It seems like the patch mentioned before does not directly apply to the code on the squeeze-update branch of the git repository, so I modified it a little.
Sadly, I cannot really make it work. It seems to be doing what is needed, but if I try:

    openssl s_client -connect example.com:1234 -ssl3

it still connects correctly, so I guess something else is missing.

Best,
-- 
Marco Villegas
>From a415edd1a1e02ee991532e9a02a229da65ae83fc Mon Sep 17 00:00:00 2001 From: Marco Villegas <g...@marvil07.net> Date: Thu, 16 Oct 2014 23:54:39 -0500 Subject: [PATCH] Disable SSLv3 A modified version of Timo Sirainen patch from http://dovecot.org/list/dovecot/2014-October/098244.html to let it apply. --- debian/patches/0012-sslv3-disable.patch | 13 +++++++++++++ debian/patches/series | 1 + 2 files changed, 14 insertions(+), 0 deletions(-) create mode 100644 debian/patches/0012-sslv3-disable.patch diff --git a/debian/patches/0012-sslv3-disable.patch b/debian/patches/0012-sslv3-disable.patch new file mode 100644 index 0000000..bd926c1 --- /dev/null +++ b/debian/patches/0012-sslv3-disable.patch @@ -0,0 +1,13 @@ +diff --git src/login-common/ssl-proxy-openssl.c src/login-common/ssl-proxy-openssl.c +index 72fa0fa..9efe3b9 100644 +--- src/login-common/ssl-proxy-openssl.c ++++ src/login-common/ssl-proxy-openssl.c +@@ -817,7 +817,7 @@ static void ssl_proxy_ctx_init(SSL_CTX *ssl_ctx) + { + const char *cafile; + +- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); ++ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv3); + + cafile = getenv("SSL_CA_FILE"); + if (cafile != NULL) { diff --git a/debian/patches/series b/debian/patches/series index 29319ed..28f3703 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ 0009-dovecot-mboxlocking.patch 0010-sendmail-path.patch 0011-CVE-2011-1929.patch +0012-sslv3-disable.patch -- 1.7.2.5
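Review bot: the diff embedded in the new 0012-sslv3-disable.patch uses prefix-less paths (`+--- src/login-common/ssl-proxy-openssl.c`, `++++ src/login-common/ssl-proxy-openssl.c`), whereas the outer patch uses the usual `a/` and `b/` prefixes; if quilt applies this file at its default -p1 strip level, the path becomes `login-common/ssl-proxy-openssl.c`, which does not match the file in the source tree, so the hunk would not apply and the `SSL_OP_ALL | SSL_OP_NO_SSLv3` change would never reach the built binary. That is consistent with the report that `openssl s_client ... -ssl3` still connects after the change. Suggest rewriting the headers as `--- a/src/login-common/ssl-proxy-openssl.c` / `+++ b/src/login-common/ssl-proxy-openssl.c` (or declaring `-p0` for this entry in series) and, before retesting, checking that the unpacked build tree really contains the `SSL_OP_NO_SSLv3` line. The file also lacks a DEP-3 header; a `Description:` and an `Origin:` pointing at http://dovecot.org/list/dovecot/2014-October/098244.html (already cited in the commit message) would record where the change came from.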
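Review bot: the series entry `+0012-sslv3-disable.patch` is appended in the right place after `0011-CVE-2011-1929.patch`, but because the patch's own file headers carry no `a/`/`b/` prefix, this is also the line where a non-default strip level would have to be declared (quilt accepts `0012-sslv3-disable.patch -p0`); choose one fix, either prefixed paths inside the patch or `-p0` here, so the strip level stated in series matches the headers.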