Re: cyradm and TLS 1.2

John Wade <jwade@xxxxxxxxxx> · Tue, 15 Oct 2019 18:37:47 -0500



    Thanks!  You have the more correct fix:

    
    From: 
    https://www.openssl.org/docs/man1.1.0/man3/TLSv1_client_method.html

    
    "TLS_method(), TLS_server_method(), TLS_client_method()

    These are the general-purpose version-flexible SSL/TLS methods. The
    actual protocol version used will be negotiated to the highest
    version mutually supported by the client and the server. The
    supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
    Applications should use these methods, and avoid the
    version-specific methods described below."

    
    Thanks,

    John

    
    On 10/15/2019 6:04 PM, ellie timoney
      wrote:

    
      **********************

        CAUTION: EXTERNAL MAIL

        **********************
      
      
      Thanks for reporting back.  For whatever its worth, the
        equivalent fix on 2.5+ uses "TLS_client_method()", not
        "TLSv1_2_client_method()".  I'm not sure what difference it
        makes, but maybe it requires a newer OpenSSL than you have?

      
      Here's the commit to master, fyi: https://github.com/cyrusimap/cyrus-imapd/commit/78f79ea53238c8596e2f8602b7b1e29a16863ae9

      
      On Tue, Oct 15, 2019, at 7:43 AM, John Widera wrote:

      
        Turns out imclient (at least in the latest RHEL7 pkg) is
          hardcoded to use TLSv1.  Since we're building binary RPMs from
          Source RPMs anyway we modified imclient.c, rebuilt the RPMs,
          reinstalled the cyrus-imapd-utils package:  Here's the patch
          we used:

        
        ----------------------------------------------------

        
        ---
              imclient.c.orig 2012-12-01 13:57:54.000000000 -0600

        
        +++ imclient.c
              2019-10-03 14:40:11.254566297 -0500

        
        @@ -1695,7
              +1695,7 @@

        
        return -1;

        
        }

        
        -
              imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());

        
        +
              imclient->tls_ctx =
              SSL_CTX_new(TLSv1_2_client_method());

        
        if
              (imclient->tls_ctx == NULL) {

        
        return -1;

        
        };

        
        -------------------------------------------

        
        Maybe this helps someone else.

        
        Regards,

        
      ----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
    
    
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus