Disable SSLv3 and enable prefer server ciphers

author: manuel <manuel@mausz.at> 2018-04-16 15:53:39 +0200
committer: manuel <manuel@mausz.at> 2018-04-16 15:53:39 +0200
commit: 3ddb39faf72f52fe4089e40cd9fe75cb11965fe1 (patch)
tree: 14df3967eae20cdfa487908264a58a9427bb4470 /qmail-smtpd.c
parent: 633250158229d6a161df8b037faeacb61f068471 (diff)
download: qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.gz
qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.bz2
qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 69b7dbb..18795bc 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1482,7 +1482,8 @@ void tls_init()
  /* a new SSL context with the bare minimum of options */
  ctx = SSL_CTX_new(SSLv23_server_method());
  if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                           SSL_OP_CIPHER_SERVER_PREFERENCE);
  if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
    { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
author	manuel <manuel@mausz.at>	2018-04-16 15:53:39 +0200
committer	manuel <manuel@mausz.at>	2018-04-16 15:53:39 +0200
commit	3ddb39faf72f52fe4089e40cd9fe75cb11965fe1 (patch)
tree	14df3967eae20cdfa487908264a58a9427bb4470 /qmail-smtpd.c
parent	633250158229d6a161df8b037faeacb61f068471 (diff)
download	qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.gz qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.tar.bz2 qmail-3ddb39faf72f52fe4089e40cd9fe75cb11965fe1.zip

diff --git a/qmail-smtpd.c b/qmail-smtpd.c index 69b7dbb..18795bc 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c
@@ -1482,7 +1482,8 @@ void tls_init()
1482	/* a new SSL context with the bare minimum of options */	1482	/* a new SSL context with the bare minimum of options */
1483	ctx = SSL_CTX_new(SSLv23_server_method());	1483	ctx = SSL_CTX_new(SSLv23_server_method());
1484	if (!ctx) { tls_err("unable to initialize ctx"); return; }	1484	if (!ctx) { tls_err("unable to initialize ctx"); return; }
1485	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);	1485	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3 \|
		1486	SSL_OP_CIPHER_SERVER_PREFERENCE);
1486		1487
1487	if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))	1488	if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
1488	{ SSL_CTX_free(ctx); tls_err("missing certificate"); return; }	1489	{ SSL_CTX_free(ctx); tls_err("missing certificate"); return; }