Source: imapfilter
Version: 1:2.6.2-1
Severity: serious
Control: block 797926 by -1
Hi,
In imapfilter.c you set things up like this:

    ssl3ctx = SSL_CTX_new(SSLv3_client_method());
    ssl23ctx = SSL_CTX_new(SSLv23_client_method());
    tls1ctx = SSL_CTX_new(TLSv1_client_method());
    #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
    tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
    tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
    #endif

And then in socket.c you have things like:

    if (!ssn->sslproto) {
        ctx = ssl23ctx;
    } else if (!strcasecmp(ssn->sslproto, "ssl3")) {
        ctx = ssl3ctx;
    } else if (!strcasecmp(ssn->sslproto, "tls1")) {
        ctx = tls1ctx;
    } else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
    #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
        ctx = tls11ctx;
    #else
        ctx = tls1ctx;
    #endif
    } else if (!strcasecmp(ssn->sslproto, "tls1.2")) {
    #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
        ctx = tls12ctx;
    #else
        ctx = tls1ctx;
    #endif
    } else {
        ctx = ssl23ctx;
    }

I have just removed the SSLv3_* methods in unstable. You could
use OPENSSL_NO_SSL3 to remove the code making use of the SSLv3_*
methods. But I suggest you get rid of all of this and just use
the SSLv23_* method.

The SSLv23_* methods are the only ones that support multiple
versions. The plan is for all the others to go away because they
only support 1 version.

If you want to support selecting versions I suggest you use
SSL_set_options() with things like SSL_OP_NO_SSLv3.

Kurt
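
Added example (not part of the bug report and not imapfilter's code): the suggestion above as one SSLv23_* context whose protocol versions are restricted with SSL_OP_NO_* options, set on the context with SSL_CTX_set_options(). Assumptions of this example: the configured name is treated as a minimum version, "ssl3" is rejected, and proto_to_options, make_ctx and the WITH_OPENSSL build switch are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>
#ifdef WITH_OPENSSL   /* hypothetical switch: cc -DWITH_OPENSSL ex.c -lssl -lcrypto */
#include <openssl/ssl.h>
#else                 /* values as defined in openssl/ssl.h, so the mapping runs without it */
#define SSL_OP_NO_SSLv3   0x02000000UL
#define SSL_OP_NO_TLSv1   0x04000000UL
#define SSL_OP_NO_TLSv1_1 0x10000000UL
#endif

/* Turn the configured protocol name into SSL_OP_NO_* bits for one shared
 * context. Assumption of this example: the name is a minimum version.
 * Returns 0 on success, -1 for "ssl3" (the SSLv3_* methods are gone). */
int proto_to_options(const char *sslproto, unsigned long *opts)
{
    *opts = SSL_OP_NO_SSLv3;                 /* default: negotiate any TLS version */
    if (sslproto == NULL)
        return 0;
    if (!strcasecmp(sslproto, "ssl3"))
        return -1;
    if (!strcasecmp(sslproto, "tls1.1"))
        *opts |= SSL_OP_NO_TLSv1;
    else if (!strcasecmp(sslproto, "tls1.2"))
        *opts |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
    return 0;                                /* "tls1" and unknown names keep the default */
}

#ifdef WITH_OPENSSL
/* One context for every setting; the caller has already initialised OpenSSL. */
SSL_CTX *make_ctx(const char *sslproto)
{
    unsigned long opts;
    SSL_CTX *ctx;
    if (proto_to_options(sslproto, &opts) != 0)
        return NULL;                         /* report a configuration error upstream */
    ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx != NULL)
        SSL_CTX_set_options(ctx, opts);
    return ctx;
}
#endif

int main(void)
{
    unsigned long opts;
    if (proto_to_options("tls1.2", &opts) == 0)
        printf("tls1.2 -> options mask 0x%08lx\n", opts);
    return 0;
}
```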