Date: Fri, 23 Mar 2018 10:40:52 +0100
From: Matthias Andree <matthias.andree@gmx.de>
To: freebsd-ports@freebsd.org
Subject: Re: Qpopper and openssl on FreeBSD 11.x
Message-ID: <658796bc-2e39-85d3-77c2-b54fa5d7c736@gmx.de>
In-Reply-To: <F2C790CE-CD5B-41A8-B3A5-826392D5B43E@mail.sermon-archive.info>
References: <F2C790CE-CD5B-41A8-B3A5-826392D5B43E@mail.sermon-archive.info>
On 17.02.2018 at 04:22, Doug Hardie wrote:

> I have encountered an interesting situation while trying to resolve a PR on qpopper. I am unable to build qpopper on 11.1 (and probably 11.0) because the openssl function SSLv3_server_method has been removed. I can see where the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear that they should be there. nm on libssl shows they are there. Clang's linker can't link to them. One of the qpopper users indicates that the problem does not exist on 10.4. I believe the loss of the SSLv3 methods is a bug and have filed a bug report.

It is a deliberate security measure to remove SSLv3 methods, and not a bug. The protocol is broken.

> Resolution of that PR will obviously take some time. The question at hand is what to do in the meantime. I am guessing the packages must be built on 10.x or there would be a report of the problem. I can easily change the code, via a patch, to use SSLv23_server_method in all cases, or the preferred TLSv1_server_method. That will eliminate the options to restrict qpopper to SSLv2 or SSLv3. This does not appear to be an issue for those running 11.x. However, it is for those using 10.x and earlier. Given the security issues today, I can't imagine anyone wanting to use those options, but it is possible someone is using them. Switching to the TLSv1_server_method will remove that capability for them.

Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on those systems that still support them - which depends on the OpenSSL/LibreSSL version, however: Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2 set through ..._set_options() on the SSL or CTX, newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).