Disabling SSLv3 protocol

Timo Sirainen tss at iki.fi
Tue Oct 14 19:25:32 UTC 2014


Since people are now talking about the SSLv3 security hole and how to disable it, here's a thread where you can talk about that. In Dovecot v2.1+ you can disable SSLv3 by setting:

ssl_protocols = !SSLv2 !SSLv3

In older versions you'd have to patch the source code. Attached a patch against v2.0. 

I don't know if there are any clients that would break by disabling SSLv3. I'd expect all the clients to use the system (or otherwise generic) SSL libraries, which would automatically choose the TLS protocol over SSL. So my guess is that unless somebody is using over a 10 year old client there wouldn't be any problems. Maybe some old mobile phones might be using SSL.. If you find out about any clients that require SSLv3 I'd like to know about it. For Dovecot v2.3 I could maybe disable SSLv3 by default if there's no real need for it.

(Also: Don't be confused by SSL/TLS protocols vs. SSL port/STARTTLS, as described in http://wiki2.dovecot.org/SSL. For example https://en.wikipedia.org/wiki/Comparison_of_email_clients#SSL_and_TLS_support is irrelevant here.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-sslv3-disable.diff
Type: application/octet-stream
Size: 533 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20141014/0c46af0d/attachment.obj>
-------------- next part --------------




More information about the dovecot mailing list