diff options
| author | manuel <manuel@mausz.at> | 2025-01-22 14:12:55 +0100 |
|---|---|---|
| committer | manuel <manuel@mausz.at> | 2025-01-22 14:12:55 +0100 |
| commit | a77adb886ef7ed2efa8441dcd823d5f7e3f97183 (patch) | |
| tree | 1d5997ac846122780ffcb8feecb20b6e7efc20d7 | |
| parent | ec29722d8b6b90d1a0368542a5de991599e30adc (diff) | |
| download | qmail-a77adb886ef7ed2efa8441dcd823d5f7e3f97183.tar.gz qmail-a77adb886ef7ed2efa8441dcd823d5f7e3f97183.tar.bz2 qmail-a77adb886ef7ed2efa8441dcd823d5f7e3f97183.zip | |
Do not enable legacy TLS version any longer
| -rw-r--r-- | qmail-remote.c | 1 | ||||
| -rw-r--r-- | qmail-smtpd.c | 2 |
2 files changed, 0 insertions, 3 deletions
diff --git a/qmail-remote.c b/qmail-remote.c index a743e06..14114cf 100644 --- a/qmail-remote.c +++ b/qmail-remote.c | |||
| @@ -487,7 +487,6 @@ static int tls_init(struct ip_mx *current_mx) | |||
| 487 | smtptext.len = 0; | 487 | smtptext.len = 0; |
| 488 | tls_quit_error("ZTLS error initializing ctx"); | 488 | tls_quit_error("ZTLS error initializing ctx"); |
| 489 | } | 489 | } |
| 490 | SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); | ||
| 491 | /* TLS renegotiation is possible cpu resource attack */ | 490 | /* TLS renegotiation is possible cpu resource attack */ |
| 492 | SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); | 491 | SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); |
| 493 | /* SMTP does not suffer from truncation attacks due to its application framing */ | 492 | /* SMTP does not suffer from truncation attacks due to its application framing */ |
diff --git a/qmail-smtpd.c b/qmail-smtpd.c index 1c26031..de125b8 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c | |||
| @@ -1370,8 +1370,6 @@ void tls_init() | |||
| 1370 | /* a new SSL context with the bare minimum of options */ | 1370 | /* a new SSL context with the bare minimum of options */ |
| 1371 | ctx = SSL_CTX_new(TLS_server_method()); | 1371 | ctx = SSL_CTX_new(TLS_server_method()); |
| 1372 | if (!ctx) { tls_err("unable to initialize ctx"); return; } | 1372 | if (!ctx) { tls_err("unable to initialize ctx"); return; } |
| 1373 | SSL_CTX_set_min_proto_version(ctx, (*childargs) ? TLS1_2_VERSION : TLS1_VERSION); | ||
| 1374 | if (!*childargs) SSL_CTX_set_security_level(ctx, 0); | ||
| 1375 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | | 1373 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | |
| 1376 | SSL_OP_PRIORITIZE_CHACHA); | 1374 | SSL_OP_PRIORITIZE_CHACHA); |
| 1377 | /* TLS renegotiation is possible cpu resource attack */ | 1375 | /* TLS renegotiation is possible cpu resource attack */ |