[balsa] Disable SSLv3 (Albrecht Dreß)

From: Peter Bloomfield <peterb src gnome org>
To: commits-list gnome org
Cc:
Subject: [balsa] Disable SSLv3 (Albrecht Dreß)
Date: Mon, 16 Feb 2015 17:54:06 +0000 (UTC)

commit 163910d7f54add20a21c78fc745bcaf886dcd58f
Author: Peter Bloomfield <PeterBloomfield bellsouth net>
Date:   Mon Feb 16 12:53:20 2015 -0500

    Disable SSLv3 (Albrecht Dreß)
    
        * libbalsa/imap/imap-tls.c (imap_create_ssl): disable SSLv3,
        with an option in the code to override, and enable TLSv1.1 and 1.2

 ChangeLog                |    6 ++++++
 libbalsa/imap/imap-tls.c |   19 ++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 4f88375..2b388be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-16  Albrecht Dreß
+
+       * libbalsa/imap/imap-tls.c (imap_create_ssl): disable SSLv3,
+       with an option in the code to override, and enable TLSv1.1 and 1.2
+
+
 2013-07-14  Peter Bloomfield
 
        Fix bgo #704159 (Igor Pashev)
diff --git a/libbalsa/imap/imap-tls.c b/libbalsa/imap/imap-tls.c
index c310444..de2ce52 100644
--- a/libbalsa/imap/imap-tls.c
+++ b/libbalsa/imap/imap-tls.c
@@ -53,6 +53,15 @@
 #include <pthread.h>
 #endif
 
+/* Support for SSLv3 should *not* be enabled as it is unsafe (see
+ * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566> and
+ * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730>.
+ *
+ * Uncomment the following line if you *really* want to enable SSLv3 support.
+ * Otherwise, only the "safe" protocols TLS 1.0, TLS 1.1 and TLS 1.2 are used
+ * (note that TLS 1.1 and TLS 1.2 support depends upon the OpenSSL version) */
+/* #define ENABLE_SSL3 1 */
+
 #include "siobuf.h"
 #include "imap_private.h"
 
@@ -181,13 +190,17 @@ imap_create_ssl(void)
     imaptls_thread_setup();
     SSL_library_init();
     SSL_load_error_strings();
-#if 1
+#if 0
     global_ssl_context = SSL_CTX_new (TLSv1_client_method ());
 #else
-    /* we could also enable SSLv3 but it doe not work very well with 
-     * all servers. */
+    /* Note: SSLv23_client_method() actually enables *all* protocols, including
+     * SSLv(2|3) and TLSv1.(0|1|2), so we must switch all unsafe ones off */
     global_ssl_context = SSL_CTX_new (SSLv23_client_method ());
+#ifdef ENABLE_SSL3
     SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+#else
+    SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
+#endif
 #endif
     /* no client certificate password support yet
      * SSL_CTX_set_default_passwd_cb (ctx, ctx_password_cb);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]