https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7199
Bug ID: 7199
Summary: Bad SSL/TLS Version Default
Product: Spamassassin
Version: 3.4.1
Hardware: PC
OS: OpenBSD
Status: NEW
Severity: normal
Priority: P2
Component: spamc/spamd
Assignee: [email protected]
Reporter: [email protected]
Created attachment 5303
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5303&action=edit
Patch libspamc.c and spamd.raw to remove SSL version
In OpenBSD-current with LibreSSL the regression tests of SpamAssassin
fail. SSLv3 has been deprecated because of the POODLE attack, so
the SSL versions used by spamc and spamd do not work anymore.
The SSLv3_client_method() allows only SSLv3 while SSLv23_client_method()
chooses a suitable version. As noted before, SSLv3 is insecure and
does not work anymore. I would recommend removing the whole
sslv3/tlsv1 command-line switch from spamc as it does not allow newer
TLSv1_1 or TLSv1_2 protocols. My patch is only a minimal change
to get SSL working again.
The ssl-version in spamd also does not make sense anymore. SSLv3
is obsolete and TLSv1 is the weakest protocol available. Please
do not try to set it, but let IO::Socket::SSL choose a sane default.
Again I only provide a minimal diff, I think it would make sense
to remove the command-line option ssl-version completely.
Finally I added some error messages to debug the SSL problems.