From 9b7dc8d446d468edc9e1f96eccfb82a0153dfb33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A0=D0=BE=D0=BC=D0=B0=D0=BD=20=D0=94=D0=BE=D0=BD=D1=87?= =?UTF-8?q?=D0=B5=D0=BD=D0=BA=D0=BE?=
Date: Thu, 26 Mar 2015 23:15:18 +0300
Subject: [PATCH] Don't hardcode TLS version to SSLv3

SSL 3.0 is now considered insecure (because of the POODLE attack), and servers are starting to turn it off. In any case, hardcoding a particular version is a bad idea - let Twisted figure out which version to use.
---
 master/buildbot/status/mail.py | 16 +---------------
 master/docs/relnotes/index.rst | 2 ++
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/master/buildbot/status/mail.py b/master/buildbot/status/mail.py
index bce0302bb62..cccfcde7845 100644
--- a/master/buildbot/status/mail.py
+++ b/master/buildbot/status/mail.py
@@ -36,13 +36,6 @@ except ImportError:
 ESMTPSenderFactory = None
-have_ssl = True
-try:
- from twisted.internet import ssl
- from OpenSSL.SSL import SSLv3_METHOD
-except ImportError:
- have_ssl = False
-
 # this incantation teaches email to output utf-8 using 7- or 8-bit encoding,
 # although it has no effect before python-2.7.
 from email import charset
@@ -816,12 +809,6 @@ def _gotRecipients(self, rlist, m):
 def sendmail(self, s, recipients):
 result = defer.Deferred()
- if have_ssl and self.useTls:
- client_factory = ssl.ClientContextFactory()
- client_factory.method = SSLv3_METHOD
- else:
- client_factory = None
-
 if self.smtpUser and self.smtpPassword:
 useAuth = True
 else:
@@ -833,8 +820,7 @@ def sendmail(self, s, recipients):
 sender_factory = ESMTPSenderFactory( self.smtpUser, self.smtpPassword, self.fromaddr, recipients, StringIO(s),
- result, contextFactory=client_factory,
- requireTransportSecurity=self.useTls,
+ result, requireTransportSecurity=self.useTls,
 requireAuthentication=useAuth)
 reactor.connectTCP(self.relayhost, self.smtpPort, sender_factory)
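Review bot: With `contextFactory` no longer passed to `ESMTPSenderFactory(...)` in `sendmail`, both the protocol version and the certificate policy are whatever Twisted's built-in default provides, and nothing visible here makes the client verify the relay's certificate or hostname. If that default does not verify (worth confirming for each supported Twisted release), `useTls` only defeats passive sniffing and `smtpUser`/`smtpPassword` remain exposed to an active interceptor on the path to `relayhost`. Where the installed Twisted offers it, passing a verifying factory such as `contextFactory=ssl.optionsForClientTLS(hostname)` built from `self.relayhost` would close that gap, at the cost of keeping a guarded `ssl` import; otherwise a comment above the call, `# TLS settings come from Twisted's default context; the relay certificate may not be verified`, records the limitation. The body of `sendmail` starts before this hunk and continues past it.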
diff --git a/master/docs/relnotes/index.rst b/master/docs/relnotes/index.rst
index a841cbe60a9..0e151f9b8f2 100644
--- a/master/docs/relnotes/index.rst
+++ b/master/docs/relnotes/index.rst
@@ -85,6 +85,8 @@ Features
 * Builders can now have multiple "tags" associated with them. Tags can be used in various status classes as filters (eg, on the waterfall page).
+* :bb:status:`MailNotifier` no longer forces SSL 3.0 when ``useTls`` is true.
+
 Fixes
 ~~~~~