mail/dovecot's default config has a problem because SSL_TXT_SSLV2
is defined but SSLv2 is not allowed in a protocol string. End result
is that unless you specify your own ssl_protocols line, Dovecot will
start but client connections will fail. (I ran into this after updating
an oldish mail server).

dovecot: src/lib-master/master-service-ssl-settings.c

static const struct master_service_ssl_settings master_service_ssl_default_settings = {
#ifdef HAVE_SSL
        .ssl = "yes:no:required",
#else
        .ssl = "no:yes:required",
#endif
        .ssl_ca = "",
        .ssl_cert = "",
        .ssl_key = "",
        .ssl_alt_cert = "",
        .ssl_alt_key = "",
        .ssl_key_password = "",
        .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
#ifdef SSL_TXT_SSLV2
        .ssl_protocols = "!SSLv2 !SSLv3",
#else
        .ssl_protocols = "!SSLv3",
#endif
        .ssl_cert_username_field = "commonName",
        .ssl_crypto_device = "",
        .ssl_verify_client_cert = FALSE,
        .ssl_require_crl = TRUE,
        .verbose_ssl = FALSE,
        .ssl_prefer_server_ciphers = FALSE,
        .ssl_options = "",
};

Looks like there's something related in mail/kopano/core.

SSL_TXT_SSLV2 isn't used anywhere in our tree and looking at Debian
codesearch results I think it's safe if we just drop the define as
OpenSSL has also done in 1.1. (I don't think the same is possible for
SSL_TXT_SSLV3 without causing churn).

Alternatively we could patch the ports, but there doesn't seem much
point in that. (Obviously those ports would still need REVISION bumps
in order that users get updated).

OK?

Index: lib/libssl/ssl.h
===================================================================
RCS file: /cvs/src/lib/libssl/ssl.h,v
retrieving revision 1.146
diff -u -p -r1.146 ssl.h
--- lib/libssl/ssl.h    3 Mar 2018 19:58:29 -0000       1.146
+++ lib/libssl/ssl.h    10 Mar 2018 11:18:16 -0000
@@ -300,7 +300,6 @@ extern "C" {
 #define SSL_TXT_STREEBOG512            "STREEBOG512"
 
 #define SSL_TXT_DTLS1          "DTLSv1"
-#define SSL_TXT_SSLV2          "SSLv2"
 #define SSL_TXT_SSLV3          "SSLv3"
 #define SSL_TXT_TLSV1          "TLSv1"
 #define SSL_TXT_TLSV1_1                "TLSv1.1"
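Review bot: the fix only reaches dovecot once its package is rebuilt against the new ssl.h, because the `#ifdef SSL_TXT_SSLV2` in master-service-ssl-settings.c is resolved at compile time and the chosen default string is baked into the binary; so a REVISION bump for mail/dovecot (and mail/kopano/core if it carries the same #ifdef) belongs with this header change too, not only with the patch-the-ports alternative mentioned above. The removal itself is tidy: SSL_TXT_SSLV3, the SSL_TXT_TLSV1* names and SSL_TXT_DTLS1 are left in place, matching the stated intent to drop only the SSLv2 name.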


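To make the failure mode concrete, here is an added illustration (not Dovecot's or LibreSSL's code) of how a defined SSL_TXT_SSLV2 selects a default ssl_protocols string that a strict protocol-name parser then rejects outright. The parser below is a simplified model of Dovecot-style "name" / "!name" handling and the set of known names is an assumption; it is only there to show why the compiled-in default, not a user-supplied one, is what breaks.

```c
/* Added example, not from the mail or from Dovecot/LibreSSL: a simplified
 * model (assumption) of a protocol-string parser that, like the real
 * library, no longer knows the name "SSLv2". */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Protocol names a current libssl still knows. SSLv2 is deliberately
 * absent, modelling a library that has dropped SSL_TXT_SSLV2. */
#define PROTO_SSLV3   0x01
#define PROTO_TLSV1   0x02
#define PROTO_TLSV1_1 0x04
#define PROTO_TLSV1_2 0x08
#define PROTO_ALL (PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2)

static const struct { const char *name; int bit; } known[] = {
    { "SSLv3",   PROTO_SSLV3 },
    { "TLSv1",   PROTO_TLSV1 },
    { "TLSv1.1", PROTO_TLSV1_1 },
    { "TLSv1.2", PROTO_TLSV1_2 },
};

/* Map a protocol name to its bit; 0 means "unknown name". */
static int lookup_protocol(const char *name)
{
    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(known[i].name, name) == 0)
            return known[i].bit;
    return 0;
}

/* The default Dovecot picks at compile time (modelled on the #ifdef in
 * master-service-ssl-settings.c): with SSL_TXT_SSLV2 defined, the string
 * contains "!SSLv2". */
const char *default_protocols(int have_sslv2_txt)
{
    return have_sslv2_txt ? "!SSLv2 !SSLv3" : "!SSLv3";
}

/* Parse a space-separated ssl_protocols string. Names enable a protocol,
 * "!name" excludes one; if only exclusions are given, start from all
 * protocols.  Returns the enabled bitmask, or -1 on any unknown name,
 * which is the "connections fail" outcome the mail describes. */
int parse_protocols(const char *spec)
{
    char *copy = strdup(spec);
    if (copy == NULL)
        return -1;

    int mask = 0, negatives = 0, have_positive = 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, " ", &save); tok != NULL;
         tok = strtok_r(NULL, " ", &save)) {
        int exclude = (tok[0] == '!');
        const char *name = exclude ? tok + 1 : tok;
        int bit = lookup_protocol(name);
        if (bit == 0) {          /* unknown name, e.g. "SSLv2": hard error */
            free(copy);
            return -1;
        }
        if (exclude)
            negatives |= bit;
        else {
            have_positive = 1;
            mask |= bit;
        }
    }
    free(copy);

    if (!have_positive)
        mask = PROTO_ALL;
    return mask & ~negatives;
}

int main(void)
{
    /* With the define present, the compiled-in default cannot be parsed. */
    printf("SSL_TXT_SSLV2 defined:   \"%s\" -> %d\n",
           default_protocols(1), parse_protocols(default_protocols(1)));
    /* With the define dropped, the default parses to TLSv1..TLSv1.2. */
    printf("SSL_TXT_SSLV2 undefined: \"%s\" -> 0x%02x\n",
           default_protocols(0), parse_protocols(default_protocols(0)));
    return 0;
}
```

The point the model makes visible: an explicit `ssl_protocols` line in dovecot.conf never mentions SSLv2, so it parses fine, which is why only installations relying on the compiled-in default see the breakage.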