 'flag', -q{ X-Spam-Level: **********}, 'stars', -q{ TEST_ENDSNUMS}, 'endsinnums', -q{ TEST_NOREALNAME}, 'noreal', -q{ This must be the very last line}, 'lastline', - - -); - -ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert", - "--ssl=sslv3 < data/spam/001", - \&patterns_run_cb)); -ok_all_patterns(); Index: trunk/t/spamd_ssl_accept_fail.t =================================================================== --- trunk.orig/t/spamd_ssl_accept_fail.t +++ trunk/t/spamd_ssl_accept_fail.t @@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la ); -ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); +ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert")); ok (spamcrun ("< data/spam/001", \&patterns_run_cb)); -ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb)); +ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb)); ok (stop_spamd ()); ok_all_patterns(); Index: trunk/t/spamd_ssl.t =================================================================== --- trunk.orig/t/spamd_ssl.t +++ trunk/t/spamd_ssl.t @@ -2,10 +2,7 @@ use lib '.'; use lib 't'; use SATest; sa_t_init("spamd_ssl"); -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9), - onfail => sub { - warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" . - "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" }; +use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9); exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE); Index: trunk/MANIFEST =================================================================== --- trunk.orig/MANIFEST +++ trunk/MANIFEST @@ -513,8 +513,6 @@ t/spamd_report_ifspam.t t/spamd_sql_prefs.t t/spamd_ssl.t t/spamd_ssl_accept_fail.t -t/spamd_ssl_tls.t -t/spamd_ssl_v3.t t/spamd_stop.t t/spamd_symbols.t t/spamd_syslog.t