Date: Fri, 23 Mar 2018 15:48:03 -0700
From: Doug Hardie <bc979@lafn.org>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: freebsd-ports@freebsd.org
Subject: Re: Qpopper and openssl on FreeBSD 11.x
Message-ID: <C4C7E0BD-08B8-48C4-8356-0A5A78231D51@mail.sermon-archive.info>
In-Reply-To: <658796bc-2e39-85d3-77c2-b54fa5d7c736@gmx.de>
References: <F2C790CE-CD5B-41A8-B3A5-826392D5B43E@mail.sermon-archive.info> <658796bc-2e39-85d3-77c2-b54fa5d7c736@gmx.de>
> On 23 March 2018, at 02:40, Matthias Andree <matthias.andree@gmx.de> wrote:
>
> On 17.02.2018 at 04:22, Doug Hardie wrote:
>> I have encountered an interesting situation while trying to resolve a PR on qpopper. I am unable to build qpopper on 11.1 (and probably 11.0) because the openssl function SSLv3_server_method has been removed. I can see where the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear that they should be there. nm on libssl shows they are there. Clang's linker can't link to them. One of the qpopper users indicates that the problem does not exist on 10.4. I believe the loss of the SSLv3 methods is a bug and have filed a bug report.
>
> It is a deliberate security measure to remove SSLv3 methods, and not a
> bug. The protocol is broken.

Granted those protocols are broken, but removing the calls to disable them means that for systems that still support them, you have no real option to disable them. It's like you are pretending they never existed. However, they still do in 10.x, which is still supported.

>
>> Resolution of that PR will obviously take some time. The question at hand is what to do in the meantime. I am guessing the packages must be built on 10.x or there would be a report of the problem. I can easily change the code, via a patch, to use SSLv23_server_method in all cases, or the preferred TLSv1_server_method. That will eliminate the options to restrict qpopper to SSLv2 or SSLv3. This does not appear to be an issue for those running 11.x. However, it is for those using 10.x and earlier. Given the security issues today, I can't imagine anyone wanting to use those options, but it is possible someone is using them. Switching to the TLSv1_server_method will remove that capability for them.
>
> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
> those systems that still support them - which depends on the
> OpenSSL/LibreSSL version, however:
> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
> set through ..._set_options() on the SSL or CTX,
> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

The simple approach for 11 is to use SSLv23_server_method() as it handles everything and no extra calls are required. However, that doesn't work for 10.x. Adding in all the checks you mention is a lot of development and testing effort. I don't have the resources or desire to do all that. I have not found a hardware system that will run 10.x. Everything I have runs 11 just fine...

-- Doug
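The portable recipe Matthias quotes above (SSLv23_server_method() plus SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 on older libssl, SSL_CTX_set_min_proto_version() on OpenSSL 1.1.0+), as an added example that is not part of this thread or of qpopper: it uses Python's ssl module, a binding over the same OpenSSL calls, so the version-dependent logic can be built and checked offline against whatever libssl is installed. It assumes Python 3.7 or newer; the function names are mine.

```python
import ssl


def make_server_context():
    """Server context that negotiates the highest common TLS version but
    can never fall back to SSLv2 or SSLv3, whichever libssl is linked."""
    # PROTOCOL_TLS_SERVER is the counterpart of SSLv23_server_method()
    # (renamed TLS_server_method() in OpenSSL 1.1.0): any version, negotiated.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # Old-style knobs, the equivalent of
    #   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
    # They exist on every OpenSSL/LibreSSL release and are no-ops (the bit is
    # defined as 0) where the protocol was compiled out, so set them always.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

    # New-style knob, the equivalent of
    #   SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
    # Only OpenSSL 1.1.0+ (and recent LibreSSL) provide it, so feature-detect
    # rather than compare version numbers: LibreSSL reports itself as 2.x and
    # would pass a naive ">= 1.1.0" test even where the call is missing.
    if hasattr(ctx, "minimum_version"):
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            pass  # libssl built without TLS 1.0; its default floor is higher.
    return ctx


def forbids_sslv2_and_sslv3(ctx):
    """True when both SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are set on ctx."""
    bits = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return (ctx.options & bits) == bits


def protocol_floor(ctx):
    """Lowest protocol version the context will negotiate (ssl.TLSVersion)."""
    if hasattr(ctx, "minimum_version"):
        return ctx.minimum_version
    # Pre-1.1.0 libssl: the floor is implied by the option bits alone
    # (ignoring any OP_NO_TLSv1* bits, which this example never sets).
    if forbids_sslv2_and_sslv3(ctx):
        return ssl.TLSVersion.TLSv1
    return ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    c = make_server_context()
    print("SSLv2/SSLv3 blocked:", forbids_sslv2_and_sslv3(c))
    print("protocol floor:", protocol_floor(c).name)
```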