Hi,

If you compile qpopper with OpenSSL version 0.9.6d or higher, there
is a problem with a broken SSL implementation in Eudora 5.1.1
on Windows. Qualcomm is looking into replacing the SSL DLL
to correct the problem.

The Eudora help desk reported the following: "In OpenSSL 0.9.6e, make
sure to compile it with the CBC Countermeasure disabled. Please
consult the OpenSSL files on how to do this."

It did not feel right to change the OpenSSL code, so I've created
a patch for qpopper which stops the CBC Countermeasure from being
applied when a client connects to a qpopper compiled with OpenSSL
version 0.9.6d or higher.

This should pose no problems and fixes the reported problems with Eudora.
See the SSL_CTX_set_options manual pages for more information. Maybe
setting SSL_OP_ALL is a bit of overkill, and we might be a little
more conservative and set only SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

I'd like to hear your feedback on this.

Regards,
 
 - Brendan


#### patch start below.

*** pop_tls_openssl.c.orig      Wed Aug  7 14:54:53 2002
--- pop_tls_openssl.c   Fri Aug  9 16:23:00 2002
***************
*** 340,345 ****
--- 340,360 ----
          goto Done;
      }
  
+     /* 
+      * This set's the option SSL_OP_ALL to the ssl conection to allow 
+      * "broken" clients to connect to the server.
+      */
+ 
+     DEBUG_LOG0 (pPOP, "...set SSL_CTX_set_options to"
+               " SSL_OP_ALL to allow broken ssl implementations.");
+ 
+     SSL_CTX_set_options(pTLS->m_OpenSSLctx, SSL_OP_ALL);
+     if(!(SSL_CTX_get_options(pTLS->m_OpenSSLctx) & SSL_OP_ALL))
+     {
+       log_openssl_err ( pPOP, HERE, "Unable to set SSL_OP_ALL option."
+               " Some clients may not be able to connect." );
+     }
+ 
      /*
       * Establish the certificate for our server cert.
       */
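Review bot: SSL_OP_ALL in the SSL_CTX_set_options call is much broader than the problem described; it switches on every client bug workaround OpenSSL knows, while the covering e-mail itself identifies SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as the single option Eudora 5.1.1 needs. Prefer `SSL_CTX_set_options(pTLS->m_OpenSSLctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);` and adjust the DEBUG_LOG0 and error text to match, so the change disables only the CBC countermeasure and nothing else. The verification that follows is also weaker than it looks: `!(SSL_CTX_get_options(...) & SSL_OP_ALL)` is false as soon as any one bit of the mask is set, so it cannot tell a fully applied mask from a partial one; testing `(opts & mask) == mask` (or the value SSL_CTX_set_options returns, which is the new option bitmask) gives a real check. Finally, since the option deliberately removes a countermeasure against a known CBC weakness for every client, not just Eudora, a one-line comment stating that trade-off here, and a mention in the documentation or a configuration knob to turn it off once Qualcomm ships the fixed DLL, would help the next maintainer.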
