Mailinglist Archive: opensuse-factory (454 mails)

Re: [opensuse-factory] Fun with dovecot and openssl 1.1
  • From: Freek de Kruijf <freek@xxxxxxxxxxxx>
  • Date: Sun, 03 Dec 2017 16:59:38 +0100
  • Message-id: <1776154.3tXPz1LuGo@eiktum>
On Sunday 3 December 2017 09:11:48 CET, Marcus Meissner wrote:
On Sun, Dec 03, 2017 at 12:53:41AM +0100, Jan Engelhardt wrote:
On Sunday 2017-12-03 00:42, Christian Boltz wrote:
The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols = !SSLv2 !SSLv3

Looks like support for SSLv2 was removed from openssl 1.1 completely
(not a bad move, it has been known to be insecure for years) - but no longer
recognizing it as an excluded protocol is (at least) a bit annoying ;-)

So - who should receive a bugreport? openssl for breaking backward
compatibility, or dovecot to adjust the default config?

Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue
the fault lies with the application. Compare this (non-dovecot) sample
exhibiting the same issue:

https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L127

Note the distinct lack of a

    #else
        else if (strcasecmp(ssl_name, "SSLv2") == 0) {
            ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
            continue;
        }
    #endif

section that would have addressed the issue one way or another.

This needs either a bugreport and/or a fix submission please.

Ciao, Marcus

Bug report already in https://bugzilla.opensuse.org/show_bug.cgi?id=1070761

--
fr.gr.

Freek de Kruijf
member open SUSE
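
The behaviour discussed in this thread, as an added example that is not code from the original mails, dovecot or Kopano: a protocol-list parser that accepts "!SSLv2" as a no-op when the TLS library no longer knows SSLv2, but refuses to enable a removed or misspelled protocol. The bit values, table contents and the rule that an exclusions-only list starts from all known protocols are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits for this example (not OpenSSL's SSL_OP_* values). */
enum { P_SSLV3 = 1, P_TLS10 = 2, P_TLS11 = 4, P_TLS12 = 8, P_ALL = 15 };
/* Assumed set of protocols the linked TLS library still implements. */
static const struct { const char *name; unsigned bit; } known[] = {
    {"SSLv3", P_SSLV3}, {"TLSv1", P_TLS10}, {"TLSv1.1", P_TLS11}, {"TLSv1.2", P_TLS12},
};
/* Names that were once valid but are gone from the library, as SSLv2 is in OpenSSL 1.1. */
static const char *const removed[] = { "SSLv2" };

/* Case-insensitive match of the len-byte token against a NUL-terminated name. */
static int name_eq(const char *tok, size_t len, const char *name)
{
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Parse e.g. "!SSLv2 !SSLv3". Returns 0 and sets *enabled, or -1 on a bad entry. */
int parse_protocols(const char *spec, unsigned *enabled)
{
    unsigned include = 0, exclude = 0;
    for (const char *p = spec + strspn(spec, " \t"); *p; p += strspn(p, " \t")) {
        int neg = (*p == '!'), hit = 0;
        const char *name = p + neg;
        size_t len = strcspn(name, " \t");
        p = name + len;
        for (size_t i = 0; i < sizeof known / sizeof known[0] && !hit; i++)
            if ((hit = name_eq(name, len, known[i].name)))
                *(neg ? &exclude : &include) |= known[i].bit;
        /* Excluding a removed protocol is a no-op: it cannot be negotiated anyway. */
        for (size_t i = 0; neg && i < sizeof removed / sizeof removed[0] && !hit; i++)
            hit = name_eq(name, len, removed[i]);
        if (!hit) return -1;   /* enabling a removed protocol, or a typo: fail closed */
    }
    if (include == 0) include = P_ALL;   /* only exclusions given: start from all known */
    *enabled = include & ~exclude;
    return 0;
}

int main(void)
{
    unsigned e = 0;
    int rc = parse_protocols("!SSLv2 !SSLv3", &e);   /* the config line quoted above */
    printf("rc=%d enabled=0x%x\n", rc, e);
    return rc != 0;
}
```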
