Red Hat Bugzilla – Attachment 948410 Details for
Bug 1153041
RFE: backport method to disable SSLv3 or disable SSv3 permanently
[patch]
backported patch v2
dovecot-2.0.9-sslprot.patch (text/plain), 5.65 KB, created by
Michal Hlavinka
on 2014-10-20 06:45:39 UTC
Description:
backported patch v2
Filename:
MIME Type:
Creator:
Michal Hlavinka
Created:
2014-10-20 06:45:39 UTC
Size:
5.65 KB
patch
obsolete
>diff -up dovecot-2.0.9/doc/example-config/conf.d/10-ssl.conf.sslprot dovecot-2.0.9/doc/example-config/conf.d/10-ssl.conf
>--- dovecot-2.0.9/doc/example-config/conf.d/10-ssl.conf.sslprot 2010-04-12 18:14:53.000000000 +0200
>+++ dovecot-2.0.9/doc/example-config/conf.d/10-ssl.conf 2014-10-19 21:56:55.015443785 +0200
>@@ -37,5 +37,8 @@ ssl_key = </etc/ssl/private/dovecot.pem
> # entirely.
> #ssl_parameters_regenerate = 168
> 
>+# SSL protocols to use
>+#ssl_protocols = !SSLv2
>+
> # SSL ciphers to use
> #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>diff -up dovecot-2.0.9/src/login-common/login-settings.c.sslprot dovecot-2.0.9/src/login-common/login-settings.c
>--- dovecot-2.0.9/src/login-common/login-settings.c.sslprot 2014-10-19 21:58:25.037741296 +0200
>+++ dovecot-2.0.9/src/login-common/login-settings.c 2014-10-19 21:58:25.087740350 +0200
>@@ -32,6 +32,7 @@ static const struct setting_define login
> DEF(SET_STR, ssl_key_password),
> DEF(SET_STR, ssl_parameters_file),
> DEF(SET_STR, ssl_cipher_list),
>+ DEF(SET_STR, ssl_protocols),
> DEF(SET_STR, ssl_cert_username_field),
> DEF(SET_BOOL, ssl_verify_client_cert),
> DEF(SET_BOOL, auth_ssl_require_client_cert),
>@@ -61,6 +62,7 @@ static const struct login_settings login
> .ssl_key = "",
> .ssl_key_password = "",
> .ssl_parameters_file = "ssl-parameters.dat",
>+ .ssl_protocols = "!SSLv2",
> .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
> .ssl_cert_username_field = "commonName",
> .ssl_verify_client_cert = FALSE,
>diff -up dovecot-2.0.9/src/login-common/login-settings.h.sslprot dovecot-2.0.9/src/login-common/login-settings.h
>--- dovecot-2.0.9/src/login-common/login-settings.h.sslprot 2014-10-19 21:59:15.133793886 +0200
>+++ dovecot-2.0.9/src/login-common/login-settings.h 2014-10-19 21:59:15.189792827 +0200
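Review bot: The new example-config comment `# SSL protocols to use` in 10-ssl.conf does not tell an administrator what the setting accepts; the parser added to ssl-proxy-openssl.c in this same patch recognises only the names SSLv2, SSLv3 and TLSv1, space-separated, a leading `!` excludes a protocol, and naming any protocol without `!` turns the list into an allow-list. Since this bug exists to let SSLv3 be disabled, the example should show that form so the recommended configuration is discoverable. I would replace the two added lines with `# SSL protocols to use: space separated SSLv2/SSLv3/TLSv1, prefix ! to disable, e.g. !SSLv2 !SSLv3` followed by the unchanged `#ssl_protocols = !SSLv2`. The default in login-settings.c (`.ssl_protocols = "!SSLv2"`) keeps SSLv3 enabled, which is consistent with the previous behaviour but worth stating in the comment as well.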
>@@ -14,6 +14,7 @@ struct login_settings {
> const char *ssl_key_password;
> const char *ssl_parameters_file;
> const char *ssl_cipher_list;
>+ const char *ssl_protocols;
> const char *ssl_cert_username_field;
> bool ssl_verify_client_cert;
> bool auth_ssl_require_client_cert;
>diff -up dovecot-2.0.9/src/login-common/ssl-proxy-openssl.c.sslprot dovecot-2.0.9/src/login-common/ssl-proxy-openssl.c
>--- dovecot-2.0.9/src/login-common/ssl-proxy-openssl.c.sslprot 2014-10-19 22:00:35.044282630 +0200
>+++ dovecot-2.0.9/src/login-common/ssl-proxy-openssl.c 2014-10-19 22:07:58.117903285 +0200
>@@ -88,6 +88,7 @@ struct ssl_server_context {
> const char *key;
> const char *ca;
> const char *cipher_list;
>+ const char *protocols;
> bool verify_client_cert;
> };
> 
>@@ -136,6 +137,8 @@ static int ssl_server_context_cmp(const
> return 1;
> if (null_strcmp(ctx1->cipher_list, ctx2->cipher_list) != 0)
> return 1;
>+ if (null_strcmp(ctx1->protocols, ctx2->protocols) != 0)
>+ return 1;
> 
> return ctx1->verify_client_cert == ctx2->verify_client_cert ? 0 : 1;
> }
>@@ -603,6 +606,7 @@ ssl_server_context_get(const struct logi
> lookup_ctx.key = set->ssl_key;
> lookup_ctx.ca = set->ssl_ca;
> lookup_ctx.cipher_list = set->ssl_cipher_list;
>+ lookup_ctx.protocols = set->ssl_protocols;
> lookup_ctx.verify_client_cert = set->ssl_verify_client_cert;
> 
> ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
>@@ -1005,7 +1009,8 @@ ssl_proxy_ctx_init(SSL_CTX *ssl_ctx, con
> X509_STORE *store;
> STACK_OF(X509_NAME) *xnames = NULL;
> 
>- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>+ /* enable all SSL workarounds */
>+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
> if (*set->ssl_ca != '\0') {
> /* set trusted CA certs */
> store = SSL_CTX_get_cert_store(ssl_ctx);
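Review bot: The hunk at ssl_proxy_ctx_init drops the unconditional `SSL_OP_NO_SSLv2`, so SSLv2 is now disabled only while the configured ssl_protocols string happens to exclude it; an administrator who sets `ssl_protocols = !SSLv3` in response to this bug, or an empty value, silently re-enables SSLv2 on the server context, which is a regression from the previous hard-coded behaviour. The default cipher list's `!SSLv2` presumably makes such a handshake fail anyway, but that string is equally admin-editable, so I would not rely on it. I would keep `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);` here, or alternatively initialise `op = SSL_OP_NO_SSLv2` in the new ssl_proxy_ctx_set_protocols so the exclusion cannot be configured away; the same point applies to the later hunk that adds that function. ssl_proxy_ctx_init's body continues outside the hunk.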
>@@ -1172,6 +1177,57 @@ static void ssl_servername_callback(SSL
> }
> #endif
> 
>+enum {
>+ DOVECOT_SSL_PROTO_SSLv2 = 0x01,
>+ DOVECOT_SSL_PROTO_SSLv3 = 0x02,
>+ DOVECOT_SSL_PROTO_TLSv1 = 0x04,
>+ DOVECOT_SSL_PROTO_ALL = 0x07
>+};
>+
>+static void
>+ssl_proxy_ctx_set_protocols(struct ssl_server_context *ssl_ctx,
>+ const char *protocols)
>+{
>+ const char *const *tmp;
>+ int proto, op = 0, include = 0, exclude = 0;
>+ bool neg;
>+
>+ tmp = t_strsplit_spaces(protocols, " ");
>+ for (; *tmp != NULL; tmp++) {
>+ const char *name = *tmp;
>+
>+ if (*name != '!')
>+ neg = FALSE;
>+ else {
>+ name++;
>+ neg = TRUE;
>+ }
>+ if (strcasecmp(name, SSL_TXT_SSLV2) == 0)
>+ proto = DOVECOT_SSL_PROTO_SSLv2;
>+ else if (strcasecmp(name, SSL_TXT_SSLV3) == 0)
>+ proto = DOVECOT_SSL_PROTO_SSLv3;
>+ else if (strcasecmp(name, SSL_TXT_TLSV1) == 0)
>+ proto = DOVECOT_SSL_PROTO_TLSv1;
>+ else {
>+ i_fatal("Invalid ssl_protocols setting: "
>+ "Unknown protocol '%s'", name);
>+ }
>+ if (neg)
>+ exclude |= proto;
>+ else
>+ include |= proto;
>+ }
>+ if (include != 0) {
>+ /* exclude everything, except those that are included
>+ (and let excludes still override those) */
>+ exclude |= DOVECOT_SSL_PROTO_ALL & ~include;
>+ }
>+ if ((exclude & DOVECOT_SSL_PROTO_SSLv2) != 0) op |= SSL_OP_NO_SSLv2;
>+ if ((exclude & DOVECOT_SSL_PROTO_SSLv3) != 0) op |= SSL_OP_NO_SSLv3;
>+ if ((exclude & DOVECOT_SSL_PROTO_TLSv1) != 0) op |= SSL_OP_NO_TLSv1;
>+ SSL_CTX_set_options(ssl_ctx->ctx, op);
>+}
>+
> static struct ssl_server_context *
> ssl_server_context_init(const struct login_settings *set)
> {
>@@ -1187,6 +1243,7 @@ ssl_server_context_init(const struct log
> ctx->key = p_strdup(pool, set->ssl_key);
> ctx->ca = p_strdup(pool, set->ssl_ca);
> ctx->cipher_list = p_strdup(pool, set->ssl_cipher_list);
>+ ctx->protocols = p_strdup(pool, set->ssl_protocols);
> ctx->verify_client_cert = set->ssl_verify_client_cert;
> 
> ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
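Review bot: In the new ssl_proxy_ctx_set_protocols, `proto` is assigned only on the three recognised names and is read after the unknown-name branch, so the function is well-defined only because i_fatal() never returns; if it is not declared noreturn in this tree, compilers will warn about a possibly uninitialised read, and writing `int proto = 0, op = 0, include = 0, exclude = 0;` makes the intent explicit either way. The function also has no header comment describing the list syntax it enforces; I would add one above `static void` stating that `protocols` is a space-separated list of SSLv2/SSLv3/TLSv1 names, that a leading `!` excludes a protocol, that naming any protocol without `!` excludes every unnamed one, and that an empty list disables nothing (SSL_CTX_set_options() is then called with 0). Only the names OpenSSL exposes as SSL_TXT_SSLV2/SSLV3/TLSV1 are accepted, so on an OpenSSL that supports TLS 1.1/1.2 those versions presumably cannot be toggled individually — worth noting in that comment too. As a style point, the three `if (...) op |= ...;` lines put the body on the same line as the condition, unlike the rest of the function.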
>@@ -1198,6 +1255,7 @@ ssl_server_context_init(const struct log
> i_fatal("Can't set cipher list to '%s': %s",
> ctx->cipher_list, ssl_last_error());
> }
>+ ssl_proxy_ctx_set_protocols(ctx, ctx->protocols);
> 
> if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
> i_fatal("Can't load ssl_cert: %s",
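Review bot: The new ssl_proxy_ctx_set_protocols call is added only here in ssl_server_context_init, so any other SSL_CTX this file prepares through ssl_proxy_ctx_init (a client-side context for proxied connections, if this version has one) never has ssl_protocols applied and, after the earlier hunk, also lost the built-in SSLv2 exclusion. Because the helper takes a `struct ssl_server_context *` only to reach `->ctx`, I would declare it as `ssl_proxy_ctx_set_protocols(SSL_CTX *ssl_ctx, const char *protocols)`, call it here as `ssl_proxy_ctx_set_protocols(ctx->ctx, ctx->protocols);`, and invoke it wherever ssl_proxy_ctx_init is called. ssl_server_context_init starts in the previous hunk and continues past the end of this one.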