Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 948408 Details for
Bug 1153041
RFE: backport method to disable SSLv3 or disable SSv3 permanently
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
backported patch
dovecot-2.0.9-sslprot.patch (text/plain), 5.20 KB, created by
Michal Hlavinka
on 2014-10-20 06:24:26 UTC
(
hide
)
Description:
backported patch
Filename:
MIME Type:
Creator:
Michal Hlavinka
Created:
2014-10-20 06:24:26 UTC
Size:
5.20 KB
patch
obsolete
>diff -up dovecot-1.0.7/dovecot-example.conf.sslprot dovecot-1.0.7/dovecot-example.conf >--- dovecot-1.0.7/dovecot-example.conf.sslprot 2014-10-20 00:09:29.678506343 +0200 >+++ dovecot-1.0.7/dovecot-example.conf 2014-10-20 00:09:29.840503239 +0200 >@@ -111,6 +111,9 @@ > # entirely. > #ssl_parameters_regenerate = 168 > >+# SSL protocols to use >+#ssl_protocols = !SSLv2 >+ > # SSL ciphers to use > #ssl_cipher_list = ALL:!LOW > >diff -up dovecot-1.0.7/src/login-common/ssl-proxy-openssl.c.sslprot dovecot-1.0.7/src/login-common/ssl-proxy-openssl.c >--- dovecot-1.0.7/src/login-common/ssl-proxy-openssl.c.sslprot 2007-10-28 02:09:24.000000000 +0200 >+++ dovecot-1.0.7/src/login-common/ssl-proxy-openssl.c 2014-10-20 00:09:29.852503009 +0200 >@@ -667,9 +667,62 @@ unsigned int ssl_proxy_get_count(void) > return ssl_proxies == NULL ? 0 : hash_size(ssl_proxies); > } > >+enum { >+ DOVECOT_SSL_PROTO_SSLv2 = 0x01, >+ DOVECOT_SSL_PROTO_SSLv3 = 0x02, >+ DOVECOT_SSL_PROTO_TLSv1 = 0x04, >+ DOVECOT_SSL_PROTO_ALL = 0x07 >+}; >+ >+static void >+ssl_proxy_ctx_set_protocols(/*struct ssl_server_context *ssl_ctx,*/ >+ const char *protocols) >+{ >+ const char *const *tmp; >+ int proto, op = 0, include = 0, exclude = 0; >+ bool neg; >+ >+ tmp = t_strsplit_spaces(protocols, " "); >+ for (; *tmp != NULL; tmp++) { >+ const char *name = *tmp; >+ >+ if (*name != '!') >+ neg = FALSE; >+ else { >+ name++; >+ neg = TRUE; >+ } >+ if (strcasecmp(name, SSL_TXT_SSLV2) == 0) >+ proto = DOVECOT_SSL_PROTO_SSLv2; >+ else if (strcasecmp(name, SSL_TXT_SSLV3) == 0) >+ proto = DOVECOT_SSL_PROTO_SSLv3; >+ else if (strcasecmp(name, SSL_TXT_TLSV1) == 0) >+ proto = DOVECOT_SSL_PROTO_TLSv1; >+ else { >+ i_fatal("Invalid ssl_protocols setting: " >+ "Unknown protocol '%s'", name); >+ } >+ if (neg) >+ exclude |= proto; >+ else >+ include |= proto; >+ } >+ if (include != 0) { >+ /* exclude everything, except those that are included >+ (and let excludes still override those) */ >+ exclude |= DOVECOT_SSL_PROTO_ALL & ~include; >+ } >+ if ((exclude & DOVECOT_SSL_PROTO_SSLv2) != 0) op |= SSL_OP_NO_SSLv2; >+ if ((exclude & DOVECOT_SSL_PROTO_SSLv3) != 0) op |= SSL_OP_NO_SSLv3; >+ if ((exclude & DOVECOT_SSL_PROTO_TLSv1) != 0) op |= SSL_OP_NO_TLSv1; >+ SSL_CTX_set_options(ssl_ctx, op); >+} >+ >+ >+ > void ssl_proxy_init(void) > { >- const char *cafile, *certfile, *keyfile, *cipher_list; >+ const char *cafile, *certfile, *keyfile, *cipher_list, *protocols; > char *password; > unsigned char buf; > >@@ -694,6 +747,8 @@ void ssl_proxy_init(void) > if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) > i_fatal("SSL_CTX_new() failed"); > >+ protocols = getenv("SSL_PROTOCOLS"); >+ > SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); > > cipher_list = getenv("SSL_CIPHER_LIST"); >@@ -704,6 +759,8 @@ void ssl_proxy_init(void) > cipher_list, ssl_last_error()); > } > >+ ssl_proxy_ctx_set_protocols(protocols); >+ > if (cafile != NULL) { > if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) { > i_fatal("Can't load CA file %s: %s", >diff -up dovecot-1.0.7/src/master/login-process.c.sslprot dovecot-1.0.7/src/master/login-process.c >--- dovecot-1.0.7/src/master/login-process.c.sslprot 2014-10-20 00:09:29.639507090 +0200 >+++ dovecot-1.0.7/src/master/login-process.c 2014-10-20 00:09:29.856502932 +0200 >@@ -546,6 +546,10 @@ static void login_process_init_env(struc > env_put(t_strconcat("SSL_CIPHER_LIST=", > set->ssl_cipher_list, NULL)); > } >+ if (*set->ssl_protocols != '\0') { >+ env_put(t_strconcat("SSL_PROTOCOLS=", >+ set->ssl_protocols, NULL)); >+ } > if (set->ssl_verify_client_cert) > env_put("SSL_VERIFY_CLIENT_CERT=1"); > } >diff -up dovecot-1.0.7/src/master/master-settings.c.sslprot dovecot-1.0.7/src/master/master-settings.c >--- dovecot-1.0.7/src/master/master-settings.c.sslprot 2014-10-20 00:09:29.643507014 +0200 >+++ dovecot-1.0.7/src/master/master-settings.c 2014-10-20 00:09:29.860502855 +0200 >@@ -173,6 +173,7 @@ struct settings default_settings = { > MEMBER(ssl_key_password) "", > MEMBER(ssl_parameters_regenerate) 168, > MEMBER(ssl_cipher_list) "", >+ MEMBER(ssl_protocols) "!SSLv2", > MEMBER(ssl_verify_client_cert) FALSE, > MEMBER(disable_plaintext_auth) FALSE, > MEMBER(verbose_ssl) FALSE, >diff -up dovecot-1.0.7/src/master/master-settings-defs.c.sslprot dovecot-1.0.7/src/master/master-settings-defs.c >--- dovecot-1.0.7/src/master/master-settings-defs.c.sslprot 2014-10-20 00:11:10.593572486 +0200 >+++ dovecot-1.0.7/src/master/master-settings-defs.c 2014-10-20 00:11:10.645571490 +0200 >@@ -23,6 +23,7 @@ static struct setting_def setting_defs[] > DEF(SET_STR, ssl_key_password), > DEF(SET_INT, ssl_parameters_regenerate), > DEF(SET_STR, ssl_cipher_list), >+ DEF(SET_STR, ssl_protocols), > DEF(SET_BOOL, ssl_verify_client_cert), > DEF(SET_BOOL, disable_plaintext_auth), > DEF(SET_BOOL, verbose_ssl), >diff -up dovecot-1.0.7/src/master/master-settings.h.sslprot dovecot-1.0.7/src/master/master-settings.h >--- dovecot-1.0.7/src/master/master-settings.h.sslprot 2014-10-20 00:09:29.777504446 +0200 >+++ dovecot-1.0.7/src/master/master-settings.h 2014-10-20 00:09:29.864502779 +0200 >@@ -33,6 +33,7 @@ struct settings { > const char *ssl_key_password; > unsigned int ssl_parameters_regenerate; > const char *ssl_cipher_list; >+ const char *ssl_protocols; > bool ssl_verify_client_cert; > bool disable_plaintext_auth; > bool verbose_ssl;
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1153041
:
948408
|
948410
|
976640