search for: ssl_op_al

Displaying 9 results from an estimated 9 matches for "ssl_op_al".

2010 Oct 01
4
Patching openssl rpms
...'Patch #88 (openssl-ssl-h.patch):' Patch #88 (openssl-ssl-h.patch): + patch -p1 -s 1 out of 1 hunk FAILED -- saving rejects to file ssl/ssl.h.rej error: Bad exit status from /var/tmp/rpm-tmp.52066 (%prep) The ssl.h.rej file has: *************** *** 497,503 **** /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ - #define SSL_OP_ALL 0x00000FFFL /* DTLS options */ #define SSL_OP_NO_QUERY_MTU 0x00001000L --- 497,503 ----...
2012 Mar 20
1
IMAP and POP3 per SSL
...gin-common/ssl-proxy-openssl.c 2010-12-30 10:42:54.000000000 +0100 --- src/login-common/ssl-proxy-openssl.c_1 2012-03-20 09:48:28.359508087 +0100 *************** *** 924,930 **** X509_STORE *store; STACK_OF(X509_NAME) *xnames = NULL; ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); if (*set->ssl_ca != '\0') { /* set trusted CA certs */ store = SSL_CTX_get_cert_store(ssl_ctx); --- 924,930 ---- X509_STORE *store; STACK_OF(X509_NAME) *xnames = NULL; ! SSL_CTX_set_options(ssl_ctx, SSL_O...
2014 Oct 19
3
Dovecot 1.2.17 poodle
Hi, how do I protect dovecot 1.2.17 against poodle? Br /Marc
2012 Mar 08
1
disabling SSLv2 in dovecot 1.2.17
...owever, this doesn't prevent the SSLv2 connection being allowed as our Nessus scans show and I'm tasked with trying to plug that "hole". I see Dovecot2 had the following change a year or so ago, in file src/login-common/ssl-proxy-openssl.c: - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect; however I am very hesitant about putting this into our production system without seeking advice here first...
2005 Oct 11
0
FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
.... Problem Description In order to provide bug-for-bug compatibility with Microsoft Internet Explorer 3.02, a verification step required by the Secure Sockets Layer protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING option in OpenSSL. This option is implied by the frequently-used SSL_OP_ALL option. III. Impact If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server application using OpenSSL, an attacker who is able to intercept and tamper with packets transmitted between a client and the server can cause the protocol version negotiation to result in SSLv2 being used even...
2011 Oct 13
1
[PATCH] Use SSL_MODE_RELEASE_BUFFERS if available to keep memory usage low
...5d9413a -r c15d6befe200 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Wed Oct 12 17:16:10 2011 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Thu Oct 13 16:19:52 2011 -0300 @@ -925,6 +925,9 @@ STACK_OF(X509_NAME) *xnames = NULL; SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif if (*set->ssl_ca != '\0') { /* set trusted CA certs */ store = SSL_CTX_get_cert_store(ssl_ctx);
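Review bot: the added SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS) call after SSL_CTX_set_options carries no comment saying why the mode is set. The subject line gives the reason (keeping memory usage low), so a one-line comment above the #ifdef would keep that reason with the code. The #ifdef guard matches the "if available" intent of the subject and keeps the file building against OpenSSL headers that do not define the macro.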
2003 Apr 11
2
How often should an encrypted session be rekeyed?
Using OpenSSL, is there a preferred/recommended rate of rekeying an encrypted stream of data? Does OpenSSL handle this for developers behind the scenes? Does it even need to be rekeyed? Thanks in advance. -sc -- Sean Chittenden
2005 Oct 11
10
FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
.... Problem Description In order to provide bug-for-bug compatibility with Microsoft Internet Explorer 3.02, a verification step required by the Secure Sockets Layer protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING option in OpenSSL. This option is implied by the frequently-used SSL_OP_ALL option. III. Impact If the SSL_OP_MSIE_SSLV2_RSA_PADDING option is enabled in a server application using OpenSSL, an attacker who is able to intercept and tamper with packets transmitted between a client and the server can cause the protocol version negotiation to result in SSLv2 being used even...
2015 Feb 11
2
[PATCH] Fix for client certificate validation does not work
...ic void +ssl_proxy_ctx_init(SSL_CTX *ssl_ctx, const struct master_service_ssl_settings *set) { - X509_STORE *store; - STACK_OF(X509_NAME) *xnames = NULL; - /* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & @@ -1010,12 +981,10 @@ if (*set->ssl_ca != '\0') { /* set trusted CA certs */ - store = SSL_CTX_get_cert_store(ssl_ctx); - load_ca(store, set->ssl_ca, load_xnames ? &xnames : NULL); + load_ca(ssl_ctx, set->ssl_ca); } ssl_proxy_ctx_set_crypto_params(ssl_ctx,...
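Review bot: in the second hunk, load_ca(ssl_ctx, set->ssl_ca) no longer receives the load_xnames ? &xnames : NULL argument, and the first hunk removes the xnames local, so nothing in the visible lines still collects the CA names that were previously requested through load_xnames. The patch should show where the client CA name list is now set (inside load_ca or in its caller), or the commit message should state that dropping it is intentional, since the change is described as a fix for client certificate validation.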