Displaying 11 results from an estimated 11 matches for "ssl_ctx_set_opt".
2012 Mar 20
1
IMAP and POP3 per SSL
...an be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
"The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set
SSLHonorCipherOrder On
in apache config. This results in the following C-Code being executed:
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is no...
2014 Oct 19
3
Dovecot 1.2.17 poodle
Hi, how do I protect dovecot 1.2.17 against poodle?
Br
/Marc
2017 Sep 13
2
[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
...LSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients out there supporting only TLSv1 or TLSv1.1.
Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow
*disabling* specific protocols, without offering a way to enable previously
disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed
protocol versions, taking a linear version approach: the application may
request a minimum and a maximum allowed version (inclusive...
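The RFC above contrasts two ways of expressing the same policy: the legacy SSL_CTX_set_options() approach, where each version is switched off with its own SSL_OP_NO_* bit, and the OpenSSL 1.1 linear min/max API. The code below is an added example written for this page, not code from the RFC, from Dovecot or from OpenSSL. It uses Python's ssl module, which wraps both APIs, and takes a protocol spec in a syntax that is assumed here (space-separated version names, a leading `!` to disable one, modelled loosely on Dovecot's ssl_protocols). It derives the legacy bitmask and the (min, max) pair from the same spec, and refuses a spec with a hole in the middle, which the disable-flag API can express but a linear range cannot:

```python
import ssl

# Linear order the OpenSSL 1.1 min/max API assumes.  SSLv2 is omitted because
# OpenSSL 1.1 dropped it and Python's TLSVersion has no member for it.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Legacy "switch this one off" bits (SSL_OP_NO_*) and the matching TLSVersion members.
NO_FLAG = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}
TLS_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def enabled_versions(spec):
    """Parse '!SSLv3' (everything except SSLv3) or 'TLSv1.2 TLSv1.3' (only these).

    The spec syntax is an assumption made for this example, not Dovecot's parser.
    Returns the enabled versions in linear order.
    """
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty protocol spec")
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    listed = {t for t in tokens if not t.startswith("!")}
    unknown = (disabled | listed) - set(VERSIONS)
    if unknown:
        raise ValueError("unknown protocol(s): %s" % ", ".join(sorted(unknown)))
    base = listed if listed else set(VERSIONS)
    return [v for v in VERSIONS if v in base and v not in disabled]


def legacy_no_flags(spec):
    """OpenSSL 0.9.8/1.0 style: OR together SSL_OP_NO_* for every disabled version."""
    enabled = set(enabled_versions(spec))
    mask = 0
    for v in VERSIONS:
        if v not in enabled:
            mask |= NO_FLAG[v]
    return mask


def version_range(spec):
    """OpenSSL 1.1 style: (min, max), inclusive.

    A non-contiguous set (e.g. TLSv1 and TLSv1.2 but not TLSv1.1) is rejected:
    the flag API can express it, a single min/max range cannot.
    """
    enabled = enabled_versions(spec)
    if not enabled:
        raise ValueError("spec %r disables every protocol" % spec)
    lo, hi = VERSIONS.index(enabled[0]), VERSIONS.index(enabled[-1])
    if hi - lo + 1 != len(enabled):
        raise ValueError("spec %r has a gap; min/max cannot express it" % spec)
    return TLS_VERSION[enabled[0]], TLS_VERSION[enabled[-1]]


def apply_range(spec, ctx=None):
    """Apply the spec through the 1.1 API (SSL_CTX_set_min/max_proto_version)."""
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lo, hi = version_range(spec)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


if __name__ == "__main__":
    for spec in ("!SSLv3", "TLSv1.2 TLSv1.3", "TLSv1 TLSv1.2"):
        try:
            print(spec, "->", hex(legacy_no_flags(spec)), version_range(spec))
        except ValueError as e:
            print(spec, "->", e)
```

The gap check is the practical difference between the two APIs: a deployment that had, say, TLSv1 and TLSv1.2 enabled but TLSv1.1 disabled via SSL_OP_NO_TLSv1_1 cannot be carried over to min/max unchanged, and it is better to refuse the spec than to silently widen it.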
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
...eNULL : !3DES
: @STRENGTH
However, this doesn't prevent the SSLv2 connection being allowed as our Nessus
scans show and I'm tasked with trying to plug that "hole".
I see Dovecot2 had the following change a year or so ago, in file
src/login-common/ssl-proxy-openssl.c:
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
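Review bot: adding SSL_OP_NO_SSLv2 leaves SSLv3 enabled and keeps the full SSL_OP_ALL workaround set, which includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; the later ssl_proxy_ctx_init() quoted at the bottom of this page masks that bit out of SSL_OP_ALL ("except empty fragments as it makes SSL more vulnerable against attacks"), so a backport to dovecot1 should carry the same mask rather than only the SSLv2 bit.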
I tried making the same change to dovecot1's src tree on our test system and
it seems to have the desired effect; however I am very hesitant about putting
this into our production system without se...
2013 Sep 10
2
dovecot and PFS
Hi
Is there known advices on how to favor PFS with dovecot?
In Apache, I use the following directives, which cause all modern
browsers to adopt 256 bit PFS ciphers, while keeping backward
compatibility with older browsers and avoiding the BEAST attack:
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10
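The first result on this page (SSLHonorCipherOrder maps to SSL_OP_CIPHER_SERVER_PREFERENCE) and the PFS question in this post come down to the same two knobs: the server's cipher list, and whether the server's order or the client's order decides the suite. The following is an added example written for this page, not Dovecot, Apache or OpenSSL code. It uses Python's ssl module, which sets the same SSL_CTX_set_options bits, with a constructed cipher string that puts forward-secret suites first and a kRSA tail for old clients, and constructed server/client preference lists to show what the preference flag changes:

```python
import ssl

# Constructed cipher string for this example (not Dovecot's default): ECDHE
# first, then DHE, a kRSA tail for old clients, and the usual exclusions.
PFS_FIRST = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES:kRSA+AES:"
             "!aNULL:!eNULL:!MD5:!3DES:!RC4:!PSK:!SRP")


def make_server_context(prefer_server_order=True, ciphers=PFS_FIRST):
    """Server context with the cipher list and the preference flag applied.

    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE is the Python spelling of
    SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if prefer_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE  # client's order wins
    ctx.set_ciphers(ciphers)
    return ctx


def has_server_preference(ctx):
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def is_forward_secret(name):
    # TLS 1.3 suites (TLS_*) always use (EC)DHE; for TLS 1.2 suites the
    # OpenSSL name starts with the key-exchange method.
    return name.startswith(("TLS_", "ECDHE-", "DHE-"))


def audit_cipher_order(ctx):
    """Report whether every forward-secret suite precedes every non-PFS one."""
    names = [c["name"] for c in ctx.get_ciphers()]
    first_non_pfs = next((i for i, n in enumerate(names)
                          if not is_forward_secret(n)), len(names))
    return {
        "total": len(names),
        "pfs": sum(1 for n in names if is_forward_secret(n)),
        "first": names[0] if names else None,
        # PFS suites that an old client could be steered past: should be empty
        "pfs_after_non_pfs": [n for n in names[first_non_pfs:] if is_forward_secret(n)],
    }


def negotiate(server_order, client_order, server_preference):
    """Suite a TLS 1.2 server picks: first common suite in the winning list."""
    common = set(server_order) & set(client_order)
    if not common:
        return None
    winning = server_order if server_preference else client_order
    return next(c for c in winning if c in common)


if __name__ == "__main__":
    ctx = make_server_context()
    print(audit_cipher_order(ctx))
    # Constructed lists: the server leads with ECDHE, an old client asks for
    # plain RSA key exchange first.
    srv = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
    cli = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    print(negotiate(srv, cli, True))   # server order wins: ECDHE
    print(negotiate(srv, cli, False))  # client order wins: AES128-SHA
```

Without the preference flag the cipher string order is only advisory: a client that lists a non-PFS suite first gets it, which is exactly the case the simulated negotiation shows. The audit reads back ctx.get_ciphers() so the order OpenSSL actually built from the string, not the string itself, is what gets checked.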
2017 Aug 26
3
[PATCH] Add support for lower TLS version than default
...char *ssl_options;
+ const char *ssl_lowest_version;
bool ssl_verify_client_cert;
bool ssl_require_crl;
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -1302,7 +1302,20 @@ ssl_server_context_init(const struct log
if (ctx->prefer_server_ciphers)
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ if (ssl_set->ssl_lowest_version) {
+ if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.0"))
+ SSL_CTX_s...
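Review bot: `if (ssl_set->ssl_lowest_version)` tests for NULL, but string settings elsewhere in this file are tested for emptiness (`if (*set->ssl_ca != '\0')`), so an unset value is most likely "" and the strcmp chain then silently matches nothing; use `*ssl_set->ssl_lowest_version != '\0'`. The minimum is also applied right after `SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols))`, so ssl_protocols can disable TLSv1 while ssl_lowest_version = TLS1.0 asks for it; say which setting wins, or reject the contradictory combination when settings are checked. The hunk also reads both `ctx->` and `ssl_set->`, and where ssl_set comes from is not visible in the diff context.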
2011 Oct 13
1
[PATCH] Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low
...ory usage low.
diff -r 962df5d9413a -r c15d6befe200 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed Oct 12 17:16:10 2011 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Thu Oct 13 16:19:52 2011 -0300
@@ -925,6 +925,9 @@
STACK_OF(X509_NAME) *xnames = NULL;
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
if (*set->ssl_ca != '\0') {
/* set trusted CA certs */
store = SSL_CTX_get_cert_store(ssl_ctx);
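Review bot: the `#ifdef SSL_MODE_RELEASE_BUFFERS` guard means the mode is silently skipped on an OpenSSL that lacks the macro, and neither the hunk nor the message ("keep memory usage low") records which OpenSSL version introduced it or what it saves per idle connection; a one-line comment above the #ifdef naming the minimum version and the trade-off (the per-connection read/write buffers are released while idle and allocated again for the next record) would help whoever revisits this.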
2003 Apr 11
2
How often should an encrypted session be rekeyed?
Using OpenSSL, is there a preferred/recommended rate of rekeying an
encrypted stream of data? Does OpenSSL handle this for developers
behind the scenes? Does it even need to be rekeyed?
Thanks in advance. -sc
--
Sean Chittenden
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...dh_callback(ssl_ctx, ssl_tmp_dh_callback);
- return xnames;
+#if !defined(OPENSSL_NO_ECDH)
+ /* In the non-recommended situation where ECDH cipher suites are being
+ used instead of ECDHE, do not reuse the same ECDH key pair for
+ different sessions. This option improves forward secrecy. */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
+#endif
+#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+ /* OpenSSL >= 1.0.2 automatically handles ECDH temporary key parameter
+ selection. */
+ SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#elif !defined(OPENSSL_NO_ECDH) &...
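Review bot: the comment above SSL_OP_SINGLE_ECDH_USE has the two cases the wrong way round: that option makes OpenSSL generate a fresh ephemeral key for each handshake in ECDHE suites (static ECDH suites take their key from the certificate and are not affected), so it should say it applies to ECDHE and drop the "used instead of ECDHE" wording. The `#elif` fallback for OpenSSL < 1.0.2 is cut off here; check that it actually installs a curve, otherwise the SSL_OP_SINGLE_ECDH_USE bit has nothing to act on below 1.0.2.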
2016 Mar 10
2
Client-initiated secure renegotiation
On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote:
> On 09-03-16 13:14, djk wrote:
>> On 09/03/16 10:44, Florent B wrote:
>>> Hi,
>>>
>>> I don't see any SSL configuration option in Dovecot to disable
>>> "Client-initiated secure renegotiation".
>>>
>>> It is advised to disable it as it can
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...- bool load_xnames)
+static void
+ssl_proxy_ctx_init(SSL_CTX *ssl_ctx, const struct master_service_ssl_settings *set)
{
- X509_STORE *store;
- STACK_OF(X509_NAME) *xnames = NULL;
-
/* enable all SSL workarounds, except empty fragments as it
makes SSL more vulnerable against attacks */
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
@@ -1010,12 +981,10 @@
if (*set->ssl_ca != '\0') {
/* set trusted CA certs */
- store = SSL_CTX_get_cert_store(ssl_ctx);
- load_ca(store, set->ssl_ca, load_xnames ? &xnames : NULL);
+ load_ca(ssl_ctx, set->ssl_ca);
}
ssl_proxy_ctx_set...
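Review bot: the removed `load_ca(store, set->ssl_ca, load_xnames ? &xnames : NULL)` path was what collected the X509_NAME list a server sends in its CertificateRequest; the replacement `load_ca(ssl_ctx, set->ssl_ca)` hides where that list now ends up, and the hunk stops before the `ssl_proxy_ctx_set...` call. For a patch titled "Fix for client certificate validation does not work", the review should confirm that the CA names are still installed on the context (SSL_CTX_set_client_CA_list) and that dropping the `load_xnames` parameter did not turn the server-side path into a no-op.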