Subject: pkg/28478: imap-uw package should read SSL keys from separate file
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <thorpej@shagadelic.org>
List: pkgsrc-bugs
Date: 11/30/2004 15:33:00
>Number: 28478
>Category: pkg
>Synopsis: imap-uw package should read SSL keys from separate file
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Nov 30 15:33:00 +0000 2004
>Originator: Jason R Thorpe
>Release: NetBSD 2.99.10
>Organization:
-- Jason R. Thorpe <thorpej@shagadelic.org>
>Environment:
System: NetBSD yeah-baby.shagadelic.org 2.99.10 NetBSD 2.99.10 (YEAH-BABY-XP) #32: Wed Nov 3 16:00:40 PST 2004 thorpej@yeah-baby.shagadelic.org:/u1/netbsd/src/sys/arch/i386/compile/YEAH-BABY-XP i386
Architecture: i386
Machine: i386
>Description:
The imap-uw package assumes that the SSL certificate and its private
key are kept in the same file. This is suboptimal in many configurations,
where you want to apply more restrictive file system permissions to the
private key than to the certificate.
>How-To-Repeat:
Inspection.
>Fix:
The following patch makes the imap-uw package use the new
SSLKEYS variable from the openssl package's "builtin.mk"
for the location of the private key file. On NetBSD systems,
this defaults to /etc/openssl/private.
Note: the diff against patch-ab is confusing to read. What
it does is remove the "SSLKEYS" variable from the upstream
Makefile, the same way "SSLDIR" and "SSLCERTS" are already
removed, so that the value passed in through MAKE_ENV takes
effect instead of the upstream default.
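As an added example (not part of this PR or of the imap-uw package), a POSIX shell check that verifies the layout the patch asks for: the certificate in ${SSLCERTS} carries no private key, and the key in ${SSLKEYS} is owned by root with no group/other access. The SSLCERTS/SSLKEYS defaults and the imapd.pem name come from the report; the function name, scratch files and placeholder PEM contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of this PR or of imap-uw: verify that the split
# layout described above is in place. Defaults are the NetBSD paths from the
# report; the function and scratch file names are this example's own.
SSLCERTS="${SSLCERTS:-/etc/openssl/certs}"
SSLKEYS="${SSLKEYS:-/etc/openssl/private}"

# check_imapd_pem CERTFILE KEYFILE [OWNER]
# Succeeds only when CERTFILE carries no private key, KEYFILE does, and
# KEYFILE is owned by OWNER (default root) with no group/other permissions.
check_imapd_pem() {
    cert="$1"; key="$2"; owner="${3:-root}"; rc=0
    if [ ! -f "$cert" ]; then
        echo "missing certificate: $cert"; rc=1
    elif grep -q 'PRIVATE KEY' "$cert"; then
        echo "certificate file still embeds a private key: $cert"; rc=1
    fi
    if [ ! -f "$key" ]; then
        echo "missing key: $key"; return 1
    fi
    grep -q 'PRIVATE KEY' "$key" || { echo "no private key in $key"; rc=1; }
    # ls -ld rather than stat(1): its output is the same on BSD and GNU.
    set -- $(ls -ld "$key")
    case "$1" in
        ?r??------*) ;;
        *) echo "key $key has mode $1; group/other must have no access"; rc=1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "key $key owned by $3, expected $owner"; rc=1; }
    return $rc
}

# Demonstration on constructed placeholder files (no real key material).
me=$(id -un 2>/dev/null || id -u)
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' constructed '-----END CERTIFICATE-----' \
    > "$demo/imapd.pem.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed '-----END PRIVATE KEY-----' \
    > "$demo/imapd.pem.key"
chmod 600 "$demo/imapd.pem.key"
check_imapd_pem "$demo/imapd.pem.crt" "$demo/imapd.pem.key" "$me" \
    && echo "split layout OK"
# The pre-patch layout, key concatenated into the certificate file, is rejected:
cat "$demo/imapd.pem.crt" "$demo/imapd.pem.key" > "$demo/combined.pem"
check_imapd_pem "$demo/combined.pem" "$demo/imapd.pem.key" "$me" \
    || echo "combined layout rejected"
rm -rf "$demo"
# On a real host: check_imapd_pem "$SSLCERTS/imapd.pem" "$SSLKEYS/imapd.pem"
```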
Index: MESSAGE
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/MESSAGE,v
retrieving revision 1.2
diff -u -p -r1.2 MESSAGE
--- MESSAGE 16 Sep 2003 19:16:44 -0000 1.2
+++ MESSAGE 30 Nov 2004 15:25:12 -0000
@@ -19,9 +19,10 @@ Add the following to /etc/inetd.conf:
pop3s stream tcp nowait root ${PREFIX}/libexec/ipop3d ipop3d
In order to use SSL, you will need to configure a certificate and store it
-in the ${SSLCERTS} directory, using the imapd.pem name.
-If you want to use an existing certificate, say from Apache, just copy it
-there (you may need to concatenate .key and .crt files together).
+in the ${SSLCERTS} directory, using the imapd.pem name. Place the key for
+the certificate in the ${SSLKEYS} directory, also using the imapd.pem name.
+If you want to use an existing certificate, say from Apache, just copy the
+certificate and key files to the appropriate locations.
To put the changes into effect, make inetd reload its configuration:
On NetBSD 1.5 or later:
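Review bot: the new text at `+the certificate in the ${SSLKEYS} directory, also using the imapd.pem name.` tells the user where to put the key but not how to protect it, which is the whole point of the split; suggest stating that ${SSLKEYS}/imapd.pem should be owned by root and readable only by root (the daemons run as root from inetd, as the `nowait root` line above shows). The Apache sentence should also say explicitly that a certificate file copied into ${SSLCERTS} must not still contain the concatenated key that the old wording recommended, otherwise the key ends up world-readable in the certs directory anyway.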
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/Makefile,v
retrieving revision 1.85
diff -u -p -r1.85 Makefile
--- Makefile 13 Nov 2004 21:28:28 -0000 1.85
+++ Makefile 30 Nov 2004 15:25:12 -0000
@@ -59,6 +59,7 @@ CCLIENT_MFILES= src/imapd/Makefile \
src/osdep/unix/Makefile
MESSAGE_SUBST+= SSLCERTS="${SSLCERTS}"
+MESSAGE_SUBST+= SSLKEYS="${SSLKEYS}"
PLIST_SUBST+= CCLIENT_MAJOR="${CCLIENT_MAJOR}"
PLIST_SUBST+= CCLIENT_MINOR="${CCLIENT_MINOR}"
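Review bot: neither Makefile hunk bumps PKGREVISION, yet the change alters where an installed imapd looks for its key (SSL_KEY_DIRECTORY is compiled in via SSLCFLAGS, see the patch-ab context below), so binary packages built before and after this change behave differently; bump PKGREVISION in this Makefile together with `+MESSAGE_SUBST+= SSLKEYS="${SSLKEYS}"`.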
@@ -66,6 +67,7 @@ MANFILES= src/imapd/imapd.8 src/ipopd/ip
MAKE_ENV+= SSLDIR=${SSLBASE:Q}
MAKE_ENV+= SSLCERTS=${SSLCERTS:Q}
+MAKE_ENV+= SSLKEYS=${SSLKEYS:Q}
MAKE_ENV+= CCLIENT_MAJOR=${CCLIENT_MAJOR:Q}
MAKE_ENV+= CCLIENT_MINOR=${CCLIENT_MINOR:Q}
MAKE_ENV+= CREATEPROTO=${IMAP_UW_CCLIENT_MBOX_FMT:Q}proto
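Review bot: `+MAKE_ENV+= SSLKEYS=${SSLKEYS:Q}` relies on the openssl builtin.mk having defined SSLKEYS; since patch-ab now deletes the upstream fallback `SSLKEYS=$(SSLCERTS)`, an undefined SSLKEYS would compile SSL_KEY_DIRECTORY as an empty string and imapd would fail to find its key at runtime. Suggest a guard such as `SSLKEYS?= ${SSLCERTS}` in this Makefile so the pre-patch behaviour remains the fallback on platforms whose builtin.mk does not set it.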
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/distinfo,v
retrieving revision 1.18
diff -u -p -r1.18 distinfo
--- distinfo 11 Oct 2004 16:56:28 -0000 1.18
+++ distinfo 30 Nov 2004 15:25:12 -0000
@@ -3,7 +3,7 @@ $NetBSD: distinfo,v 1.18 2004/10/11 16:5
SHA1 (imap-2004a.tar.Z) = e5df251f2b8c3f01e94195a2832b5ba5cd809fbb
Size (imap-2004a.tar.Z) = 2224181 bytes
SHA1 (patch-aa) = 2109d076b1f50ca461b2b2a00ee927207a64f766
-SHA1 (patch-ab) = 76af6b8772962e77925da19902285aabcebc7d76
+SHA1 (patch-ab) = 20c8d4f449d7b72e4abe01da941658999799fa4d
SHA1 (patch-ac) = 8b4ea8c15929c65eda1b3444c68fdbf70fa68b6a
SHA1 (patch-ad) = 3404de4e4acb456e3c7b34ca80b31b80b465b3e1
SHA1 (patch-ae) = 702473377ca66266bdb6d5d13045d279a38ea7de
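Review bot: the new `+SHA1 (patch-ab)` value is only valid for the exact patch-ab file submitted below; if patch-ab changes again during review, regenerate this line with `make makepatchsum` rather than editing it by hand, otherwise the build fails the checksum step.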
Index: patches/patch-ab
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/patches/patch-ab,v
retrieving revision 1.14
diff -u -p -r1.14 patch-ab
--- patches/patch-ab 12 Aug 2004 12:13:54 -0000 1.14
+++ patches/patch-ab 30 Nov 2004 15:25:12 -0000
@@ -1,17 +1,18 @@
-$NetBSD: patch-ab,v 1.14 2004/08/12 12:13:54 adam Exp $
+$NetBSD$
---- src/osdep/unix/Makefile.orig 2004-08-12 13:26:38.000000000 +0000
-+++ src/osdep/unix/Makefile
-@@ -29,8 +29,6 @@ IP=4
+--- src/osdep/unix/Makefile.orig 2004-11-23 22:28:38.000000000 -0800
++++ src/osdep/unix/Makefile 2004-11-23 22:34:55.000000000 -0800
+@@ -29,9 +29,6 @@
# Extended flags needed for SSL. You may need to modify.
-SSLDIR=/usr/local/ssl
-SSLCERTS=$(SSLDIR)/certs
- SSLKEYS=$(SSLCERTS)
+-SSLKEYS=$(SSLCERTS)
SSLINCLUDE=$(SSLDIR)/include
SSLLIB=$(SSLDIR)/lib
-@@ -48,7 +46,7 @@ SSLRSA= # -lRSAglue -lrsaref
+
+@@ -48,7 +45,7 @@
SSLCFLAGS= -I$(SSLINCLUDE) -I$(SSLINCLUDE)/openssl\
-DSSL_CERT_DIRECTORY=\"$(SSLCERTS)\" -DSSL_KEY_DIRECTORY=\"$(SSLKEYS)\"
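Review bot: the lone `+` line after `SSLLIB=$(SSLDIR)/lib` inserts an empty line into patch-ab between two hunks; it conveys nothing and some patch(1) implementations stop parsing a diff at the first line that is neither hunk data nor a hunk header, so drop it. The substantive change is right: the upstream `SSLKEYS=$(SSLCERTS)` assignment would otherwise override the value handed in through MAKE_ENV, and the header change from `-29,8 +29,6` to `-29,9 +29,6` correctly accounts for the extra removed line.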
@@ -20,7 +21,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
# Extended flags needed for non-standard passwd types. You may need to modify.
-@@ -92,14 +90,14 @@ LOCKPGM=/etc/mlock
+@@ -92,14 +89,14 @@
# set certain other formats (e.g. mbx and mx) as the EMPTYPROTO since these
# formats can never be empty files.
@@ -37,7 +38,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
LN=ln -s
RANLIB=ranlib
-@@ -391,9 +389,9 @@ gso: os_sol.h # GCC Solaris
+@@ -391,9 +388,9 @@
SPOOLDIR=/var/spool MAILSPOOL=/var/mail \
ACTIVEFILE=/usr/share/news/active \
RSHPATH=/usr/bin/rsh \
@@ -49,7 +50,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
gsu: # GCC SUN-OS
$(BUILD) `$(CAT) SPECIALS` OS=sun \
-@@ -483,9 +481,9 @@ neb: # NetBSD
+@@ -483,9 +480,9 @@
$(BUILD) `$(CAT) SPECIALS` OS=bsi \
CRXTYPE=nfs \
SPOOLDIR=/var \
@@ -61,7 +62,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
BASELDFLAGS="-lcrypt"
nec: # NEC UX
-@@ -911,7 +909,7 @@ onceenv:
+@@ -911,7 +908,7 @@
-DACTIVEFILE=\"$(ACTIVEFILE)\" -DNEWSSPOOL=\"$(NEWSSPOOL)\" \
-DRSHPATH=\"$(RSHPATH)\" -DLOCKPGM=\"$(LOCKPGM)\" > OSCFLAGS
echo $(BASELDFLAGS) $(EXTRALDFLAGS) > LDFLAGS
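Review bot: the remaining hunks only shift the new-side line numbers by one (`+46` to `+45`, `+90` to `+89`, `+389` to `+388`, `+481` to `+480`, `+909` to `+908`), which matches the one additional line removed in the first hunk, and the dropped function-name context after each `@@` is just the patch being regenerated without diff -p; both are harmless. If the first hunk is edited again before commit, these offsets must be regenerated with it rather than adjusted by hand.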
>Unformatted: