dovecot-1.1: SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag...

dovecot at dovecot.org dovecot at dovecot.org
Sun Feb 12 03:32:56 EET 2012


details:   http://hg.dovecot.org/dovecot-1.1/rev/22b99f10260a
changeset: 8375:22b99f10260a
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Feb 12 03:32:20 2012 +0200
description:
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
This is to counter the "BEAST SSL" attack, although I don't think it's
practical to implement against IMAP/POP3/LMTP protocols. There's really no
way for attackers to inject any evil data before authentication, so the
password is safe. A post-authentication attacker could cause clients to
download evil emails, but even then clients don't typically redownload some
specific mail, so there's really no way to extract anything useful.

diffstat:

 src/login-common/ssl-proxy-openssl.c |  5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diffs (15 lines):

diff -r eadc6ecd92a8 -r 22b99f10260a src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Wed Jan 25 23:45:02 2012 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Feb 12 03:32:20 2012 +0200
@@ -776,7 +776,10 @@
 	if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
 		i_fatal("SSL_CTX_new() failed");
 
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+	/* enable all SSL workarounds, except empty fragments as it
+	   makes SSL more vulnerable against attacks */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
+			    ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
 	cipher_list = getenv("SSL_CIPHER_LIST");
 	if (cipher_list == NULL)
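Review bot: the new SSL_CTX_set_options() call masks SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS out of SSL_OP_ALL, i.e. the flag ends up cleared and OpenSSL goes back to inserting empty fragments, yet the commit title says the flag is being "enabled"; the description should be worded to match the code (the flag is removed from the option set: `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`), as the in-code comment already does, so that anyone reading the changelog does not conclude the opposite of what was changed. Since SSL_OP_ALL exists to work around buggy peers, the description could also note that clients which could not cope with empty fragments (the reason that workaround was in SSL_OP_ALL) may be affected, so operators know what to look for if a client stops negotiating TLS after upgrading.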
