[PATCH] ssl: fix reference to SSLv2 and disable SSLv3
Aki Tuomi
aki.tuomi at dovecot.fi
Tue Nov 15 12:09:19 UTC 2016
On 15.11.2016 13:55, Apollon Oikonomopoulos wrote:
> This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
> all and dovecot's defaults simply make OpenSSL error out with "Unknown
> protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
> seems to know something about it.
>
> While at it, it's also a good idea to disable SSLv3 by default as well.
>
> [1] https://bugs.debian.org/844347
>
> Signed-off-by: Apollon Oikonomopoulos <apoikos at debian.org>
> ---
> doc/example-config/conf.d/10-ssl.conf | 2 +-
> src/lib-master/master-service-ssl-settings.c | 6 +++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
> index 31b750c..2cd445b 100644
> --- a/doc/example-config/conf.d/10-ssl.conf
> +++ b/doc/example-config/conf.d/10-ssl.conf
> @@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
> #ssl_dh_parameters_length = 1024
>
> # SSL protocols to use
> -#ssl_protocols = !SSLv2
> +#ssl_protocols = !SSLv3
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
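Review bot: The commented example at `#ssl_protocols = !SSLv3` no longer matches the compiled-in default on builds where SSLv2 is still known to OpenSSL, which the second hunk sets to `!SSLv2 !SSLv3`. An administrator on such a build who uncomments this line as shown would drop the SSLv2 exclusion. Consider adding a comment above the setting saying that `!SSLv2` should be kept when the linked OpenSSL still supports SSLv2, or documenting both forms. The unchanged `#ssl_cipher_list` line below still names `!SSLv2`; it is worth confirming that string is accepted by OpenSSL 1.1 as well, since the commit message only covers the protocol name.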
> diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
> index 4a05045..6b43f6c 100644
> --- a/src/lib-master/master-service-ssl-settings.c
> +++ b/src/lib-master/master-service-ssl-settings.c
> @@ -44,7 +44,11 @@ static const struct master_service_ssl_settings master_service_ssl_default_setti
> .ssl_key = "",
> .ssl_key_password = "",
> .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> - .ssl_protocols = "!SSLv2",
> +#ifdef SSL_TXT_SSLV2
> + .ssl_protocols = "!SSLv2 !SSLv3",
> +#else
> + .ssl_protocols = "!SSLv3",
> +#endif
> .ssl_cert_username_field = "commonName",
> .ssl_crypto_device = "",
> .ssl_verify_client_cert = FALSE,
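Review bot: The `#ifdef SSL_TXT_SSLV2` guard around `.ssl_protocols` only works if an OpenSSL header that defines that macro is already included in master-service-ssl-settings.c, and the diffstat shows no `#include` being added to this file. If the header is not in scope, the `#else` branch is always taken and builds against older OpenSSL silently lose the `!SSLv2` default. Please confirm the include is present, or move the detection to a configure-time check that defines a project macro, so the choice of default does not depend on include order. A short comment above the `#ifdef` explaining why the default differs per OpenSSL version would also help later readers.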
Hi!
This patch is also being reviewed.
Thank you for your contributions.
Aki