[Dovecot] disabling SSLv2 in dovecot 1.2.17

Steve Platt steve.platt at mrc-bsu.cam.ac.uk
Fri Mar 9 17:05:26 EET 2012


Hi Mark,

I think I may not have been clear enough in my query, sorry!

What I'm trying to do is to prevent SSLv2 connections being made to our IMAP 
server while allowing SSLv3 and TLSv1 connections. I think I've prevented the 
use of SSLv2 ciphers but this does not prevent SSLv2 protocol connections (as 
far as I can tell).

(Once connected, the SSLv2 client finds it has no ciphers so the session fails 
at that point but this is not enough to satisfy our security audit. I want to 
disable the use of the SSLv2 protocol itself, not just the SSLv2 ciphers)


steve.platt at mrc-bsu.cam.ac.uk said:
> I see Dovecot2 had the following change a year or so ago, in file  src/
> login-common/ssl-proxy-openssl.c:
>
> -       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
> +       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>
> I tried making the same change to dovecot1's src tree on our test system and
> it seems to have the desired effect ...

I'm testing this by using:

 openssl s_client -ssl2 -connect mailhost:993

This should fail immediately with "ssl handshake failure" (for a happy audit!).

Thanks again,
Steve




More information about the dovecot mailing list