Mercurial > dovecot > core-2.2
changeset 21109:9b40053e2b98
ssl: fix reference to SSLv2 and disable SSLv3
This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
all and dovecot's defaults simply make OpenSSL error out with "Unknown
protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
seems to know something about it.
While at it, it's also a good idea to disable SSLv3 by default as well.
[1] https://bugs.debian.org/844347
Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org>
author | Apollon Oikonomopoulos <apoikos@debian.org> |
---|---|
date | Tue, 15 Nov 2016 12:55:44 +0100 |
parents | 1a1310a5f7a8 |
children | 6318e62c94eb |
files | doc/example-config/conf.d/10-ssl.conf src/lib-master/master-service-ssl-settings.c |
diffstat | 2 files changed, 6 insertions(+), 2 deletions(-) |
--- a/doc/example-config/conf.d/10-ssl.conf Tue Nov 15 11:42:47 2016 +0100 +++ b/doc/example-config/conf.d/10-ssl.conf Tue Nov 15 12:55:44 2016 +0100 @@ -46,7 +46,7 @@ #ssl_dh_parameters_length = 1024 # SSL protocols to use -#ssl_protocols = !SSLv2 +#ssl_protocols = !SSLv3 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
--- a/src/lib-master/master-service-ssl-settings.c Tue Nov 15 11:42:47 2016 +0100 +++ b/src/lib-master/master-service-ssl-settings.c Tue Nov 15 12:55:44 2016 +0100 @@ -44,7 +44,11 @@ .ssl_key = "", .ssl_key_password = "", .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", - .ssl_protocols = "!SSLv2", +#ifdef SSL_TXT_SSLV2 + .ssl_protocols = "!SSLv2 !SSLv3", +#else + .ssl_protocols = "!SSLv3", +#endif .ssl_cert_username_field = "commonName", .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE,
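Review bot: In the doc/example-config/conf.d/10-ssl.conf hunk, the commented default `#ssl_protocols = !SSLv3` no longer matches the compiled default on builds where `SSL_TXT_SSLV2` is defined, which the second hunk sets to `"!SSLv2 !SSLv3"`. An administrator who uncomments the example line on such a build would be excluding only SSLv3. Suggest adding a comment above the setting noting that `!SSLv2` should also be listed when the linked OpenSSL still knows that protocol, or documenting both forms.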
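Review bot: In the src/lib-master/master-service-ssl-settings.c hunk, the `#ifdef SSL_TXT_SSLV2` guard only works if an OpenSSL header defining that macro is included in this file before the defaults struct, and the visible lines do not show such an include. If the macro is not visible here, the `#else` branch is taken silently and the default becomes `"!SSLv3"` even on OpenSSL builds that still support SSLv2, which would drop the SSLv2 exclusion. Please confirm the include is present (and guarded for builds without OpenSSL), and consider a short comment above the `#ifdef` explaining why the default differs, since the choice is made at compile time from the headers and not from the library loaded at run time.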