On 08/16/15 11:41, Seth wrote:
On Wed, 15 Oct 2014 12:33:50 -0700, Gilles Chehade <gil...@poolp.org>
wrote:
Hi,
As you may know, SSLv3 has been pushed into end of life.
While SSL libraries are working this out, I committed a fix to disable
it explicitly in our code just in case someone builds it against some
pre-catastrophe OpenSSL/LibreSSL version.
We're going to be releasing a minor stable in the next few days with a
few bugs fixed in it, the SSLv3 disable WILL be part of it.
I'll also be publishing both master and portable snapshots in a couple
minutes with the SSLv3 disable in them.
If you're running stable and can't wait for the next minor stable, you
can simply apply the following diff:
Index: ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl.c,v
retrieving revision 1.71
diff -u -p -r1.71 ssl.c
--- ssl.c 2 Oct 2014 18:30:21 -0000 1.71
+++ ssl.c 15 Oct 2014 19:14:52 -0000
@@ -263,7 +263,7 @@ ssl_ctx_create(const char *pkiname, char
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
SSL_CTX_set_options(ctx,
- SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
+ SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TICKET);
SSL_CTX_set_options(ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
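Review bot: the added line in ssl_ctx_create has been wrapped by the mailer, so SSL_OP_NO_TICKET); sits on its own line with no + marker and the hunk no longer matches its -263,7 +263,7 header; patch(1) will reject it as posted. Rejoin the two lines into one + line before applying, or send the diff as an attachment. A short comment above this SSL_CTX_set_options call saying why SSLv3 is masked off would also help, since the option list itself carries no explanation.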
I'm trying to disable the TLSv1.0 protocol on the 5.7.1 release using
a similar approach...
ssl.c: SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1_0 | SSL_OP_NO_TICKET);
however compile is failing with this error
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c: In function
'ssl_ctx_create':
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error:
'SSL_OP_NO_TLSv1_0' undeclared (first use in this function)
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error: (Each
undeclared identifier is reported only once
/usr/local/src/opensmtpd-5.7.1/smtpd/smtpd/../ssl.c:287: error: for
each function it appears in.)
*** Error 1 in smtpd (<sys.mk>:87 'ssl.o')
*** Error 1 in /usr/local/src/opensmtpd-5.7.1/smtpd
(<bsd.subdir.mk>:48 'all')
Any pointers?
SSL_OP_etc are defined in /usr/include/openssl/ssl.h; there is no
SSL_OP_NO_TLSv1_0 defined there, hence the error. There is an
SSL_OP_NO_TLSv1_1 defined; maybe that's what you're looking for.
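The header check described in the reply above, as an added example that is not part of the original thread: a shell pre-flight that lists the protocol-disable macros a given ssl.h defines and reports any SSL_OP_* name in a candidate option line that the header does not declare. The function names and the embedded header excerpt are constructed for illustration; on a real system, pass the installed header path (the reply names /usr/include/openssl/ssl.h) instead of the sample.

```shell
#!/bin/sh
# Constructed excerpt modelled on the option macros in an OpenSSL 1.0.x
# <openssl/ssl.h>; it stands in for the real header so the script runs offline.
make_sample_header() {
    cat <<'EOF'
#define SSL_OP_ALL         0x80000BFFL
#define SSL_OP_NO_TICKET   0x00004000L
#define SSL_OP_NO_SSLv2    0x01000000L
#define SSL_OP_NO_SSLv3    0x02000000L
#define SSL_OP_NO_TLSv1    0x04000000L  /* disables TLS 1.0 */
#define SSL_OP_NO_TLSv1_2  0x08000000L  /* disables TLS 1.2 */
#define SSL_OP_NO_TLSv1_1  0x10000000L  /* disables TLS 1.1 */
EOF
}

# Print the macro names a header defines, accepting "#define" and "# define".
defined_macros() {
    awk '{ sub(/^#[ \t]*define[ \t]+/, "#define ") }
         $1 == "#define" { print $2 }' "$1"
}

# List the protocol-version disable flags available in header $1.
list_proto_flags() {
    defined_macros "$1" | grep -E '^SSL_OP_NO_(SSL|TLS)v[0-9_]+$' | sort
}

# Report every SSL_OP_* name used in C expression $2 that header $1 lacks.
missing_ssl_ops() {
    for name in $(printf '%s\n' "$2" | tr -c 'A-Za-z0-9_' '\n' |
                  grep '^SSL_OP_' | sort -u); do
        defined_macros "$1" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Demo: check the option line from the failed build against the sample header.
HEADER=$(mktemp)
make_sample_header > "$HEADER"
echo "Protocol flags defined:"
list_proto_flags "$HEADER"
echo "Undeclared in candidate line:"
missing_ssl_ops "$HEADER" \
    'SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_0 | SSL_OP_NO_TICKET'
rm -f "$HEADER"
```

Running the check before editing ssl.c shows which flag names the installed library actually offers, so an undeclared identifier is caught before the build.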