From 3ddb39faf72f52fe4089e40cd9fe75cb11965fe1 Mon Sep 17 00:00:00 2001
From: manuel
Date: Mon, 16 Apr 2018 15:53:39 +0200
Subject: Disable SSLv3 and enable prefer server ciphers
---
 qmail-remote.c | 2 +-
 qmail-smtpd.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/qmail-remote.c b/qmail-remote.c
index adb7343..6c7fba0 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -483,7 +483,7 @@ int tls_init()
 smtptext.len = 0;
 tls_quit_error("ZTLS error initializing ctx");
 }
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 if (servercert) {
 if (!SSL_CTX_load_verify_locations(ctx, servercert, NULL)) {
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 69b7dbb..18795bc 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1482,7 +1482,8 @@ void tls_init()
 /* a new SSL context with the bare minimum of options */
 ctx = SSL_CTX_new(SSLv23_server_method());
 if (!ctx) { tls_err("unable to initialize ctx"); return; }
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
 if (!SSL_CTX_use_certificate_chain_file(ctx, servercert)) { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
-- cgit v1.2.3
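Review bot: The new option mask in qmail-remote.c's tls_init() has no comment saying why SSLv3 is refused or which protocol versions remain, and the same is true of the matching line in the qmail-smtpd.c hunk. I would add `/* refuse SSLv2 and SSLv3 (POODLE); TLS 1.0 and later remain enabled */` above the call in both files. What happens to a delivery when the peer offers only SSLv3 (deferral, or a retry without TLS) is decided by code outside this hunk, since tls_init() starts and ends beyond it, so that path should be confirmed before rollout. If the build only targets OpenSSL 1.1.0 or later, `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` states the floor directly instead of listing excluded versions.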
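Review bot: SSL_OP_CIPHER_SERVER_PREFERENCE in qmail-smtpd.c's tls_init() only improves the negotiated suite if the server's cipher list is ordered strongest-first, and the call that sets that list is not in this hunk. With a default or loosely ordered cipher string, the flag can hold clients to a weaker suite than they would have picked themselves. I would review the configured cipher string together with this change and record the dependency next to the call, e.g. `/* server cipher order wins: keep the configured cipher list strongest-first */`. The existing comment "a new SSL context with the bare minimum of options" no longer matches the option mask and could be updated at the same time. tls_init() continues outside the hunk.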