Re: That SSLv3 thing

Sun, 16 Aug 2015 12:05:52 -0700 


On 08/16/15 11:41, Seth wrote:

On Wed, 15 Oct 2014 12:33:50 -0700, Gilles Chehade <gil...@poolp.org> 
wrote:



Hi,

As you may know, SSLv3 has been pushed into end of life.

While SSL libraries are working this out, I committed a fix to disable
it explicitely in our code just in case someone builds it against some
pre-catastrophe OpenSSL/LibreSSL version.


We're going to be releasing a minor stable in the next few days with a
few bugs fixed in it, the SSLv3 disable WILL be part of it.


I'll also be publishing both master and portable snapshots in a couple
minutes with the SSLv3 disable in them.


If you're running stable and can't wait for the next minor stable, you
can simply apply the following diff:


Index: ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl.c,v
retrieving revision 1.71
diff -u -p -r1.71 ssl.c
--- ssl.c    2 Oct 2014 18:30:21 -0000    1.71
+++ ssl.c    15 Oct 2014 19:14:52 -0000
@@ -263,7 +263,7 @@ ssl_ctx_create(const char *pkiname, char
     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
     SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
     SSL_CTX_set_options(ctx,
-        SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);

+        SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | 
SSL_OP_NO_TICKET);

     SSL_CTX_set_options(ctx,
         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);




I'm trying to disable the TLSv1.0 protocol on the 5.7.1 release using 
a similar approach...



ssl.c:      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | 
SSL_OP_NO_TLSv1_0 | SSL_OP_NO_TICKET);


however compile is failing with this error


/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c: In function 
'ssl_ctx_create':
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error: 
'SSL_OP_NO_TLSv1_0' undeclared (first use in this function)
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error: (Each 
undeclared identifier is reported only once
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error: for 
each function it appears in.)

*** Error 1 in smtpd (<sys.mk>:87 'ssl.o')

*** Error 1 in /usr/local/src/opensmtpd-5.7.1/smtpd 
(<bsd.subdir.mk>:48 'all')


Any pointers?


SSL_OP_etc are defined in /usr/include/openssl/ssl.h there is no 
SSL_OP_NO_TLSv1_0 defined there hence the error.  There is an 
SSL_OP_NO_TLSv1_1 defined maybe thats what you're looking for.


--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org























					Reply via email to