changeset 21109:9b40053e2b98

ssl: fix reference to SSLv2 and disable SSLv3 This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at all, so dovecot's defaults make OpenSSL error out with "Unknown protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 only if OpenSSL appears to know about it. While at it, it is also a good idea to disable SSLv3 by default. [1] https://bugs.debian.org/844347 Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org>
author Apollon Oikonomopoulos <apoikos@debian.org>
date Tue, 15 Nov 2016 12:55:44 +0100
parents 1a1310a5f7a8
children 6318e62c94eb
files doc/example-config/conf.d/10-ssl.conf src/lib-master/master-service-ssl-settings.c
diffstat 2 files changed, 6 insertions(+), 2 deletions(-) [+]
--- a/doc/example-config/conf.d/10-ssl.conf	Tue Nov 15 11:42:47 2016 +0100
+++ b/doc/example-config/conf.d/10-ssl.conf	Tue Nov 15 12:55:44 2016 +0100
@@ -46,7 +46,7 @@
 #ssl_dh_parameters_length = 1024
 
 # SSL protocols to use
-#ssl_protocols = !SSLv2
+#ssl_protocols = !SSLv3
 
 # SSL ciphers to use
 #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
--- a/src/lib-master/master-service-ssl-settings.c	Tue Nov 15 11:42:47 2016 +0100
+++ b/src/lib-master/master-service-ssl-settings.c	Tue Nov 15 12:55:44 2016 +0100
@@ -44,7 +44,11 @@
 	.ssl_key = "",
 	.ssl_key_password = "",
 	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
-	.ssl_protocols = "!SSLv2",
+#ifdef SSL_TXT_SSLV2
+	.ssl_protocols = "!SSLv2 !SSLv3",
+#else
+	.ssl_protocols = "!SSLv3",
+#endif
 	.ssl_cert_username_field = "commonName",
 	.ssl_crypto_device = "",
 	.ssl_verify_client_cert = FALSE,
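Review bot: The `#ifdef SSL_TXT_SSLV2` guarding the new `.ssl_protocols` initializer only does what the commit intends if an OpenSSL header that defines that macro (`<openssl/ssl.h>`) is included earlier in this file; the includes are outside the hunk, and if the macro is not visible at this point the `!SSLv2` exclusion silently disappears on every OpenSSL version, not just 1.1, while the build still succeeds. Worth confirming the include, and documenting the reason for the conditional so it is not "simplified" away later, e.g. `/* OpenSSL 1.1 dropped SSLv2; naming it in ssl_protocols makes the library reject the setting, so exclude it only when the headers still define it. */` above the `#ifdef`. Whether the `ssl_protocols` parser accepts `!SSLv3` as a token is not visible here and should be checked against the code that consumes this default. Note also that the example config in the first hunk now shows only `!SSLv3`, which differs from the compiled default on builds where SSLv2 is still known. The settings struct initializer that contains these lines starts and ends outside the hunk.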