From f0f5a555bee153477d12bcbce90875d46884281c Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 6 May 2012 02:50:57 -0700 Subject: [PATCH] Disable SSLv2 by default. --- doc/doc-docbook/spec.xfpt | 2 +- doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/NewStuff | 4 ++++ doc/doc-txt/OptionLists.txt | 2 +- src/README.UPDATING | 11 +++++++++-- src/src/tls-openssl.c | 11 ++++++++++- 6 files changed, 27 insertions(+), 5 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c4739a80f..a00908fe4 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -14355,7 +14355,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" unset +.option openssl_options main "string list" "+no_sslv2" .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ed226b756..6b2b62cdb 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -86,6 +86,8 @@ PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage Not seeing resolver debug output on NetBSD, but suspect this is a resolver implementation change. +PP/20 Disable SSLv2 by default in OpenSSL support. + Exim version 4.77 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 2872d241f..6eae4ce7b 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -56,6 +56,10 @@ Version 4.78 Currently OpenSSL only. + 8. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). + Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL + install was not built with OPENSSL_NO_SSL2 ("no-ssl2"). + Version 4.77 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 52a24b198..d6fedcb5c 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -373,7 +373,7 @@ once string* unset autoreply once_file_size integer 0 autoreply 3.20 once_repeat time 0s autoreply 2.95 one_time boolean false redirect 4.00 -openssl_options string unset main 4.73 default to unset in 4.78 +openssl_options string +no_sslv2 main 4.73 default changed in 4.78 optional boolean false iplookup 4.00 oracle_servers string unset main 4.00 owners string list unset redirect 4.00 diff --git a/src/README.UPDATING b/src/README.UPDATING index 5b6bea869..12335eab8 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -39,6 +39,12 @@ Exim version 4.78 the message. No tool has been provided as we believe this is a rare occurence. + * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support + SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no + actual usage. You can re-enable with the "openssl_options" Exim option, + in the main configuration section. Note that supporting SSLv2 exposes + you to ciphersuite downgrade attacks. + * With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built against 1.0.1a then you will get a warning message and the "openssl_options" value will not parse "no_tlsv1_1": the value changes @@ -48,8 +54,9 @@ Exim version 4.78 "openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression". COMPATIBILITY WARNING: The default value of "openssl_options" is no longer - "+dont_insert_empty_fragments". We default to unset. That old default was - grandfathered in from before openssl_options became a configuration option. + "+dont_insert_empty_fragments". We default to "+no_sslv2". + That old default was grandfathered in from before openssl_options became a + configuration option. Empty fragments are inserted by default through TLS1.0, to partially defend against certain attacks; TLS1.1+ change the protocol so that this is not needed. The DIEF SSL option was required for some old releases of mail diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e609670ee..ea32bdb40 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -481,7 +481,13 @@ list of available digests. */ EVP_add_digest(EVP_sha256()); #endif -/* Create a context */ +/* Create a context. +The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant +negotiation in the different methods; as far as I can tell, the only +*_{server,client}_method which allows negotiation is SSLv23, which exists even +when OpenSSL is built without SSLv2 support. +By disabling with openssl_options, we can let admins re-enable with the +existing knob. */ ctx = SSL_CTX_new((host == NULL)? SSLv23_server_method() : SSLv23_client_method()); @@ -1522,6 +1528,9 @@ BOOL adding, item_parsed; result = 0L; /* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed * from default because it increases BEAST susceptibility. */ +#ifdef SSL_OP_NO_SSLv2 +result |= SSL_OP_NO_SSLv2; +#endif if (option_spec == NULL) { -- 2.30.2