changeset 9653:9f3c8c59f8c4 HEAD

SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security. This is to counter the "BEAST SSL" attack, although I don't think it's practical to implement against IMAP/POP3/LMTP protocols. There's really no way for attackers to inject any evil data before authentication, so the password is safe. Post-authentication attacker could cause clients to download evil emails, but even then clients don't typically redownload some specific mail, so there's really no way to extract anything useful.
author Timo Sirainen <tss@iki.fi>
date Sun, 12 Feb 2012 03:32:20 +0200
parents 031a4c2fabea
children c80abc48d486
files src/login-common/ssl-proxy-openssl.c
diffstat 1 files changed, 4 insertions(+), 1 deletions(-)
--- a/src/login-common/ssl-proxy-openssl.c	Sat Jan 28 23:58:50 2012 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Feb 12 03:32:20 2012 +0200
@@ -817,7 +817,10 @@
 {
 	const char *cafile;
 
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+	/* enable all SSL workarounds, except empty fragments as it
+	   makes SSL more vulnerable against attacks */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
+			    ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
 
 	cafile = getenv("SSL_CA_FILE");
 	if (cafile != NULL) {
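Review bot: the new comment above SSL_CTX_set_options() is ambiguous about direction. "except empty fragments as it makes SSL more vulnerable" can be read as saying that empty fragments are the weakness, when the bit being masked out is SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, so the result is that OpenSSL keeps inserting empty fragments (the CBC countermeasure). Suggest wording such as "enable all SSL workarounds except SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which would disable the empty-fragment countermeasure". The commit summary has the same inversion: it says the flag is enabled, while the code leaves it out of the option mask. Also note that SSL_CTX_set_options() only adds bits to the context's option mask, so this relies on ssl_ctx not already having that bit set; nothing in the visible lines sets it, but if any earlier code path does, SSL_CTX_clear_options() would be needed to drop it.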