
Disable SSLv3 and select ciphers in amavis


Grooz, Marc (regio iT)

Mar 17, 2015, 9:27:56 AM
Hi,

is there a way to disable SSLv3 and control which ciphers amavis uses?

Kind regards

Marc

Markus Benning

Mar 17, 2015, 10:59:14 AM
Hello,

currently amavis does not configure these parameters.

In amavisd-new 2.10.1 the server side STARTTLS is done at amavisd
line number 21939 in process_smtp_request():

IO::Socket::SSL->start_SSL($sock,
    SSL_server => 1, SSL_session_cache => 2,
    SSL_error_trap => sub { my($sock,$msg)=@_;
                            do_log(-2,"Error on socket: %s",$msg) },
    SSL_passwd_cb => sub { 'example' },
    SSL_key_file => $smtpd_tls_key_file,
    SSL_cert_file => $smtpd_tls_cert_file,
) or die "Error upgrading socket to SSL: ".
         IO::Socket::SSL::errstr();

And client side in ssl_upgrade() at line number 8389:

IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
    SSL_error_trap =>
        sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
    %params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();

Both do not set SSL_version, SSL_cipher_list or SSL_honor_cipher_order.

regards,
Markus
--
Markus Benning, https://markusbenning.de/

Grooz, Marc (regio iT)

Mar 17, 2015, 11:12:46 AM
OK but is there a way to set this parameter in openssl or somewhere else?

Kind regards, Marc

-----Original Message-----
From: i...@markusbenning.de [mailto:i...@markusbenning.de]
Sent: Tuesday, 17 March 2015 15:48
To: Grooz, Marc (regio iT)
Cc: amavis...@amavis.org
Subject: Re: Disable SSLv3 and select ciphers in amavis

Patrick Ben Koetter

Mar 17, 2015, 11:18:39 AM
* Grooz, Marc (regio iT) <Marc....@regioit.de>:
> OK but is there a way to set this parameter in openssl or somewhere else?

Try patching it using "SSL_version" as documented in
http://search.cpan.org/~sullr/IO-Socket-SSL-2.012/lib/IO/Socket/SSL.pod.

p@rick
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Markus Benning

Mar 17, 2015, 11:27:24 AM
On Tue, Mar 17, 2015 at 03:04:43PM +0000, Grooz, Marc (regio iT) wrote:
> OK but is there a way to set this parameter in openssl or somewhere else?

The quick and dirty way is to set it in the amavisd source code. Try:

--- amavisd.orig 2015-03-17 16:17:09.000000000 +0100
+++ amavisd 2015-03-17 16:21:46.000000000 +0100
@@ -8389,6 +8389,8 @@
IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
SSL_error_trap =>
sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+ SSL_version => '!SSLv2,!SSLv3',
+ SSL_cipher_list => 'ALL:!LOW:!EXP:!aNULL:!eNULL',
%params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
$self->{last_event} = 'ssl-upgrade';
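Review bot: the two added keys sit before `%params` in the argument list, so any `SSL_version` or `SSL_cipher_list` a caller passes through `%params` silently overrides the hardening (the later key wins when the list is flattened into a hash); either place them after `%params` or state that callers are meant to be able to relax them. Also check the value `'!SSLv2,!SSLv3'` against the IO::Socket::SSL documentation linked earlier in this thread, which describes the `SSL_version` setting with a base version and `:`-separated exclusions (for example `'SSLv23:!SSLv3:!SSLv2'`); a comma-separated string without a base version may be rejected rather than silently applied.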
@@ -21943,6 +21945,8 @@
SSL_passwd_cb => sub { 'example' },
SSL_key_file => $smtpd_tls_key_file,
SSL_cert_file => $smtpd_tls_cert_file,
+ SSL_version => '!SSLv2,!SSLv3',
+ SSL_cipher_list => 'ALL:!LOW:!EXP:!aNULL:!eNULL',
) or die "Error upgrading socket to SSL: ".
IO::Socket::SSL::errstr();
if ($self->{smtp_inpbuf} ne '') {
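Review bot: the server hunk still sets no `SSL_honor_cipher_order`, which the earlier message listed as missing alongside `SSL_version` and `SSL_cipher_list`, so even with the new cipher list the server follows the client's preference order; add `SSL_honor_cipher_order => 1,` next to the two new keys. The cipher string `'ALL:!LOW:!EXP:!aNULL:!eNULL'` also still admits RC4-based suites, since only the LOW and EXP groups are excluded. Finally, both hunks repeat the same two literals; moving them into configuration variables, as the follow-up message proposes, avoids the client and server paths drifting apart.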


The better way would be to add configuration options for these parameters
to amavisd and submit a patch for inclusion.

regards,
Markus
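
A defender's check for the settings discussed in this message, added here as an example and not code from the thread or from amavisd: it counts the suites a given cipher string still admits that an operator would normally exclude, and probes an amavisd STARTTLS listener once per protocol version. The `AMAVIS_HOST`/`AMAVIS_PORT` variables and the 10024 default port are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from amavisd: audit the cipher
# string used in the patch above and probe an amavisd STARTTLS listener for
# SSLv3. Host and port are assumptions (amavisd commonly listens on 10024).
set -eu

CIPHERS='ALL:!LOW:!EXP:!aNULL:!eNULL'   # the string hardcoded in the patch

# Read `openssl ciphers -v` output on stdin and print how many suites use
# algorithms the cipher string still admits but a defender would exclude:
# RC4, single/triple DES, RC2, IDEA, MD5 MACs and anonymous key exchange.
count_weak_suites() {
    grep -Ec 'Enc=(RC4|3?DES|RC2|IDEA)|Mac=MD5|Au=None' || true
}

# Constructed sample in `openssl ciphers -v` layout (not captured output).
SAMPLE_V_OUTPUT='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1'

# Probe a STARTTLS SMTP listener with one protocol flag (-ssl3, -tls1, -tls1_2).
# Prints "accepted" (handshake completed), "rejected" (handshake failed), or
# "unsupported-flag" when this openssl build does not know the flag at all
# (a no-ssl3 build cannot tell you whether the server still speaks SSLv3).
probe_version() {   # $1 host, $2 port, $3 openssl protocol flag
    openssl s_client -help 2>&1 | grep -q -- "$3" || { echo unsupported-flag; return; }
    if printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -starttls smtp "$3" \
            >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

echo "weak suites in constructed sample: $(printf '%s\n' "$SAMPLE_V_OUTPUT" | count_weak_suites)"

if command -v openssl >/dev/null 2>&1; then
    echo "weak suites admitted by '$CIPHERS' on this openssl build:" \
         "$(openssl ciphers -v "$CIPHERS" | count_weak_suites)"
fi
if [ -n "${AMAVIS_HOST:-}" ]; then   # e.g. AMAVIS_HOST=127.0.0.1 AMAVIS_PORT=10024
    for flag in -ssl3 -tls1 -tls1_2; do
        echo "$flag: $(probe_version "$AMAVIS_HOST" "${AMAVIS_PORT:-10024}" "$flag")"
    done
fi
```

Run the probe only against a listener you operate; after applying the patch, `-ssl3` should report `rejected` and the `-tls1_2` probe `accepted`.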

Markus Benning

Mar 17, 2015, 11:49:28 AM
On Tue, Mar 17, 2015 at 04:26:38PM +0100, Markus Benning wrote:
> The better way would be to add configuration options for these parameters
> to amavisd and submit a patch for inclusion.

I just had a look at the code. The attached patch should add the
configuration parameters:

$smtpd_tls_cipher_list
$smtpd_tls_version
$smtp_tls_cipher_list
$smtp_tls_version
amavisd-tls-params.patch