Here's a one-line patch to Qpopper 4.0.4 that should probably fix all
your problems:
* patch file begins on next line *
diff -c -r popper.old/pop_tls_openssl.c
popper/pop_tls_openssl.c *** popper.old/pop_tls_openssl.c Tue Sep 10
14:48:20 2002 --- popper/pop_tls_openssl.c Tue Sep 10 14:51:25 2002
*** *** 339,344 --- 339,347
log_openssl_err ( pPOP, HERE, Unable to allocate SSL_CTX );
goto Done;
}
+ /* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
+ /* combination work with recent versions of OpenSSL. */
+ SSL_CTX_set_options (pTLS-m_OpenSSLctx, SSL_OP_ALL);
/*
* Establish the certificate for our server cert.
* patch file ends on previous line *
When your SSL/TLS-enabled server allocates a new SSL context (for
example in preparation for using it with a new connection), OpenSSL
has long made it possible to incorporate a bunch of workarounds for
bugs commonly found in clients you'll be talking to. You can enable
each workaround individually, or you can enable all of them at once by
calling SSL_CTX_set_options() with its options parameter set to
SSL_OP_ALL.
In principle this might make your server more vulnerable to attacks,
but it is common practice -- recent versions of the UW IMAP and Cyrus
servers both do so. For some reason Qpopper doesn't.
This doesn't cause trouble until you link Qpopper with OpenSSL version
0.9.6d or later.
That version of OpenSSL included a new countermeasure against a
vulnerability in CBC ciphersuites. Here's a quote from the OpenSSL
0.9.6d change log:
*) Implement a countermeasure against a vulnerability recently found
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
before application data chunks to avoid the use of known IVs
with data potentially chosen by the attacker.
[Bodo Moeller]
But Eudora (even the most recent versions) apparently has this
vulnerability. And linking against OpenSSL 0.9.6d caused servers
(notably UW IMAP and Cyrus) to stop working with Eudora as a client.
The OpenSSL authors noticed this, and included a new workaround in
0.9.6e, called SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. This option was
(and is still) included in SSL_OP_ALL.
Linking against OpenSSL 0.9.6e (and later) fixed UW IMAP and Cyrus
-- which both set the SSL options to SSL_OP_ALL. But it didn't help
Qpopper (without my patch, that is).
I'm not an expert in encryption or in OpenSSL, so I can't really
evaluate the risk involved in applying my patch (that is in making
Qpopper use SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and all of OpenSSL's
other workarounds). But I'm willing to trust the judgement of the
authors of OpenSSL, UW IMAP and Cyrus, all of whom seem to think the
risk is outweighed by the convenience of working with semi-broken
clients like Eudora.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
