On 2014-10-21 at 08:23 +0200, Frank Elsner wrote:
> Sorry, but I can't find `openssl_options` in the doc for exim-4.72.
>                                                                 ^^
> NewStuff introduces this option for version 4.73.
I missed that in the Subject. Then there is no way for you to disable SSLv3 usage in your ancient Exim, without replacing the OpenSSL library with one which disables SSLv3 for you or patching Exim yourself: instructions below.

4.73 was released over three years ago, on 2011-01-05. I added `+no_sslv3` as a valid value in commit c0c7b2da on 2011-03-22, included with Exim 4.76 released 2011-05-09, also over three years ago. You'll also need OpenSSL 1.<something>, since the constant we use wasn't exposed in OpenSSL 0.9.8n, which was the basis of the previous list of available options. (Unless OpenSSL backported the option to 0.9.8.)

When asked "How do I do X with Exim?" and the Exim maintainers say "Here's the feature where we provided that, years ago", then if you don't want to take the release where we provided that feature, all I can say is "You have the source code for your version and the source code where we fixed it, go ahead and make the change yourself." This works well for OS packagers who decide which fixes to take and which not to take.

It's a little easier in this case: I fixed it in Exim by adding a generic extensible option, `openssl_options`, which can be used to tune Exim's tuning of OpenSSL. You don't need that. You need a one-line code change.

From commit `c0c7b2da` you get that the OpenSSL constant you need is `SSL_OP_NO_SSLv3`. I added `openssl_options` in commit 77bb000f and from that we see that you're looking for the bit in `tls-openssl.c` which looks like this:

----------------------------8< cut here >8------------------------------
  if (!(SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
    return tls_error(US"SSL_CTX_set_option", host, NULL);
#endif
----------------------------8< cut here >8------------------------------

Change the call to be:

  SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|SSL_OP_NO_SSLv3)

That is: use the `|` vertical bar for a bit-wise OR operator and OR in the flag which disables SSLv3.

Insert those 16 extra characters and recompile Exim. If compilation fails with SSL_OP_NO_SSLv3 being unknown, then your OpenSSL headers are too old and you can't disable SSLv3 without replacing OpenSSL.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
