dovecot-2.0: SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag...
dovecot at dovecot.org
dovecot at dovecot.org
Sun Feb 12 03:31:30 EET 2012
details: http://hg.dovecot.org/dovecot-2.0/rev/e3d46fd04105
changeset: 13050:e3d46fd04105
user: Timo Sirainen <tss at iki.fi>
date: Sun Feb 12 03:31:24 2012 +0200
description:
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
This is to counter the "BEAST SSL" attack, although I don't think it's
practical to implement against IMAP/POP3/LMTP protocols. There's really no
way for attackers to inject any evil data before authentication, so the
password is safe. Post-authentication attacker could cause clients to
download evil emails, but even then clients don't typically redownload some
specific mail, so there's really no way to extract anything useful.
diffstat:
src/login-common/ssl-proxy-openssl.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diffs (15 lines):
diff -r 8228f09ab0c2 -r e3d46fd04105 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Thu Feb 09 20:38:42 2012 +0200
+++ b/src/login-common/ssl-proxy-openssl.c Sun Feb 12 03:31:24 2012 +0200
@@ -1011,7 +1011,10 @@
X509_STORE *store;
STACK_OF(X509_NAME) *xnames = NULL;
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+ /* enable all SSL workarounds, except empty fragments as it
+ makes SSL more vulnerable against attacks */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 |
+ (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
More information about the dovecot-cvs
mailing list