Re: [PATCH] ssl: fix reference to SSLv2 and disable SSLv3

On 15.11.2016 13:55, Apollon Oikonomopoulos wrote:

This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at all and dovecot's defaults simply make OpenSSL error out with "Unknown protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL seems to know something about it.

While at it, it's also a good idea to disable SSLv3 by default as well.

[1] https://bugs.debian.org/844347

Signed-off-by: Apollon Oikonomopoulos --- doc/example-config/conf.d/10-ssl.conf | 2 +- src/lib-master/master-service-ssl-settings.c | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf index 31b750c..2cd445b 100644 --- a/doc/example-config/conf.d/10-ssl.conf +++ b/doc/example-config/conf.d/10-ssl.conf @@ -46,7 +46,7 @@ ssl_key =

# SSL protocols to use -#ssl_protocols = !SSLv2 +#ssl_protocols = !SSLv3

# SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c index 4a05045..6b43f6c 100644 --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -44,7 +44,11 @@ static const struct master_service_ssl_settings master_service_ssl_default_setti .ssl_key = "", .ssl_key_password = "", .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", - .ssl_protocols = "!SSLv2", +#ifdef SSL_TXT_SSLV2 + .ssl_protocols = "!SSLv2 !SSLv3", +#else + .ssl_protocols = "!SSLv3", +#endif .ssl_cert_username_field = "commonName", .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE,

Hi! This patch is also being reviewed. Thank you for your contributions. Aki