Control: tags -1 + wontfix
Control: severity -1 wishlist

Hi,

On 22:04 Thu 03 Jan     , pradeep nambiar wrote:
> Package: dovecot-core
> Version: 1:2.2.27-3+deb9u2
> Severity: normal
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation? : Using Roundcube mail client. Unable to 
> login with SSLv2 disabled in dovecot conf file: 10-ssl.conf
>      This bug seems to be similar to this which says it has been fixed 
> earlier:  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844347
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)? I had to re-enable SSLv2 
>       with setting 
>               ssl_protocl = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1   
>       did not work.
>       with setting 
>               ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
>       worked
> 
>    * What was the outcome of this action? Had to enable SSLv2. But SSLv2 has 
> known vulnerability.
>    * What outcome did you expect instead? Would like to disable SSLv2 in 
> 10-ssl.conf file

Thanks for the report. Since Debian Stretch, SSLv2 is not supported by 
the OpenSSL library in Debian at all, so there is no need to disable it.  
In fact, this bug is due to OpenSSL not knowing how to disable a 
protocol it does not support at all.

Regards,
Apollon
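
Added example, not part of the original message and not dovecot or Debian code: a small linter that finds `ssl_protocols` tokens naming a protocol the TLS library does not recognise, and returns the value without them. The `KNOWN_ON_STRETCH` set and the sample config are assumptions constructed for illustration; only the absence of SSLv2 comes from the reply above.

```python
import re

# Assumption for illustration: per the reply, SSLv2 is absent on Debian Stretch.
# The remaining names are constructed sample data, not read from OpenSSL.
KNOWN_ON_STRETCH = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

SETTING_RE = re.compile(r"^\s*ssl_protocols\s*=\s*(.*?)\s*$")


def lint_ssl_protocols(conf_text, known=KNOWN_ON_STRETCH):
    """Return (cleaned_value, unknown_tokens) for the last ssl_protocols line.

    Returns (None, []) when the setting is not present at all.
    """
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        match = SETTING_RE.match(line)
        if match:
            value = match.group(1)            # a later line overrides an earlier one
    if value is None:
        return None, []
    kept, unknown = [], []
    for token in value.split():
        name = token.lstrip("!")              # "!TLSv1" negates protocol "TLSv1"
        (kept if name in known else unknown).append(token)
    return " ".join(kept), unknown


# Constructed sample of a 10-ssl.conf fragment.
SAMPLE = """\
ssl = required
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1   # legacy protocols off
"""

if __name__ == "__main__":
    cleaned, unknown = lint_ssl_protocols(SAMPLE)
    for token in unknown:
        print(f"unrecognised protocol token: {token}")
    print(f"suggested: ssl_protocols = {cleaned}")
```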
