[Dovecot] disabling SSLv2 in dovecot 1.2.17
Steve Platt
steve.platt at mrc-bsu.cam.ac.uk
Fri Mar 9 17:05:26 EET 2012
Hi Mark,
I think I may not have been clear enough in my query, sorry!
What I'm trying to do is to prevent SSLv2 connections being made to our IMAP
server while allowing SSLv3 and TLSv1 connections. I think I've prevented the
use of SSLv2 ciphers but this does not prevent SSLv2 protocol connections (as
far as I can tell).
(Once connected, the SSLv2 client finds it has no ciphers so the session fails
at that point but this is not enough to satisfy our security audit. I want to
disable the use of the SSLv2 protocol itself, not just the SSLv2 ciphers)
steve.platt at mrc-bsu.cam.ac.uk said:
> I see Dovecot2 had the following change a year or so ago, in file
> src/login-common/ssl-proxy-openssl.c:
>
> - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
> + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>
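Review bot: the new flag is OR'd into the existing SSL_OP_ALL mask rather than replacing it, so the bug-compatibility workarounds stay enabled while SSLv2 is refused at the protocol level instead of failing later on cipher selection; the point worth raising is that this hard-codes the policy in ssl-proxy-openssl.c with no configuration knob, so an operator who needs a different minimum version has to patch and rebuild. Consider exposing the disabled versions as a setting, and document the changed default so an audit can point at it.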
> I tried making the same change to dovecot1's src tree on our test system and
> it seems to have the desired effect ...
I'm testing this by using:
openssl s_client -ssl2 -connect mailhost:993
This should fail immediately with "ssl handshake failure" (for a happy audit!).
Thanks again,
Steve
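The check described in the message above, generalised to the other protocol flags s_client accepts, as an added example that is not part of Steve's post or of Dovecot: it probes a host once per legacy version and classifies s_client's own output, treating an alert or an empty session (Cipher 0000) as a rejected handshake. The host name is a placeholder; an openssl build compiled without SSLv2 support rejects the -ssl2 flag itself, which the script also reports as rejected since no handshake took place.

```sh
#!/bin/sh
# Added example (not from the original post or from Dovecot).
# Probe an IMAPS endpoint with each legacy protocol version and report
# whether the server completed a handshake for it.

# classify_handshake: read openssl s_client output on stdin and print
# "accepted" when a session with a real cipher was negotiated, otherwise
# "rejected". Keys on s_client's own alert text and session summary.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'handshake failure'; then
        echo rejected                      # server sent an alert
    elif printf '%s\n' "$out" | grep -Eq 'Cipher *: *(0000|\(NONE\))'; then
        echo rejected                      # session block with no cipher
    elif printf '%s\n' "$out" | grep -Eq 'Cipher *: *[A-Za-z0-9]'; then
        echo accepted                      # a cipher was negotiated
    else
        echo rejected                      # no session at all (or bad flag)
    fi
}

# probe_protocol HOST PORT FLAG: run one s_client attempt with the given
# protocol flag (-ssl2, -ssl3, -tls1) and classify the result.
probe_protocol() {
    host=$1; port=$2; flag=$3
    printf 'QUIT\r\n' | openssl s_client "$flag" -connect "$host:$port" 2>&1 \
        | classify_handshake
}

# audit_legacy_tls HOST [PORT]: one line per protocol version, e.g.
#   -ssl2  rejected
#   -ssl3  accepted
#   -tls1  accepted
audit_legacy_tls() {
    host=$1; port=${2:-993}
    for flag in -ssl2 -ssl3 -tls1; do
        printf '%-6s %s\n' "$flag" "$(probe_protocol "$host" "$port" "$flag")"
    done
}

# Usage: ./audit_legacy_tls.sh mailhost.example 993   (placeholder host)
if [ "$#" -gt 0 ]; then
    audit_legacy_tls "$@"
fi
```

For the audit in the message, the -ssl2 line should read "rejected" while -ssl3 and -tls1 stay "accepted"; the classifier deliberately treats a missing session block as a rejection so a version the client tool cannot even offer is never reported as accepted.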