Description of problem:
This patch breaks connections from some clients to dovecot or sendmail.
After I implemented the above patch, 2-3 of my customers complained about not being able to connect to the server (Outlook gives an error that the server does not support the encryption method). So I had to reverse it.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install openssl-1.0.1h version
2. Restart sendmail and dovecot
3. openssl s_client -ssl3 -connect xxx.yyy.com:995
4. openssl s_client -ssl3 -connect xxx.yyy.com:25 -starttls smtp
5. Connection fails with handshake failure
6. Works if the -ssl3 argument is removed from the above
Results are as expected but see below.
Results are as expected, but the question is: is the patch really required?
Why not allow the calling program to decide whether SSLv2 or SSLv3 should be disabled or not?
Disabling SSLv2 is probably ok, but at least SSLv3 should not be disabled by default.
The question is why these clients still need to use SSLv3, which is insecure.
From a security point of view you are 100% right. I completely agree.
That is the reason I applied your patch, thinking let's deny SSLv3 and lower.
But later I realized that I can not simply keep debugging on customer end. People are simply too lazy or too busy!
So ultimately I had to undo the patch.
Plus, SSLv3 is still widely used. I have a feeling that once this is put out to the public it's going to create issues.
And it's not that this cannot be achieved without the above patch. Those who want to force only TLS can always add SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 in their config files.
Most server software now allows specifying SSL options in the config file. It's better to put it in config files instead of hardcoding it in the library.
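As an added example (not code from this thread, nor from OpenSSL, dovecot or sendmail), here is what "put it in the config file" looks like in practice: the application reads an exclusion list from its own configuration, applies SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 to its context, and then checks what the linked library actually ended up with. Python's ssl module stands in for the OpenSSL API; the `!SSLv2 !SSLv3` list syntax (modelled on dovecot's ssl_protocols setting) and the function names are assumptions.

```python
import ssl

# The two OpenSSL option flags named in the thread, as Python exposes them.
# Note: on OpenSSL builds that removed SSLv2 entirely, SSL_OP_NO_SSLv2 is
# defined as 0, so the flag can no longer be "set" and must be treated as
# "protocol removed" rather than "protocol enabled".
LEGACY_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
}


def parse_disabled_protocols(setting):
    """Parse an exclusion list such as '!SSLv2 !SSLv3 TLSv1' (assumed syntax:
    a '!' prefix excludes a protocol) and return the excluded protocol names."""
    return {token[1:] for token in setting.split() if token.startswith("!")}


def build_server_context(setting):
    """Build a server-side context and apply the config file's exclusions,
    i.e. the decision the thread wants left to the calling program."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in parse_disabled_protocols(setting):
        flag = LEGACY_FLAGS.get(name)
        if flag:  # skip unknown names and flags whose value is 0 (removed)
            ctx.options |= flag
    return ctx


def legacy_protocol_status(ctx):
    """For each legacy protocol report 'disabled' (option set), 'removed'
    (the library no longer supports it at all) or 'enabled' (still offered).
    This is the check to run before relying on a config change."""
    status = {}
    for name, flag in LEGACY_FLAGS.items():
        if flag == 0:
            status[name] = "removed"
        elif ctx.options & flag:
            status[name] = "disabled"
        else:
            status[name] = "enabled"
    return status


if __name__ == "__main__":
    # Constructed config value, equivalent to setting SSL_OP_NO_SSLv2 and
    # SSL_OP_NO_SSLv3 from the application side instead of in libssl.
    server_ctx = build_server_context("!SSLv2 !SSLv3")
    for proto, state in legacy_protocol_status(server_ctx).items():
        print(f"{proto}: {state}")
```

Modern Python contexts already exclude SSLv2 and SSLv3 by default, so the status check is also the way to confirm that an older, permissive library default is not silently in effect.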
I mostly agree with you, especially in regard to SSLv3. I will probably undo the SSLv3 part of the patch. SSLv2 is a different beast though. I would even like to disable the SSLv2 support altogether, as it just gives a false impression of security, but that would break ABI compatibility of the library.
For now I dropped the disablement of SSLv3.