Disable SSLv3 and enable prefer server ciphers

author: manuel <manuel@mausz.at> 2018-04-16 15:53:39 +0200
committer: manuel <manuel@mausz.at> 2018-04-16 15:53:39 +0200
commit: 3ddb39faf72f52fe4089e40cd9fe75cb11965fe1 (patch)
tree: 14df3967eae20cdfa487908264a58a9427bb4470
parent: 633250158229d6a161df8b037faeacb61f068471 (diff)
download: qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.gz
qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.bz2
qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.zip
2 files changed, 3 insertions, 2 deletions
diff --git a/qmail-remote.c b/qmail-remote.c
index adb7343..6c7fba0 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -483,7 +483,7 @@ int tls_init()
    smtptext.len = 0;
    tls_quit_error("ZTLS error initializing ctx");
  }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
  if (servercert) {
    if (!SSL_CTX_load_verify_locations(ctx, servercert, NULL)) {
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 69b7dbb..18795bc 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1482,7 +1482,8 @@ void tls_init()
  /* a new SSL context with the bare minimum of options */
  ctx = SSL_CTX_new(SSLv23_server_method());
  if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                           SSL_OP_CIPHER_SERVER_PREFERENCE);
  if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
    { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
author	manuel <manuel@mausz.at>	2018-04-16 15:53:39 +0200
committer	manuel <manuel@mausz.at>	2018-04-16 15:53:39 +0200
commit	3ddb39faf72f52fe4089e40cd9fe75cb11965fe1 (patch)
tree	14df3967eae20cdfa487908264a58a9427bb4470
parent	633250158229d6a161df8b037faeacb61f068471 (diff)
download	qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.gz qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.bz2 qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.zip