On Sat, Mar 10 2018, Stuart Henderson <s...@spacehopper.org> wrote:
> mail/dovecot's default config has a problem because SSL_TXT_SSLV2
> is defined but SSLv2 is not allowed in a protocol string. End result
> is that unless you specify your own ssl_protocols line, Dovecot will
> start but client connections will fail. (I ran into this after updating
> an oldish mail server).
>
> dovecot: src/lib-master/master-service-ssl-settings.c
> static const struct master_service_ssl_settings master_service_ssl_default_settings = {
> #ifdef HAVE_SSL
>     .ssl = "yes:no:required",
> #else
>     .ssl = "no:yes:required",
> #endif
>     .ssl_ca = "",
>     .ssl_cert = "",
>     .ssl_key = "",
>     .ssl_alt_cert = "",
>     .ssl_alt_key = "",
>     .ssl_key_password = "",
>     .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> #ifdef SSL_TXT_SSLV2
>     .ssl_protocols = "!SSLv2 !SSLv3",
> #else
>     .ssl_protocols = "!SSLv3",
> #endif
>     .ssl_cert_username_field = "commonName",
>     .ssl_crypto_device = "",
>     .ssl_verify_client_cert = FALSE,
>     .ssl_require_crl = TRUE,
>     .verbose_ssl = FALSE,
>     .ssl_prefer_server_ciphers = FALSE,
>     .ssl_options = "",
> };
>
> Looks like there's something related in mail/kopano/core.
>
> SSL_TXT_SSLV2 isn't used anywhere in our tree and looking at Debian
> codesearch results I think it's safe if we just drop the define as
> OpenSSL has also done in 1.1. (I don't think the same is possible for
> SSL_TXT_SSLV3 without causing churn).
>
> Alternatively we could patch the ports, but there doesn't seem much
> point in that. (Obviously those ports would still need REVISION bumps
> in order that users get updated).
>
> OK?
I don't see the point of keeping it. The code in kopano seems to be able to cope. ok jca@ > Index: lib/libssl/ssl.h > =================================================================== > RCS file: /cvs/src/lib/libssl/ssl.h,v > retrieving revision 1.146 > diff -u -p -r1.146 ssl.h > --- lib/libssl/ssl.h 3 Mar 2018 19:58:29 -0000 1.146 > +++ lib/libssl/ssl.h 10 Mar 2018 11:18:16 -0000 > @@ -300,7 +300,6 @@ extern "C" { > #define SSL_TXT_STREEBOG512 "STREEBOG512" > > #define SSL_TXT_DTLS1 "DTLSv1" > -#define SSL_TXT_SSLV2 "SSLv2" > #define SSL_TXT_SSLV3 "SSLv3" > #define SSL_TXT_TLSV1 "TLSv1" > #define SSL_TXT_TLSV1_1 "TLSv1.1" > > -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
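Review bot: The removal of `#define SSL_TXT_SSLV2 "SSLv2"` in the `@@ -300,7 +300,6 @@` hunk changes a public header, and the hunk carries nothing that records why SSL_TXT_SSLV3 on the next line stays while SSL_TXT_SSLV2 goes. Consumers that test `#ifdef SSL_TXT_SSLV2` resolve it at compile time, so already-built packages keep the old behaviour until they are rebuilt. I would put both points in the commit message: that OpenSSL 1.1 dropped the same define, and that the ports named in the thread still need REVISION bumps for users to get the fix.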
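Added example, not part of the original thread and not Dovecot or LibreSSL code: a small C model of the failure described above, where a header macro is treated as a capability test but the protocol-string parser no longer knows the name. The parser, the accepted-name table and the `header_defines_sslv2` flag (standing in for `#ifdef SSL_TXT_SSLV2`) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: names the protocol-string parser accepts.
 * "SSLv2" is absent, as on the system described in the thread. */
static const char *const accepted[] = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
#define N_ACCEPTED (sizeof(accepted) / sizeof(accepted[0]))

/* Hypothetical strict parser: 0 if every space-separated token
 * (optionally prefixed with '!') is a known name, -1 otherwise. */
static int parse_protocols(const char *spec)
{
    const char *p = spec;

    while (*p != '\0') {
        size_t len, i;
        int known = 0;

        p += strspn(p, " ");            /* skip separators */
        if (*p == '\0')
            break;
        if (*p == '!')                  /* negation prefix */
            p++;
        len = strcspn(p, " ");
        for (i = 0; i < N_ACCEPTED; i++)
            if (strlen(accepted[i]) == len && memcmp(p, accepted[i], len) == 0)
                known = 1;
        if (!known)
            return -1;                  /* unknown name: whole string rejected */
        p += len;
    }
    return 0;
}

/* Default chosen by an application that reads the macro as "SSLv2 is nameable".
 * The int argument models the compile-time #ifdef so both cases run in one binary. */
static const char *default_protocols(int header_defines_sslv2)
{
    return header_defines_sslv2 ? "!SSLv2 !SSLv3" : "!SSLv3";
}

int main(void)
{
    printf("macro defined:   %s\n",
        parse_protocols(default_protocols(1)) == 0 ? "accepted" : "rejected");
    printf("macro undefined: %s\n",
        parse_protocols(default_protocols(0)) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the macro present the default string is rejected even though its only purpose is to disable SSLv2; with the macro gone the same application falls back to a string the parser accepts.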