Daniel-Constantin Mierla
2021-05-26 06:30:58 UTC
Module: kamailio
Branch: 5.4
Commit: 1142d5470d40801743af2fd9e27213bae6c394f4
URL: https://github.com/kamailio/kamailio/commit/1142d5470d40801743af2fd9e27213bae6c394f4
Author: SPChan <***@gmail.com>
Committer: Daniel-Constantin Mierla <***@gmail.com>
Date: 2021-05-26T08:25:25+02:00
[tls] Don't use OpenSSL<1.0.2 fallback on 1.1+
Address GH #2716. Also see https://bugs.python.org/issue29697.
(cherry picked from commit 27904530d1f8efd26e2b96fa5f18a3aad887919b)
(cherry picked from commit 1c7a8459f1a5b0f4d96f3908a301b599d5e24dc3)
---
Modified: src/modules/tls/tls_domain.c
---
Diff: https://github.com/kamailio/kamailio/commit/1142d5470d40801743af2fd9e27213bae6c394f4.diff
Patch: https://github.com/kamailio/kamailio/commit/1142d5470d40801743af2fd9e27213bae6c394f4.patch
---
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index a8859c4a31..22897075c7 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -55,8 +55,12 @@ extern EVP_PKEY * tls_engine_private_key(const char* key_id);
* ECDHE is enabled only on OpenSSL 1.0.0e and later.
* See http://www.openssl.org/news/secadv_20110906.txt
* for details.
+ * Also, copied from _ssl.c of Python for correct initialization.
+ * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ * prime256v1 by default. This is Apache mod_ssl's initialization
+ * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
*/
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
static void setup_ecdh(SSL_CTX *ctx)
{
EC_KEY *ecdh;
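Review bot: `OPENSSL_VERSION_1_1` in the new `#if` guard is not a macro OpenSSL itself provides (the library exposes `OPENSSL_VERSION_NUMBER`), and nothing in this hunk defines it, so the change only does what the title says if tls_domain.c already includes the module header that derives it from `OPENSSL_VERSION_NUMBER`. If that include is missing, `!defined(OPENSSL_VERSION_1_1)` is silently true on 1.1+ and the old fallback is compiled back in. Worth a grep for where the macro is defined plus a build against OpenSSL 1.1 before merging. The added comment also still reads as if the function runs on every version ("on OpenSSL 1.0.2+, or use prime256v1 by default"); one sentence saying the whole function is compiled out on 1.1+ would keep the comment matching the guard directly below it.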
@@ -65,11 +69,15 @@ static void setup_ecdh(SSL_CTX *ctx)
return;
}
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(ctx, 1);
+#else
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
+#endif
}
#endif
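Review bot: `EC_KEY *ecdh;` stays declared at the top of `setup_ecdh` but is only used in the `#else` branch, so on builds where `SSL_CTX_set_ecdh_auto` is defined it is an unused variable (a `-Wall` warning, an error under `-Werror`); move the declaration into the `#else` block next to `ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);`. Also, `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);` now runs only in the fallback branch. If the intent is that automatic curve selection already gives a fresh ephemeral key per handshake, say so in the comment so the next reader does not assume the option was dropped by accident; otherwise hoist that call above the `#if` so both branches set it.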
@@ -670,7 +678,7 @@ static int set_cipher_list(tls_domain_t* d)
tls_domain_str(d), cipher_list);
return -1;
}
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
setup_ecdh(d->ctx[i]);
#endif
#ifndef OPENSSL_NO_DH
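Review bot: the `!defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)` condition is now duplicated verbatim at the definition of `setup_ecdh` and at this call site in `set_cipher_list`; the two have to be kept in sync by hand, and if they drift the result is either an undefined `setup_ecdh` at link time or a call that silently disappears. Simpler to keep the version check in one place: leave this call site as `#ifndef OPENSSL_NO_ECDH` and have `setup_ecdh` reduce to an empty function on 1.1+, or name the combined condition once (a `TLS_USE_ECDH_SETUP` style macro, name chosen here as a suggestion) and use it in both spots.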