On 15.11.2016 13:55, Apollon Oikonomopoulos wrote:
> This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
> all and dovecot's defaults simply make OpenSSL error out with "Unknown
> protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
> seems to know something about it.
>
> While at it, it's also a good idea to disable SSLv3 by default as well.
>
> [1] https://bugs.debian.org/844347
>
> Signed-off-by: Apollon Oikonomopoulos <[email protected]>
> ---
> doc/example-config/conf.d/10-ssl.conf | 2 +-
> src/lib-master/master-service-ssl-settings.c | 6 +++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/doc/example-config/conf.d/10-ssl.conf
> b/doc/example-config/conf.d/10-ssl.conf
> index 31b750c..2cd445b 100644
> --- a/doc/example-config/conf.d/10-ssl.conf
> +++ b/doc/example-config/conf.d/10-ssl.conf
> @@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
> #ssl_dh_parameters_length = 1024
>
> # SSL protocols to use
> -#ssl_protocols = !SSLv2
> +#ssl_protocols = !SSLv3
>
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> diff --git a/src/lib-master/master-service-ssl-settings.c
> b/src/lib-master/master-service-ssl-settings.c
> index 4a05045..6b43f6c 100644
> --- a/src/lib-master/master-service-ssl-settings.c
> +++ b/src/lib-master/master-service-ssl-settings.c
> @@ -44,7 +44,11 @@ static const struct master_service_ssl_settings
> master_service_ssl_default_setti
> .ssl_key = "",
> .ssl_key_password = "",
> .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> - .ssl_protocols = "!SSLv2",
> +#ifdef SSL_TXT_SSLV2
> + .ssl_protocols = "!SSLv2 !SSLv3",
> +#else
> + .ssl_protocols = "!SSLv3",
> +#endif
> .ssl_cert_username_field = "commonName",
> .ssl_crypto_device = "",
> .ssl_verify_client_cert = FALSE,
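Review bot: The `#ifdef SSL_TXT_SSLV2` guard in master-service-ssl-settings.c tests the wrong thing: SSL_TXT_SSLV2 is only the string constant for the token "SSLv2" in OpenSSL's ssl.h, so it is visible here only if that header is included in this translation unit (not shown in the hunk), and if OpenSSL 1.1 still ships the define after removing the protocol the `!SSLv2 !SSLv3` branch is still chosen and the "Unknown protocol 'SSLv2'" failure the commit message describes persists. The feature test OpenSSL provides for a compiled-out SSLv2 is `OPENSSL_NO_SSL2` from opensslconf.h, so `#if defined(SSL_TXT_SSLV2) && !defined(OPENSSL_NO_SSL2)` would pick the `!SSLv2 !SSLv3` default only when the library can actually negotiate SSLv2 and fall back to `!SSLv3` otherwise. Whichever condition is used, a comment on the directive such as `/* OpenSSL built without SSLv2 rejects "!SSLv2" as an unknown protocol */` would save the next reader a trip to the bug report. The example in doc/example-config/conf.d/10-ssl.conf drops `!SSLv2` unconditionally, so an administrator who uncomments it on a build where SSLv2 is still compiled in re-enables SSLv2; a line in the example's comment saying that `!SSLv2` is still needed on such builds would close that gap. The initializer for master_service_ssl_default_settings starts and ends outside the hunk.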
Hi! This patch is also being reviewed. Thank you for your contributions. Aki
