From: Matthias Andree <matthias.andree@gmx.de>
To: freebsd-ports@freebsd.org
Subject: Re: Qpopper and openssl on FreeBSD 11.x
Date: Fri, 23 Mar 2018 10:40:52 +0100
Message-ID: <658796bc-2e39-85d3-77c2-b54fa5d7c736@gmx.de>
List-Id: Porting software to FreeBSD

On 17.02.2018 at 04:22, Doug Hardie wrote:
> I have encountered an interesting situation while trying to resolve a PR on qpopper. I am unable to build qpopper on 11.1 (and probably 11.0) because the openssl function SSLv3_server_method has been removed. I can see where the SSLv2 functions are disabled in ssl.h, but it appears that the SSLv3 functions should be there. nm on libssl shows they are there. Clang's linker can't link to them. One of the qpopper users indicates that the problem does not exist on 10.4. I believe the loss of the SSLv3 methods is a bug and have filed a bug report.

It is a deliberate security measure to remove the SSLv3 methods, not a bug. The protocol is broken.

> Resolution of that PR will obviously take some time. The question at hand is what to do in the meantime. I am guessing the packages must be built on 10.x, or there would be a report of the problem. I can easily change the code, via a patch, to use SSLv23_server_method in all cases, or the preferred TLSv1_server_method. That will eliminate the options to restrict qpopper to SSLv2 or SSLv3. This does not appear to be an issue for those running 11.x. However, it is for those using 10.x and earlier. Given the security issues today, I can't imagine anyone wanting to use those options, but it is possible someone is using them. Switching to TLSv1_server_method will remove that capability for them.

Use SSLv23_server_method(), and add code to block out SSLv2 and SSLv3 on those systems that still support them. How to do that depends on the OpenSSL/LibreSSL version, however: older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2 to be set through ..._set_options() on the SSL or CTX, while newer OpenSSL (1.1.0+) has ..._set_min_proto_version(..., TLS1_VERSION).