[Dovecot] disabling SSLv2 in dovecot 1.2.17

Steve Platt steve.platt at mrc-bsu.cam.ac.uk
Thu Mar 8 21:04:47 EET 2012


I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak 
ones) in the hope of preventing SSLv2 connections:

 ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES 
: @STRENGTH

However, this doesn't prevent the SSLv2 connection being allowed as our Nessus 
scans show and I'm tasked with trying to plug that "hole".

I see Dovecot2 had the following change a year or so ago, in file 
src/login-common/ssl-proxy-openssl.c:

-       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);

I tried making the same change to dovecot1's src tree on our test system and 
it seems to have the desired effect; however I am very hesitant  about putting 
this into our production system without seeking advice here first :-)

Have I missed anything that's obviously bad about doing this please?

Thanks again,
Steve Platt



More information about the dovecot mailing list