Disabling SSLv3 protocol

Timo Sirainen tss at iki.fi
Wed Nov 12 05:20:43 UTC 2014


On 09 Nov 2014, at 08:22, Jelmer Vernooij <jelmer at debian.org> wrote:

> On Tue, Oct 14, 2014 at 12:25:32PM -0700, Timo Sirainen wrote:
>> Since people are now talking about the SSLv3 security hole and how to disable it, here's a thread where you can talk about that. In Dovecot v2.1+ you can disable SSLv3 by setting:
>> 
>> ssl_protocols = !SSLv2 !SSLv3
>> 
>> In older versions you'd have to patch the source code. Attached a patch against v2.0. 
> Do you have any plans to make this (SSLv3 disabled) the new default for
> ssl_protocols? I'm considering doing this in the Debian package.

Yeah, I'm planning to do it for Dovecot v2.3 at least. I'm not sure if I should change it to v2.2.x. I guess I could, because apparently there aren't any commonly used clients that support only SSLv3. But then again I don't think SSLv3 is especially exploitable with IMAP/POP3 protocols.
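An added example, not part of the thread or of Dovecot's code: a small audit that reads an `ssl_protocols` line from configuration text and reports whether SSLv2 or SSLv3 is still enabled. The function names, the protocol name list, the sample configs and the parsing rules (a `!` prefix excludes a protocol, any protocol listed without `!` makes the list an allow-list, the last assignment wins) are assumptions made for this illustration.

```python
# Added example: evaluate a Dovecot-style ssl_protocols value.
# Assumptions: tokens are separated by spaces or commas; "!" excludes a
# protocol; if any protocol appears without "!", only listed ones are enabled.
import re

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # assumed name list


def enabled_protocols(value):
    """Return the set of protocol names left enabled by an ssl_protocols value."""
    canon = {name.lower(): name for name in KNOWN}
    include, exclude = set(), set()
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        name = canon.get((token[1:] if negated else token).lower())
        if name is None:
            raise ValueError("unknown protocol in ssl_protocols: %r" % token)
        (exclude if negated else include).add(name)
    base = include if include else set(KNOWN)
    return base - exclude  # exclusions override inclusions


def audit_config(text):
    """Find the ssl_protocols assignment in config text and list weak protocols."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"ssl_protocols\s*=\s*(.*)$", line)
        if m:
            value = m.group(1)  # assumption: last assignment wins
    if value is None:
        # Not set: the effective value is the build's default, unknown here.
        return {"set": False, "weak": None}
    weak = sorted(enabled_protocols(value) & {"SSLv2", "SSLv3"})
    return {"set": True, "weak": weak}


# Constructed sample configs (not taken from the thread).
WEAK = "ssl = yes\nssl_protocols = !SSLv2\n"
FIXED = "ssl = yes\n# disable SSLv3\nssl_protocols = !SSLv2 !SSLv3\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_config(cfg))
```

A result with `"set": False` means the file never assigns `ssl_protocols`, so the running version's default decides whether SSLv3 is offered.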


