47 lines
2 KiB
C
47 lines
2 KiB
C
$NetBSD: patch-popper_pop__tls__openssl.c,v 1.2 2020/01/10 21:16:03 joerg Exp $
|
|
|
|
Disable SSLv2 and SSLv3. Don't look into the internals of SSL objects.
|
|
|
|
--- popper/pop_tls_openssl.c.orig 2011-05-30 19:13:40.000000000 +0000
|
|
+++ popper/pop_tls_openssl.c
|
|
@@ -51,6 +51,7 @@
|
|
#include <fcntl.h>
|
|
#include <setjmp.h>
|
|
#include <signal.h>
|
|
+#include <string.h>
|
|
|
|
#ifdef HAVE_UNISTD_H
|
|
# include <unistd.h>
|
|
@@ -318,6 +319,7 @@ openssl_init ( pop_tls *pTLS, POP *pPOP
|
|
pTLS->m_OpenSSLmeth = SSLv23_server_method();
|
|
break;
|
|
|
|
+#if 0
|
|
case QPOP_SSLv2: /* SSL version 2 only */
|
|
DEBUG_LOG0 ( pPOP, "...setting method to SSLv2_server_method" );
|
|
pTLS->m_OpenSSLmeth = SSLv2_server_method();
|
|
@@ -327,6 +329,7 @@ openssl_init ( pop_tls *pTLS, POP *pPOP
|
|
DEBUG_LOG0 ( pPOP, "...setting method to SSLv3_server_method" );
|
|
pTLS->m_OpenSSLmeth = SSLv3_server_method();
|
|
break;
|
|
+#endif
|
|
|
|
case QPOP_TLSv1: /* TLS version 1 only */
|
|
DEBUG_LOG0 ( pPOP, "...setting method to TLSv1_server_method" );
|
|
@@ -350,6 +353,7 @@ openssl_init ( pop_tls *pTLS, POP *pPOP
|
|
log_openssl_err ( pPOP, HERE, "Unable to allocate SSL_CTX" );
|
|
goto Done;
|
|
}
|
|
+ SSL_CTX_set_options(pTLS->m_OpenSSLctx, SSL_OP_NO_SSLv2);
|
|
|
|
/*
|
|
* Set desired options
|
|
@@ -537,7 +541,7 @@ openssl_handshake ( pop_tls *pTLS )
|
|
"%s session-id; cipher: %s (%s), %d bits",
|
|
VERSION, SSL_CIPHER_get_version(ciph),
|
|
pTLS->m_pPOP->client, pTLS->m_pPOP->ipaddr,
|
|
- ( pTLS->m_OpenSSLconn->hit ? "reused" : "new" ),
|
|
+ ( SSL_session_reused(pTLS->m_OpenSSLconn) ? "reused" : "new" ),
|
|
( ciph_name != NULL ? ciph_name : "(none)" ),
|
|
get_cipher_description ( ciph, buf, sizeof(buf) ),
|
|
SSL_CIPHER_get_bits ( ciph, &al_bits ) );
|