[opensuse-factory] Fun with dovecot and openssl 1.1
Hello,

openssl 1.1 brought some fun with dovecot:

dovecot[4381]: lmtp(19209): Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'

The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:

ssl_protocols = !SSLv2 !SSLv3

Looks like support for SSLv2 was removed from openssl 1.1 completely (not a bad move, it's been known to be insecure for years) - but no longer recognizing it as an excluded protocol is (at least) a bit annoying ;-)

After removing the !SSLv2 part, dovecot starts again.

I'm not sure if this is worth a bugreport on the openssl side, or if it will be closed as "works as designed" instantly. OTOH, the line I quoted matches the default dovecot config, so if this change is intentional on the openssl side, the default config needs to be updated.

So - who should receive a bugreport? openssl for breaking backward compatibility, or dovecot to adjust the default config?

Regards,

Christian Boltz
--
Reason why a bot: the bot is just less 'stressed' and makes fewer mistakes for such obvious things. And people can discuss with the bot as much as they want. [Dominique Leuenberger in opensuse-packaging]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sunday 2017-12-03 00:42, Christian Boltz wrote:
The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols = !SSLv2 !SSLv3
Looks like support for SSLv2 was removed from openssl 1.1 completely (not a bad move, it's been known to be insecure for years) - but no longer recognizing it as an excluded protocol is (at least) a bit annoying ;-)
So - who should receive a bugreport? openssl for breaking backward compatibility, or dovecot to adjust the default config?
Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue the fault lies with the application. Compare this (non-dovecot) sample exhibiting the same issue:

https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L...

Note the distinct lack of a

#else
	else if (strcasecmp(ssl_name, "SSLv2") == 0) {
		ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
		continue;
	}
#endif

section that would have addressed the issue one way or another.
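The pattern Jan describes, shown as an added example written for this page (it is not dovecot's, Kopano's or OpenSSL's code): a small C parser for an "ssl_protocols = !SSLv2 !SSLv3" style setting that treats the exclusion of a protocol the library has since dropped as a harmless no-op, while still failing loudly on a typo such as "!SLv3" or on a request to enable a removed protocol. The P_* bits, the HAVE_SSLV2 switch and the retired[] table are assumptions standing in for OpenSSL's SSL_OP_NO_* flags and the SSL_TXT_SSLV2 macro that OpenSSL 1.1 removed; the sample settings in main() are constructed, the first one being the dovecot default quoted in the thread.

```c
/* Added example for this thread (not dovecot, Kopano or OpenSSL code): parse an
 * "ssl_protocols = !SSLv2 !SSLv3" style setting so that excluding a protocol
 * the library has dropped is a no-op, while typos and requests to enable a
 * dropped protocol still fail. P_*, HAVE_SSLV2 and retired[] are assumptions
 * standing in for SSL_OP_NO_* and the SSL_TXT_SSLV2 macro OpenSSL 1.1 removed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define P_SSLV2   0x01u            /* assumed values, not OpenSSL's */
#define P_SSLV3   0x02u
#define P_TLSV1   0x04u
#define P_TLSV1_1 0x08u
#define P_TLSV1_2 0x10u

struct proto { const char *name; unsigned bit; };
/* What the linked library can negotiate; HAVE_SSLV2 undefined mirrors 1.1. */
static const struct proto known[] = {
#ifdef HAVE_SSLV2
    { "SSLv2", P_SSLV2 },
#endif
    { "SSLv3", P_SSLV3 }, { "TLSv1", P_TLSV1 },
    { "TLSv1.1", P_TLSV1_1 }, { "TLSv1.2", P_TLSV1_2 },
};
#define NKNOWN (sizeof known / sizeof known[0])
/* Names the library used to know: "!name" is a tolerated no-op, "name" is not. */
static const char *const retired[] = {
#ifndef HAVE_SSLV2
    "SSLv2",
#endif
    NULL
};

static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

static const struct proto *lookup(const char *name) {
    for (size_t i = 0; i < NKNOWN; i++)
        if (name_eq(known[i].name, name)) return &known[i];
    return NULL;
}

static int is_retired(const char *name) {
    for (size_t i = 0; retired[i] != NULL; i++)
        if (name_eq(retired[i], name)) return 1;
    return 0;
}

/* Returns 0 with *enabled = bitmask of protocols left on and *ignored = number
 * of retired-protocol exclusions accepted as no-ops; -1 with a message in err
 * for anything the admin must hear about. */
int parse_ssl_protocols(const char *setting, unsigned *enabled, int *ignored,
                        char *err, size_t errlen) {
    char buf[256];
    unsigned all = 0, include = 0, exclude = 0;
    int have_include = 0;

    *enabled = 0; *ignored = 0;
    for (size_t i = 0; i < NKNOWN; i++) all |= known[i].bit;
    if (strlen(setting) >= sizeof buf) { snprintf(err, errlen, "setting too long"); return -1; }
    strcpy(buf, setting);

    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        int negate = (tok[0] == '!');
        const char *name = negate ? tok + 1 : tok;
        const struct proto *p = lookup(name);
        if (p != NULL) {
            if (negate) exclude |= p->bit;
            else { include |= p->bit; have_include = 1; }
        } else if (negate && is_retired(name)) {
            (*ignored)++;                    /* library cannot speak it anyway */
        } else {
            /* A typo like "!SLv3" would silently leave SSLv3 on, and a bare
             * "SSLv2" cannot be honoured: both must fail loudly, as dovecot did. */
            snprintf(err, errlen, "Unknown protocol '%s'", name);
            return -1;
        }
    }
    *enabled = (have_include ? include : all) & ~exclude;
    if (*enabled == 0) { snprintf(err, errlen, "no protocol left enabled"); return -1; }
    return 0;
}

int main(void) {
    /* constructed sample settings; the first is the dovecot default from the thread */
    const char *samples[] = { "!SSLv2 !SSLv3", "!SLv3", "SSLv2 TLSv1.2", "TLSv1.2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned enabled; int ignored; char err[128];
        if (parse_ssl_protocols(samples[i], &enabled, &ignored, err, sizeof err) == 0)
            printf("%-14s -> enabled 0x%02x, %d exclusion(s) ignored\n", samples[i], enabled, ignored);
        else
            printf("%-14s -> Fatal: Invalid ssl_protocols setting: %s\n", samples[i], err);
    }
    return 0;
}
```

The design point is the explicit retired[] list: simply swallowing every unknown "!name" would also keep old configs loading, but it would hide a misspelled exclusion and leave the protocol the admin meant to turn off still enabled, which is worse than the startup failure the thread complains about. Enabling a name the library cannot provide is rejected for the same reason: the server would otherwise run with a protocol set the admin did not ask for.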
On Sun, Dec 03, 2017 at 12:53:41AM +0100, Jan Engelhardt wrote:
On Sunday 2017-12-03 00:42, Christian Boltz wrote:
The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols = !SSLv2 !SSLv3
Looks like support for SSLv2 was removed from openssl 1.1 completely (not a bad move, it's been known to be insecure for years) - but no longer recognizing it as an excluded protocol is (at least) a bit annoying ;-)
So - who should receive a bugreport? openssl for breaking backward compatibility, or dovecot to adjust the default config?
Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue the fault lies with the application. Compare this (non-dovecot) sample exhibiting the same issue:
https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L...
Note the distinct lack of a
#else
	else if (strcasecmp(ssl_name, "SSLv2") == 0) {
		ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
		continue;
	}
#endif
section that would have addressed the issue one way or another.
This needs either a bugreport and/or a fix submission please.

Ciao, Marcus
On Sunday 3 December 2017 09:11:48 CET, Marcus Meissner wrote:
On Sun, Dec 03, 2017 at 12:53:41AM +0100, Jan Engelhardt wrote:
On Sunday 2017-12-03 00:42, Christian Boltz wrote:
The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols = !SSLv2 !SSLv3
Looks like support for SSLv2 was removed from openssl 1.1 completely (not a bad move, it's been known to be insecure for years) - but no longer recognizing it as an excluded protocol is (at least) a bit annoying ;-)
So - who should receive a bugreport? openssl for breaking backward compatibility, or dovecot to adjust the default config?
Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue the fault lies with the application. Compare this (non-dovecot) sample exhibiting the same issue:
https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L127
Note the distinct lack of a
#else
else if (strcasecmp(ssl_name, "SSLv2") == 0) {
ec_log_debug("OpenSSL does not know about SSLv2, and I don't either"); continue;
}
#endif
section that would have addressed the issue one way or another.
This needs either a bugreport and/or a fix submission please.
Cioa, Marcus
Bug report already in https://bugzilla.opensuse.org/show_bug.cgi?id=1070761

Kind regards,

Freek de Kruijf
member openSUSE
participants (4)
- Christian Boltz
- Freek de Kruijf
- Jan Engelhardt
- Marcus Meissner