Qpopper and openssl on FreeBSD 11.x

Doug Hardie bc979 at lafn.org
Fri Mar 23 22:55:38 UTC 2018


> On 23 March 2018, at 02:40, Matthias Andree <matthias.andree at gmx.de> wrote:
> 
> Am 17.02.2018 um 04:22 schrieb Doug Hardie:
>> I have encountered an interesting situation while trying to resolve a PR on qpopper.  I am unable to build qpopper on 11.1 (and probably 11.0) because the openssl function SSLv3_server_method has been removed.  I can see where the SSLv2 functions are disabled in ssl.h, but the SSLv3 functions appear that they should be there.  nm on libssl shows they are there.  Clang's linker can't link to them.  One of the qpopper users indicates that the problem does not exist on 10.4.  I believe the loss of the SSLv3 methods is a bug and have filed a bug report.
> 
> It is a deliberate security measure to remove SSLv3 methods, and not a
> bug. The protocol is broken.

Granted those protocols are broken, but removing the calls to disable them means that for systems that still support them, you have no real option to disable them.  It's like you are pretending they never existed.  However, they still do in 10.x, which is still supported.

> 
>> Resolution of that PR will obviously take some time.  The question at hand is what to do in the meantime. I am guessing the packages must be built on 10.x or there would be a report of the problem.  I can easily change the code, via a patch, to use SSLv23_server_method in all cases, or the preferred TLSv1_server_method.  That will eliminate the options to restrict qpopper to SSLv2 or SSLv3.  This does not appear to be an issue for those running 11.x.  However, it is for those using 10.x and earlier.  Given the security issues today, I can't imagine anyone wanting to use those options, but it is possible someone is using them.  Switching to the TLSv1_server_method will remove that capability for them.  
> 
> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
> those systems that still support them - which depends on the
> OpenSSL/LibreSSL version, however:
> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
> set through ..._set_options() on the SSL or CTX,
> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).

The simple approach for 11 is to use SSLv23_server_method() as it handles everything and no extra calls are required.  However, that doesn't work for 10.x.  Adding in all the checks you mention is a lot of development and testing effort.  I don't have the resources or desire to do all that.  I have not found a hardware system that will run 10.x.  Everything I have runs 11 just fine...

-- Doug