Date:      Sat, 24 Mar 2018 10:42:09 +0100
From:      Matthias Andree <matthias.andree@gmx.de>
To:        Doug Hardie <bc979@lafn.org>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: Qpopper and openssl on FreeBSD 11.x
Message-ID:  <25472945-5f11-e75e-f69e-d339cf045d7c@gmx.de>
In-Reply-To: <C4C7E0BD-08B8-48C4-8356-0A5A78231D51@mail.sermon-archive.info>
References:  <F2C790CE-CD5B-41A8-B3A5-826392D5B43E@mail.sermon-archive.info> <658796bc-2e39-85d3-77c2-b54fa5d7c736@gmx.de> <C4C7E0BD-08B8-48C4-8356-0A5A78231D51@mail.sermon-archive.info>

On 23.03.2018 at 23:48, Doug Hardie wrote:
>
>> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
>> those systems that still support them - which depends on the
>> OpenSSL/LibreSSL version, however:
>> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
>> set through ..._set_options() on the SSL or CTX,
>> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).
> The simple approach for 11 is to use SSLv23_server_method() as it handles everything and no extra calls are required.  However, that doesn't work for 10.x.  Adding in all the checks you mention is a lot of development and testing effort.  I don't have the resources or desire to do all that.  I have not found a hardware system that will run 10.x.  Everything I have runs 11 just fine...

Why does it not work for FreeBSD 10? SSLv23_server_method() has been in
OpenSSL for ages. It is however important to block out broken protocols
(SSL v2, v3) in the application if changing the method regardless of
FreeBSD version. This would mean unsupporting clients that do not
support at least TLS v1.0, but well, unless you only want to pretend to
offer network security you will have to do that.
