On Sat, Mar 10 2018, Stuart Henderson <s...@spacehopper.org> wrote:
> mail/dovecot's default config has a problem because SSL_TXT_SSLV2
> is defined but SSLv2 is not allowed in a protocol string. End result
> is that unless you specify your own ssl_protocols line, Dovecot will
> start but client connections will fail. (I ran into this after updating
> an oldish mail server).
>
> dovecot: src/lib-master/master-service-ssl-settings.c
> static const struct master_service_ssl_settings master_service_ssl_default_settings = {
> #ifdef HAVE_SSL
>         .ssl = "yes:no:required",
> #else
>         .ssl = "no:yes:required",
> #endif
>         .ssl_ca = "",
>         .ssl_cert = "",
>         .ssl_key = "",
>         .ssl_alt_cert = "",
>         .ssl_alt_key = "",
>         .ssl_key_password = "",
>         .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> #ifdef SSL_TXT_SSLV2
>         .ssl_protocols = "!SSLv2 !SSLv3",
> #else
>         .ssl_protocols = "!SSLv3",
> #endif
>         .ssl_cert_username_field = "commonName",
>         .ssl_crypto_device = "",
>         .ssl_verify_client_cert = FALSE,
>         .ssl_require_crl = TRUE,
>         .verbose_ssl = FALSE,
>         .ssl_prefer_server_ciphers = FALSE,
>         .ssl_options = "",
> };
>
> Looks like there's something related in mail/kopano/core.
>
> SSL_TXT_SSLV2 isn't used anywhere in our tree and looking at Debian
> codesearch results I think it's safe if we just drop the define as
> OpenSSL has also done in 1.1. (I don't think the same is possible for
> SSL_TXT_SSLV3 without causing churn).
>
> Alternatively we could patch the ports, but there doesn't seem much
> point in that. (Obviously those ports would still need REVISION bumps
> in order that users get updated).
>
> OK?

I don't see the point of keeping it.  The code in kopano seems to be
able to cope.  ok jca@

> Index: lib/libssl/ssl.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/ssl.h,v
> retrieving revision 1.146
> diff -u -p -r1.146 ssl.h
> --- lib/libssl/ssl.h  3 Mar 2018 19:58:29 -0000       1.146
> +++ lib/libssl/ssl.h  10 Mar 2018 11:18:16 -0000
> @@ -300,7 +300,6 @@ extern "C" {
>  #define SSL_TXT_STREEBOG512          "STREEBOG512"
>  
>  #define SSL_TXT_DTLS1                "DTLSv1"
> -#define SSL_TXT_SSLV2                "SSLv2"
>  #define SSL_TXT_SSLV3                "SSLv3"
>  #define SSL_TXT_TLSV1                "TLSv1"
>  #define SSL_TXT_TLSV1_1              "TLSv1.1"
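Review bot: Deleting SSL_TXT_SSLV2 from the installed ssl.h is an API-visible change, since anything guarded by `#ifdef SSL_TXT_SSLV2` switches branch at its next build; that is the intended effect on the Dovecot default quoted above (it falls back to `.ssl_protocols = "!SSLv3"`), but it only takes effect once mail/dovecot and mail/kopano/core are rebuilt, so the ports REVISION bumps mentioned in the cover text should land together with this header change rather than later. The hunk leaves `#define SSL_TXT_SSLV3` untouched, consistent with the stated plan not to drop that one.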
>
>

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
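As an added illustration (not Dovecot's or LibreSSL's code), the following C program models the failure described in the thread: the default protocol string is chosen from a build-time text macro, but which protocol names the library accepts is a runtime question, so the "!SSLv2 !SSLv3" default only parses when the protocol table still knows SSLv2. The protocol-name table, the bit-mask layout and the parsing rule (bare names enable, a leading '!' disables) are assumptions made for the model and are not Dovecot's real parser; the check at the end is the kind of startup validation that turns client-visible handshake failures into a refused start with a clear error.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protocol names the modelled TLS library accepts in a protocol string.
 * Constructed for this example: SSLv2 is deliberately absent, as in a
 * LibreSSL build where SSLv2 support was removed entirely. */
static const char *const known_protocols[] = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
#define NKNOWN (sizeof(known_protocols) / sizeof(known_protocols[0]))
#define ALL_PROTOCOLS ((1u << NKNOWN) - 1u)

/* Bit positions follow the table order above (assumed layout). */
enum { PROTO_SSLV3 = 1u << 0, PROTO_TLSV1 = 1u << 1,
       PROTO_TLSV1_1 = 1u << 2, PROTO_TLSV1_2 = 1u << 3 };

static int proto_index(const char *name, size_t len)
{
    for (size_t i = 0; i < NKNOWN; i++)
        if (strlen(known_protocols[i]) == len &&
            memcmp(known_protocols[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Parse a whitespace/comma separated protocol string (simplified model of a
 * Dovecot-style ssl_protocols value). "!NAME" disables NAME; a bare NAME
 * enables it and, once any bare name appears, only listed names stay on.
 * Returns 0 and fills *enabled on success, or -1 with a message in err when
 * a name is unknown to the library. */
int parse_ssl_protocols(const char *str, unsigned *enabled, char *err, size_t errlen)
{
    unsigned pos = 0, neg = 0;
    int have_pos = 0;
    const char *p = str;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != ',')
            p++;
        size_t len = (size_t)(p - start);
        int negate = (start[0] == '!');
        const char *name = start + negate;
        size_t namelen = len - (size_t)negate;
        int idx = proto_index(name, namelen);
        if (idx < 0) {
            snprintf(err, errlen, "ssl_protocols: unknown protocol '%.*s'",
                     (int)namelen, name);
            return -1;
        }
        if (negate)
            neg |= 1u << idx;
        else {
            pos |= 1u << idx;
            have_pos = 1;
        }
    }
    *enabled = (have_pos ? pos : ALL_PROTOCOLS) & ~neg;
    return 0;
}

/* The default Dovecot picks, as quoted in the thread: decided at build time
 * from a text macro, not from what the library can actually negotiate. */
const char *default_ssl_protocols(int have_sslv2_macro)
{
    return have_sslv2_macro ? "!SSLv2 !SSLv3" : "!SSLv3";
}

/* Enabled-protocol mask for a string, or UINT_MAX if the string is rejected. */
unsigned enabled_for(const char *str)
{
    unsigned enabled;
    char err[128];
    if (parse_ssl_protocols(str, &enabled, err, sizeof err) != 0)
        return UINT_MAX;
    return enabled;
}

/* Startup check: validate the default before accepting connections, so a bad
 * default is a refused start with a clear message rather than failing clients. */
int default_config_ok(int have_sslv2_macro)
{
    return enabled_for(default_ssl_protocols(have_sslv2_macro)) != UINT_MAX;
}

int main(void)
{
    for (int m = 1; m >= 0; m--) {
        const char *def = default_ssl_protocols(m);
        char err[128];
        unsigned enabled;
        if (parse_ssl_protocols(def, &enabled, err, sizeof err) == 0)
            printf("SSL_TXT_SSLV2 %s: default \"%s\" ok, enabled mask 0x%x\n",
                   m ? "defined" : "undefined", def, enabled);
        else
            printf("SSL_TXT_SSLV2 %s: default \"%s\" rejected: %s\n",
                   m ? "defined" : "undefined", def, err);
    }
    return 0;
}
```

Running it prints one line per case: with the macro defined the default is rejected as an unknown protocol name, without it the enabled set is TLSv1 through TLSv1.2 (mask 0xe). The design point is that the probe deciding the default should test the same thing the runtime parser tests; a text macro for a protocol name is not evidence that the protocol is negotiable.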
