Re: Disable SSLv3 an select ciphers in amavis

Grooz, Marc (regio iT) Marc.Grooz at regioit.de
Tue Mar 17 16:04:43 CET 2015


OK but is there a way to set this parameter in openssl or somewhere else?

Kind regards marc

-----Original Message-----
From: ich at markusbenning.de [mailto:ich at markusbenning.de]
Sent: Tuesday, 17 March 2015 15:48
To: Grooz, Marc (regio iT)
Cc: amavis-users at amavis.org
Subject: Re: Disable SSLv3 an select ciphers in amavis

Hello,

Currently amavis does not configure these parameters.

In amavisd-new 2.10.1 the server side STARTTLS is done at amavisd line number 21939 in process_smtp_request():

    IO::Socket::SSL->start_SSL($sock,
      SSL_server => 1, SSL_session_cache => 2,
      SSL_error_trap => sub { my($sock,$msg)=@_;
                              do_log(-2,"Error on socket: %s",$msg) },
      SSL_passwd_cb => sub { 'example' },
      SSL_key_file  => $smtpd_tls_key_file,
      SSL_cert_file => $smtpd_tls_cert_file,
    ) or die "Error upgrading socket to SSL: ".
             IO::Socket::SSL::errstr();

And client side in ssl_upgrade() at line number 8389:

  IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
    SSL_error_trap =>
      sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
    %params,
  ) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();

Both do not set SSL_version, SSL_cipher_list or SSL_honor_cipher_order.

regards,
Markus


On Tue, Mar 17, 2015 at 01:18:08PM +0000, Grooz, Marc (regio iT) wrote:
> Hi,
> is there a way to disable SSLv3 and control which ciphers amavis uses?
> Kind regards
> Marc

--
Markus Benning, https://markusbenning.de/
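
Added example, not part of the thread and not amavisd code: a loopback handshake in Perl that passes SSL_version, SSL_cipher_list and SSL_honor_cipher_order to IO::Socket::SSL->start_SSL() on the server and client side, the options the message above says both calls leave unset. The policy values, the throwaway self-signed certificate and the fork-based test harness are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not amavisd code): start_SSL() with an explicit protocol
# and cipher policy, exercised over a loopback connection.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create);

# Assumed policy values; adjust to local requirements.
my %tls_policy = (
  SSL_version            => 'SSLv23:!SSLv2:!SSLv3',  # any protocol except SSLv2/SSLv3
  SSL_cipher_list        => 'HIGH:!aNULL:!eNULL:!RC4:!MD5',
  SSL_honor_cipher_order => 1,                        # server preference decides
);

# Throwaway self-signed certificate, constructed for this test only.
my ($cert, $key) = CERT_create(subject => { commonName => 'localhost' });

my $listener = IO::Socket::INET->new(
  LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 1,
) or die "listen: $!";
my $port = $listener->sockport;

my $pid = fork() // die "fork: $!";
if ($pid == 0) {             # child: server side, like process_smtp_request()
  my $sock = $listener->accept or exit 1;
  IO::Socket::SSL->start_SSL($sock,
    SSL_server => 1,
    SSL_cert   => $cert, SSL_key => $key,
    %tls_policy,
  ) or exit 2;
  print $sock "ok\n";
  close $sock;
  exit 0;
}

# parent: client side, like ssl_upgrade()
my $sock = IO::Socket::INET->new(PeerAddr => '127.0.0.1', PeerPort => $port)
  or die "connect: $!";
IO::Socket::SSL->start_SSL($sock,
  SSL_verify_mode => SSL_VERIFY_NONE,   # acceptable only for the test cert
  SSL_version     => $tls_policy{SSL_version},
  SSL_cipher_list => $tls_policy{SSL_cipher_list},
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
printf "negotiated %s with %s\n", $sock->get_sslversion, $sock->get_cipher;
waitpid($pid, 0);
```

SSL_honor_cipher_order only has an effect on the server side, which is why the client call omits it.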

