SSL_TXT_SSLV2

Stuart Henderson
mail/dovecot's default config has a problem because SSL_TXT_SSLV2
is defined but SSLv2 is not allowed in a protocol string. End result
is that unless you specify your own ssl_protocols line, Dovecot will
start but client connections will fail. (I ran into this after updating
an oldish mail server).

dovecot: src/lib-master/master-service-ssl-settings.c
static const struct master_service_ssl_settings master_service_ssl_default_settings = {
#ifdef HAVE_SSL
	.ssl = "yes:no:required",
#else
	.ssl = "no:yes:required",
#endif
	.ssl_ca = "",
	.ssl_cert = "",
	.ssl_key = "",
	.ssl_alt_cert = "",
	.ssl_alt_key = "",
	.ssl_key_password = "",
	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
#ifdef SSL_TXT_SSLV2
	.ssl_protocols = "!SSLv2 !SSLv3",
#else
	.ssl_protocols = "!SSLv3",
#endif
	.ssl_cert_username_field = "commonName",
	.ssl_crypto_device = "",
	.ssl_verify_client_cert = FALSE,
	.ssl_require_crl = TRUE,
	.verbose_ssl = FALSE,
	.ssl_prefer_server_ciphers = FALSE,
	.ssl_options = "",
};

Looks like there's something related in mail/kopano/core.

SSL_TXT_SSLV2 isn't used anywhere in our tree and looking at Debian
codesearch results I think it's safe if we just drop the define as
OpenSSL has also done in 1.1. (I don't think the same is possible for
SSL_TXT_SSLV3 without causing churn).

Alternatively we could patch the ports, but there doesn't seem much
point in that. (Obviously those ports would still need REVISION bumps
in order that users get updated).

OK?

Index: lib/libssl/ssl.h
===================================================================
RCS file: /cvs/src/lib/libssl/ssl.h,v
retrieving revision 1.146
diff -u -p -r1.146 ssl.h
--- lib/libssl/ssl.h 3 Mar 2018 19:58:29 -0000 1.146
+++ lib/libssl/ssl.h 10 Mar 2018 11:18:16 -0000
@@ -300,7 +300,6 @@ extern "C" {
 #define SSL_TXT_STREEBOG512 "STREEBOG512"
 
 #define SSL_TXT_DTLS1 "DTLSv1"
-#define SSL_TXT_SSLV2 "SSLv2"
 #define SSL_TXT_SSLV3 "SSLv3"
 #define SSL_TXT_TLSV1 "TLSv1"
 #define SSL_TXT_TLSV1_1 "TLSv1.1"
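Review bot: the `-#define SSL_TXT_SSLV2 "SSLv2"` line removes a macro from the public ssl.h, so this is a source-visible API change and the commit message should say so explicitly (and point at the OpenSSL 1.1 precedent the mail mentions), because third-party code that uses SSL_TXT_SSLV2 unconditionally will now stop compiling rather than misbehaving at runtime. That is the right trade: code that guards on the macro, as Dovecot's `#ifdef SSL_TXT_SSLV2` default does, silently falls through to the `"!SSLv3"` branch, which is exactly the behaviour wanted here. SSL_TXT_SSLV3 and the TLS names stay defined in the same block, so the hunk changes nothing for protocol strings that only mention those; the REVISION bumps for mail/dovecot and mail/kopano/core mentioned above still need to go in together with this change so that already-built packages pick up the new default.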


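The failure described in the post is that a protocol string is only valid if every name in it is one the TLS library knows, so a default of "!SSLv2 !SSLv3" is rejected as soon as "SSLv2" is no longer a known name, while the `#ifdef SSL_TXT_SSLV2` guard picks "!SSLv3" once the macro is gone. The following program is an added illustration of that mechanism, not Dovecot's or LibreSSL's code: the `NO_*` bits are hypothetical stand-ins for the library's per-version disable options, `KNOWS_SSLV2` stands in for SSL_TXT_SSLV2 being defined (build with `-DKNOWS_SSLV2` to model the old header), and `parse_protocols` is a simplified parser with the semantics the post implies (a bare name whitelists versions, a "!name" forbids one, an unknown name is an error).

```c
/*
 * Added illustration (not Dovecot's or LibreSSL's code): a protocol
 * list such as "!SSLv2 !SSLv3" is only valid when the library knows the
 * name "SSLv2".  KNOWS_SSLV2 models SSL_TXT_SSLV2 being defined; the
 * NO_* bits are hypothetical stand-ins for SSL_OP_NO_*-style options.
 */
#include <stdio.h>
#include <string.h>

#define NO_SSLV2   0x01u
#define NO_SSLV3   0x02u
#define NO_TLSV1   0x04u
#define NO_TLSV1_1 0x08u
#define NO_TLSV1_2 0x10u

struct proto_name {
	const char *name;
	unsigned    no_bit;   /* bit that disables this version */
};

/* Versions the modelled library can name (compile with -DKNOWS_SSLV2
 * to model a header that still defines SSL_TXT_SSLV2). */
static const struct proto_name known_protocols[] = {
#ifdef KNOWS_SSLV2
	{ "SSLv2",   NO_SSLV2 },
#endif
	{ "SSLv3",   NO_SSLV3 },
	{ "TLSv1",   NO_TLSV1 },
	{ "TLSv1.1", NO_TLSV1_1 },
	{ "TLSv1.2", NO_TLSV1_2 },
};
#define N_KNOWN (sizeof(known_protocols) / sizeof(known_protocols[0]))

/* Same guard pattern as the Dovecot default quoted in the post: once the
 * library stops naming SSLv2, "!SSLv2" drops out of the default too. */
#ifdef KNOWS_SSLV2
const char default_protocols[] = "!SSLv2 !SSLv3";
#else
const char default_protocols[] = "!SSLv3";
#endif

/* Parse a space-separated list: "name" allows only the named versions,
 * "!name" forbids one.  On success returns 0 and the mask of disabled
 * versions; returns -1 with a message in errbuf on an unknown name. */
int parse_protocols(const char *list, unsigned *disabled_r,
		    char *errbuf, size_t errlen)
{
	unsigned all = 0, enabled = 0, disabled = 0;
	int have_positive = 0;
	const char *p = list;

	for (size_t i = 0; i < N_KNOWN; i++)
		all |= known_protocols[i].no_bit;

	while (*p != '\0') {
		while (*p == ' ')
			p++;
		if (*p == '\0')
			break;
		const char *tok = p;
		while (*p != '\0' && *p != ' ')
			p++;
		size_t len = (size_t)(p - tok);
		int negate = (len > 0 && tok[0] == '!');
		if (negate) {
			tok++;
			len--;
		}
		unsigned bit = 0;
		for (size_t i = 0; i < N_KNOWN; i++) {
			if (strlen(known_protocols[i].name) == len &&
			    memcmp(known_protocols[i].name, tok, len) == 0) {
				bit = known_protocols[i].no_bit;
				break;
			}
		}
		if (bit == 0) {
			snprintf(errbuf, errlen, "unknown protocol: %.*s",
				 (int)len, tok);
			return -1;
		}
		if (negate)
			disabled |= bit;
		else {
			enabled |= bit;
			have_positive = 1;
		}
	}
	/* A positive list is a whitelist: everything not named is off. */
	if (have_positive)
		disabled |= all & ~enabled;
	*disabled_r = disabled;
	return 0;
}

/* Disable mask for a list, or ~0u if the list is rejected. */
unsigned protocols_mask(const char *list)
{
	unsigned mask;
	char err[64];

	if (parse_protocols(list, &mask, err, sizeof(err)) < 0) {
		fprintf(stderr, "%s: %s\n", list, err);
		return ~0u;
	}
	return mask;
}

int main(void)
{
	const char *lists[] = { "!SSLv2 !SSLv3", "TLSv1.2", default_protocols };
	for (size_t i = 0; i < 3; i++) {
		unsigned m = protocols_mask(lists[i]);
		if (m == ~0u)
			printf("%-14s rejected\n", lists[i]);
		else
			printf("%-14s disabled mask 0x%02x\n", lists[i], m);
	}
	return 0;
}
```

Built without `-DKNOWS_SSLV2`, the literal "!SSLv2 !SSLv3" is rejected while `default_protocols` (now "!SSLv3") parses cleanly, which is the effect the ssl.h change has on Dovecot's default. The practical check on a server that has an explicit `ssl_protocols` line is `doveconf -n`, which prints the effective value; a server still running a build with the old default and no override of its own is the case the post describes.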
Re: SSL_TXT_SSLV2

Jeremie Courreges-Anglas
On Sat, Mar 10 2018, Stuart Henderson <[hidden email]> wrote:

> mail/dovecot's default config has a problem because SSL_TXT_SSLV2
> is defined but SSLv2 is not allowed in a protocol string. End result
> is that unless you specify your own ssl_protocols line, Dovecot will
> start but client connections will fail. (I ran into this after updating
> an oldish mail server).
>
> dovecot: src/lib-master/master-service-ssl-settings.c
> static const struct master_service_ssl_settings master_service_ssl_default_settings = {
> #ifdef HAVE_SSL
> 	.ssl = "yes:no:required",
> #else
> 	.ssl = "no:yes:required",
> #endif
> 	.ssl_ca = "",
> 	.ssl_cert = "",
> 	.ssl_key = "",
> 	.ssl_alt_cert = "",
> 	.ssl_alt_key = "",
> 	.ssl_key_password = "",
> 	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> #ifdef SSL_TXT_SSLV2
> 	.ssl_protocols = "!SSLv2 !SSLv3",
> #else
> 	.ssl_protocols = "!SSLv3",
> #endif
> 	.ssl_cert_username_field = "commonName",
> 	.ssl_crypto_device = "",
> 	.ssl_verify_client_cert = FALSE,
> 	.ssl_require_crl = TRUE,
> 	.verbose_ssl = FALSE,
> 	.ssl_prefer_server_ciphers = FALSE,
> 	.ssl_options = "",
> };
>
> Looks like there's something related in mail/kopano/core.
>
> SSL_TXT_SSLV2 isn't used anywhere in our tree and looking at Debian
> codesearch results I think it's safe if we just drop the define as
> OpenSSL has also done in 1.1. (I don't think the same is possible for
> SSL_TXT_SSLV3 without causing churn).
>
> Alternatively we could patch the ports, but there doesn't seem much
> point in that. (Obviously those ports would still need REVISION bumps
> in order that users get updated).
>
> OK?

I don't see the point of keeping it.  The code in kopano seems to be
able to cope.  ok jca@

> Index: lib/libssl/ssl.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/ssl.h,v
> retrieving revision 1.146
> diff -u -p -r1.146 ssl.h
> --- lib/libssl/ssl.h 3 Mar 2018 19:58:29 -0000 1.146
> +++ lib/libssl/ssl.h 10 Mar 2018 11:18:16 -0000
> @@ -300,7 +300,6 @@ extern "C" {
>  #define SSL_TXT_STREEBOG512 "STREEBOG512"
>  
>  #define SSL_TXT_DTLS1 "DTLSv1"
> -#define SSL_TXT_SSLV2 "SSLv2"
>  #define SSL_TXT_SSLV3 "SSLv3"
>  #define SSL_TXT_TLSV1 "TLSv1"
>  #define SSL_TXT_TLSV1_1 "TLSv1.1"
>
>

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE