This is driven by the fact that OpenSSL 1.1 does not know about SSLv2 at
all and dovecot's defaults simply make OpenSSL error out with "Unknown
protocol 'SSLv2'"[1]. So we change the defaults to refer to SSLv2 iff OpenSSL
seems to know something about it.
While at it, it's also a good idea to disable SSLv3 by default as well.

[1] https://bugs.debian.org/844347

Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org>
#ssl_dh_parameters_length = 1024
# SSL protocols to use
-#ssl_protocols = !SSLv2
+#ssl_protocols = !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
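Review bot: The commented default `#ssl_protocols = !SSLv3` no longer matches the compiled-in default on builds where `SSL_TXT_SSLV2` is defined, since the value there is `!SSLv2 !SSLv3`. An administrator who uncomments this line unchanged on such a build would no longer exclude SSLv2. Consider adding a comment line above it stating that SSLv2 is also disabled by default when the OpenSSL in use knows about it, or documenting both forms.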
.ssl_key = "",
.ssl_key_password = "",
.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
- .ssl_protocols = "!SSLv2",
+#ifdef SSL_TXT_SSLV2
+ .ssl_protocols = "!SSLv2 !SSLv3",
+#else
+ .ssl_protocols = "!SSLv3",
+#endif
.ssl_cert_username_field = "commonName",
.ssl_crypto_device = "",
.ssl_verify_client_cert = FALSE,
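Review bot: The `#ifdef SSL_TXT_SSLV2` guard only works if the OpenSSL header that defines that macro is included in this file before the defaults struct, and the hunk shows no such include. If it is missing, the `#else` branch is always taken and SSLv2 is silently left enabled on OpenSSL versions that still support it. Please confirm the include is present, and add a short comment above the `#ifdef` explaining that the macro serves as a compile-time proxy for SSLv2 support, since the check reflects the headers at build time rather than the library loaded at run time.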