-rw-r--r--imap/ChangeLog4
-rw-r--r--imap/imapd-ssl.dist.in.git8
-rw-r--r--imap/pop3d-ssl.dist.in.git4
-rw-r--r--tcpd/libcouriertls.c5
4 files changed, 6 insertions, 15 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog
index f3ffcca..d00a152 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,7 @@
+2016-04-23 Sam Varshavchik <mrsam@courier-mta.com>
+
+ * Stop using SSL2 and SSL3 openssl configuration methods.
+
2016-03-03 Sam Varshavchik <mrsam@courier-mta.com>
* libs/tcpd/libcouriertls.c: Add support for TLS SNI.
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index 20620cc..15c8ab6 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -136,13 +136,11 @@ COURIERTLS=@bindir@/couriertls
#
# OpenSSL:
#
-# SSL3 - SSLv3
-# SSL23 - all protocols (including TLS 1.x protocols)
# TLSv1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
-# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
# higher protocols.
#
# The default value is TLSv1+
@@ -306,10 +304,6 @@ TLS_VERIFYPEER=NONE
# that open multiple SSL sessions to the server. TLS_CACHEFILE will be
# automatically created, TLS_CACHESIZE bytes long, and used as a cache
# buffer.
-#
-# This is an experimental feature and should be disabled if it causes
-# problems with SSL clients. Disable SSL caching by commenting out the
-# following settings:
TLS_CACHEFILE=@localstatedir@/couriersslcache
TLS_CACHESIZE=524288
diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git
index 70ee341..be691dc 100644
--- a/imap/pop3d-ssl.dist.in.git
+++ b/imap/pop3d-ssl.dist.in.git
@@ -121,13 +121,11 @@ COURIERTLS=@bindir@/couriertls
#
# OpenSSL:
#
-# SSL3 - SSLv3
-# SSL23 - all protocols (including TLS 1.x protocols)
# TLSv11 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
-# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
# higher protocols.
#
# The default value is TLSv1+
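Review bot: The context line `# TLSv11 - TLS1` just below the removed SSL3/SSL23 entries carries a typo that this rewrite of the comment block leaves in place; the name the code accepts is `TLSv1`, as both the imapd counterpart in this commit (`# TLSv1 - TLS1`) and the `"TLSv1"` row of op_list in libcouriertls.c show. Since the surrounding lines are already being edited, change it to `# TLSv1 - TLS1` so the documented setting matches the one the server actually recognises; an operator copying `TLSv11` from this comment would otherwise configure a name the table does not contain.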
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 985c76e..89e362c 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -73,11 +73,6 @@ struct proto_ops op_list[] =
{ "TLSv1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
{ "TLSv1", &TLSv1_method, SSL_OP_ALL },
{ "TLS1", &TLSv1_method, SSL_OP_ALL },
- { "SSL3+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2 },
-#ifdef HAVE_SSLV3_METHOD
- { "SSL3", &SSLv3_method, SSL_OP_ALL },
-#endif
- { "SSL23", &SSLv23_method, SSL_OP_ALL },
{ "", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
{ NULL, &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
};
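Review bot: Dropping the "SSL3+", "SSL3" and "SSL23" rows changes what an existing `TLS_PROTOCOL=SSL23` or `SSL3` setting resolves to, and neither the table nor the ChangeLog entry states the new outcome; the lookup that walks op_list is presumably outside this hunk, so whether an unknown name is rejected or silently falls through to the `NULL`-keyed default cannot be confirmed from here, and that distinction matters for operators who expect a misconfiguration to fail loudly. A comment above the remaining rows would make the intent explicit, e.g. `/* SSL2/SSL3 protocol names are no longer accepted; SSLv23_method is kept only as the version-flexible method and is always paired with SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 */`, which matches the three rows still using it. With the `"SSL3"` row gone, `HAVE_SSLV3_METHOD` appears to have no remaining user in this file, so the configure check that defines it is likely dead and could be removed in the same change. The op_list initializer starts above the hunk, so the first rows of the table are not visible here.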