Hi,

As you may know, SSLv3 has been pushed into end of life.

While SSL libraries are working this out, I committed a fix to disable
it explicitly in our code just in case someone builds it against some
pre-catastrophe OpenSSL/LibreSSL version.


We're going to be releasing a minor stable in the next few days with a
few bugs fixed in it, the SSLv3 disable WILL be part of it.


I'll also be publishing both master and portable snapshots in a couple
minutes with the SSLv3 disable in them.


If you're running stable and can't wait for the next minor stable, you
can simply apply the following diff:


Index: ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl.c,v
retrieving revision 1.71
diff -u -p -r1.71 ssl.c
--- ssl.c       2 Oct 2014 18:30:21 -0000       1.71
+++ ssl.c       15 Oct 2014 19:14:52 -0000
@@ -263,7 +263,7 @@ ssl_ctx_create(const char *pkiname, char
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
        SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
        SSL_CTX_set_options(ctx,
-           SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
+           SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET);
        SSL_CTX_set_options(ctx,
            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
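Review bot: The new SSL_OP_NO_SSLv3 flag in the first SSL_CTX_set_options() call has no comment saying why the protocol is turned off, so a later cleanup of the option mask could drop it without anyone noticing. A one-line comment above the call stating that SSLv2 and SSLv3 are disabled on purpose would protect it. The change also only covers contexts built through ssl_ctx_create(); if any SSL_CTX is created elsewhere in the tree, it needs the same flag. As a smaller point, the two back-to-back SSL_CTX_set_options() calls on the same ctx could be folded into one, which keeps the whole protocol and option policy in a single place for review.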


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
