dovecot-1.0: SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag...
dovecot at dovecot.org
Sun Feb 12 03:32:50 EET 2012
details: http://hg.dovecot.org/dovecot-1.0/rev/708b2c9a851c
changeset: 5573:708b2c9a851c
user: Timo Sirainen <tss at iki.fi>
date: Sun Feb 12 03:32:20 2012 +0200
description:
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
This is to counter the "BEAST SSL" attack, although I don't think it's
practical to implement against IMAP/POP3/LMTP protocols. There's really no
way for attackers to inject any evil data before authentication, so the
password is safe. A post-authentication attacker could cause clients to
download evil emails, but even then clients don't typically redownload some
specific mail, so there's really no way to extract anything useful.
diffstat:
src/login-common/ssl-proxy-openssl.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diffs (15 lines):
diff -r f8f680d5ae04 -r 708b2c9a851c src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed May 11 18:03:31 2011 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sun Feb 12 03:32:20 2012 +0200
@@ -697,7 +697,10 @@
if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
i_fatal("SSL_CTX_new() failed");
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+ /* enable all SSL workarounds, except empty fragments as it
+ makes SSL more vulnerable against attacks */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
+ ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
cipher_list = getenv("SSL_CIPHER_LIST");
if (cipher_list == NULL)
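Review bot: the commit subject says the change enables SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but the hunk does the opposite: `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);` clears that bit out of SSL_OP_ALL, so OpenSSL goes back to inserting empty fragments, which is the CBC countermeasure the description is after. The in-code comment ("enable all SSL workarounds, except empty fragments") matches the code; please reword the subject line to say the flag is dropped rather than enabled. Since SSL_OP_ALL is the bundle of interoperability workarounds, removing one of them can affect clients that relied on it, so a sentence in the commit message noting that trade-off would help anyone later diagnosing a client that stops working over TLS.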