dovecot-2.1: SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag...

dovecot at dovecot.org dovecot at dovecot.org
Sun Feb 12 03:29:49 EET 2012 

details:   http://hg.dovecot.org/dovecot-2.1/rev/8d90de706bd2
changeset: 14114:8d90de706bd2
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Feb 12 03:29:36 2012 +0200
description:
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
This is to counter the "BEAST SSL" attack, although I don't think it's
practical to implement against IMAP/POP3/LMTP protocols. There's really no
way for attackers to inject any evil data before authentication, so the
password is safe. Post-authentication attacker could cause clients to
download evil emails, but even then clients don't typically redownload some
specific mail, so there's really no way to extract anything useful.

diffstat:

 src/lib-ssl-iostream/iostream-openssl-context.c |  5 ++++-
 src/login-common/ssl-proxy-openssl.c            |  6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diffs (31 lines):

diff -r 6420d63e7570 -r 8d90de706bd2 src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c	Sun Feb 12 02:53:50 2012 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c	Sun Feb 12 03:29:36 2012 +0200
@@ -356,7 +356,10 @@
 	ctx->pool = pool_alloconly_create("ssl iostream context", 4096);
 	ctx->source = p_strdup(ctx->pool, source);
 
-	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+	/* enable all SSL workarounds, except empty fragments as it
+	   makes SSL more vulnerable against attacks */
+	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 |
+			    (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
 	if (SSL_CTX_need_tmp_RSA(ctx->ssl_ctx))
 		SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, ssl_gen_rsa_key);
 	SSL_CTX_set_tmp_dh_callback(ctx->ssl_ctx, ssl_tmp_dh_callback);
diff -r 6420d63e7570 -r 8d90de706bd2 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Sun Feb 12 02:53:50 2012 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Feb 12 03:29:36 2012 +0200
@@ -941,8 +941,10 @@
 	X509_STORE *store;
 	STACK_OF(X509_NAME) *xnames = NULL;
 
-	/* enable all SSL workarounds */
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+	/* enable all SSL workarounds, except empty fragments as it
+	   makes SSL more vulnerable against attacks */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
+			    ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

More information about the dovecot-cvs mailing list