summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-docbook/spec.xfpt2
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--doc/doc-txt/NewStuff4
-rw-r--r--doc/doc-txt/OptionLists.txt2
-rw-r--r--src/README.UPDATING11
-rw-r--r--src/src/tls-openssl.c11
6 files changed, 27 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f368608a0..ae1f7df03 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -14385,7 +14385,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)&
transport driver.
-.option openssl_options main "string list" unset
+.option openssl_options main "string list" "+no_sslv2"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4f8154c7e..6c0554b5a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -163,6 +163,8 @@ PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
tls_dhparam take prime identifiers. Also unbreak combination of
OpenSSL+DH_params+TLSSNI.
+PP/39 Disable SSLv2 by default in OpenSSL support.
+
Exim version 4.77
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 0c3fccb74..4b9142238 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -106,6 +106,10 @@ Version 4.80
Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
primes.
+17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS).
+ Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL
+ install was not built with OPENSSL_NO_SSL2 ("no-ssl2").
+
Version 4.77
------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index a79182975..45b7997d1 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -373,7 +373,7 @@ once string* unset autoreply
once_file_size integer 0 autoreply 3.20
once_repeat time 0s autoreply 2.95
one_time boolean false redirect 4.00
-openssl_options string unset main 4.73 default to unset in 4.80
+openssl_options string +no_sslv2 main 4.73 default changed in 4.80
optional boolean false iplookup 4.00
oracle_servers string unset main 4.00
owners string list unset redirect 4.00
diff --git a/src/README.UPDATING b/src/README.UPDATING
index 6a820bc7c..d34dec1e1 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -43,6 +43,12 @@ Exim version 4.80
the message. No tool has been provided as we believe this is a rare
occurence.
+ * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support
+ SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no
+ actual usage. You can re-enable with the "openssl_options" Exim option,
+ in the main configuration section. Note that supporting SSLv2 exposes
+ you to ciphersuite downgrade attacks.
+
* With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built
against 1.0.1a then you will get a warning message and the
"openssl_options" value will not parse "no_tlsv1_1": the value changes
@@ -52,8 +58,9 @@ Exim version 4.80
"openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression".
COMPATIBILITY WARNING: The default value of "openssl_options" is no longer
- "+dont_insert_empty_fragments". We default to unset. That old default was
- grandfathered in from before openssl_options became a configuration option.
+ "+dont_insert_empty_fragments". We default to "+no_sslv2".
+ That old default was grandfathered in from before openssl_options became a
+ configuration option.
Empty fragments are inserted by default through TLS1.0, to partially defend
against certain attacks; TLS1.1+ change the protocol so that this is not
needed. The DIEF SSL option was required for some old releases of mail
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 43b79634e..22c0730c3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -744,7 +744,13 @@ list of available digests. */
EVP_add_digest(EVP_sha256());
#endif
-/* Create a context */
+/* Create a context.
+The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
+negotiation in the different methods; as far as I can tell, the only
+*_{server,client}_method which allows negotiation is SSLv23, which exists even
+when OpenSSL is built without SSLv2 support.
+By disabling with openssl_options, we can let admins re-enable with the
+existing knob. */
ctx = SSL_CTX_new((host == NULL)?
SSLv23_server_method() : SSLv23_client_method());
@@ -1872,6 +1878,9 @@ BOOL adding, item_parsed;
result = 0L;
/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
* from default because it increases BEAST susceptibility. */
+#ifdef SSL_OP_NO_SSLv2
+result |= SSL_OP_NO_SSLv2;
+#endif
if (option_spec == NULL)
{