search for: ssl_op_no_sslv2

RedHat released sendmail-8.13.8-10.el5_11.src.rpm which includes sendmail-8.13.8-ssl-opts.patch which adds support for disabling SSLv3 and SSLv2 in sendmail.cf But as far as I can see there is no support in sendmail.mc - I can't see how to compile sendmail.mc to get the required line ServerSSLOptions in sendmail.cf Does anyone know how to do this ? -- Andrew Daviel, TRIUMF, Canada

...l-proxy-openssl.c 2010-12-30 10:42:54.000000000 +0100 --- src/login-common/ssl-proxy-openssl.c_1 2012-03-20 09:48:28.359508087 +0100 *************** *** 924,930 **** X509_STORE *store; STACK_OF(X509_NAME) *xnames = NULL; ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); if (*set->ssl_ca != '\0') { /* set trusted CA certs */ store = SSL_CTX_get_cert_store(ssl_ctx); --- 924,930 ---- X509_STORE *store; STACK_OF(X509_NAME) *xnames = NULL; ! SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_S...

Hi, how do I protect dovecot 1.2.17 against poodle? Br /Marc -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://dovecot.org/pipermail/dovecot/attachments/20141019/b4152487/attachment-0001.sig>

...support in sendmail.mc - I can't > see how to compile sendmail.mc to get the required line > ServerSSLOptions in sendmail.cf > > > Does anyone know how to do this ? At the end of sendmail.mc, after the MAILER macros, add a LOCAL_CONFIG, e.g,, LOCAL_CONFIG O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE -- Paul Heinlein heinlein at madboa.com 45?38' N, 122?6' W

Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis <PoMec at PoMec.Net>: > On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote: >> Everyone, >> >> Looks like the new version of oppenssl has broken my sendmail's use >> of >> tls. Has anyone else had this problem or seen a fix? >> >> Greg Ennis >>

...5d6befe200 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Wed Oct 12 17:16:10 2011 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Thu Oct 13 16:19:52 2011 -0300 @@ -925,6 +925,9 @@ STACK_OF(X509_NAME) *xnames = NULL; SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif if (*set->ssl_ca != '\0') { /* set trusted CA certs */ store = SSL_CTX_get_cert_store(ssl_ctx);

...owed as our Nessus scans show and I'm tasked with trying to plug that "hole". I see Dovecot2 had the following change a year or so ago, in file src/login-common/ssl-proxy-openssl.c: - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect; however I am very hesitant about putting this into our production system without seeking advice here first :-) Have I missed anything that's obviously bad about doing thi...

Using OpenSSL, is there a preferred/recommended rate of rekeying an encrypted stream of data? Does OpenSSL handle this for developers behind the scenes? Does it even need to be rekeyed? Thanks in advance. -sc -- Sean Chittenden -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 202 bytes Desc: not available

Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients