Qpopper and openssl on FreeBSD 11.x

Matthias Andree matthias.andree at gmx.de
Sat Mar 24 09:42:19 UTC 2018


On 23.03.2018 at 23:48, Doug Hardie wrote:
>
>> Use SSLv23_server_method(), and use code to block out SSLv2 + SSLv3 on
>> those systems that still support them - which depends on the
>> OpenSSL/LibreSSL version, however:
>> Older OpenSSL and LibreSSL require SSL_OP_NO_SSLv3 and SSL_OP_NO_SSLv2
>> set through ..._set_options() on the SSL or CTX,
>> newer OpenSSL (1.1.0+) have ..._set_min_proto_version(..., TLS1_VERSION).
> The simple approach for 11 is to use SSLv23_server_method() as it handles everything and no extra calls are required. However, that doesn't work for 10.x. Adding in all the checks you mention is a lot of development and testing effort. I don't have the resources or desire to do all that. I have not found a hardware system that will run 10.x. Everything I have runs 11 just fine...

Why does it not work for FreeBSD 10? SSLv23_server_method() has been in
OpenSSL for ages. It is however important to block out broken protocols
(SSL v2, v3) in the application if changing the method regardless of
FreeBSD version. This would mean unsupporting clients that do not
support at least TLS v1.0, but well, unless you only want to pretend to
offer network security you will have to do that.

