[PATCH] ssl: fix reference to SSLv2 and disable SSLv3

Tue, 15 Nov 2016 03:57:19 -0800 

This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
all and dovecot's defaults simply make OpenSSL error out with "Unknown
protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
seems to know something about it.

While at it, it's also a good idea to disable SSLv3 by default as well.

[1] https://bugs.debian.org/844347

Signed-off-by: Apollon Oikonomopoulos <[email protected]>
---
 doc/example-config/conf.d/10-ssl.conf        | 2 +-
 src/lib-master/master-service-ssl-settings.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/example-config/conf.d/10-ssl.conf 
b/doc/example-config/conf.d/10-ssl.conf
index 31b750c..2cd445b 100644
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
 #ssl_dh_parameters_length = 1024
 
 # SSL protocols to use
-#ssl_protocols = !SSLv2
+#ssl_protocols = !SSLv3
 
 # SSL ciphers to use
 #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
diff --git a/src/lib-master/master-service-ssl-settings.c 
b/src/lib-master/master-service-ssl-settings.c
index 4a05045..6b43f6c 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -44,7 +44,11 @@ static const struct master_service_ssl_settings 
master_service_ssl_default_setti
        .ssl_key = "",
        .ssl_key_password = "",
        .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
-       .ssl_protocols = "!SSLv2",
+#ifdef SSL_TXT_SSLV2
+       .ssl_protocols = "!SSLv2 !SSLv3",
+#else
+       .ssl_protocols = "!SSLv3",
+#endif
        .ssl_cert_username_field = "commonName",
        .ssl_crypto_device = "",
        .ssl_verify_client_cert = FALSE,
-- 
2.10.1

Reply via email to