Disable SSLv3 and select ciphers in amavis
Markus Benning
ich at markusbenning.de
Tue Mar 17 16:26:38 CET 2015
On Tue, Mar 17, 2015 at 03:04:43PM +0000, Grooz, Marc (regio iT) wrote:
> OK but is there a way to set this parameter in openssl or somewhere else?
The quick and dirty way is to set it in the amavisd source code. Try:
--- amavisd.orig 2015-03-17 16:17:09.000000000 +0100
+++ amavisd 2015-03-17 16:21:46.000000000 +0100
@@ -8389,6 +8389,8 @@
IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
SSL_error_trap =>
sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+ SSL_version => '!SSLv2,!SSLv3',
+ SSL_cipher_list => 'ALL:!LOW:!EXP:!aNULL:!eNULL',
%params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
$self->{last_event} = 'ssl-upgrade';
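Review bot: the added `SSL_version => '!SSLv2,!SSLv3'` line does not use the syntax IO::Socket::SSL documents for that option, which is a handshake name followed by colon-separated exclusions, e.g. `SSL_version => 'SSLv23:!SSLv2:!SSLv3'`; a comma-separated list with no leading version name is not the documented form, so verify with a test connection (openssl s_client -ssl3) that SSLv3 is actually refused rather than assuming it is. On the cipher line, `ALL:!LOW:!EXP:!aNULL:!eNULL` still admits RC4, single-DES-class and MD5-based suites; a tighter starting point is `HIGH:!aNULL:!eNULL:!MD5:!RC4`, and on the server side it is worth also setting `SSL_honor_cipher_order => 1` so the server's preference wins.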
@@ -21943,6 +21945,8 @@
SSL_passwd_cb => sub { 'example' },
SSL_key_file => $smtpd_tls_key_file,
SSL_cert_file => $smtpd_tls_cert_file,
+ SSL_version => '!SSLv2,!SSLv3',
+ SSL_cipher_list => 'ALL:!LOW:!EXP:!aNULL:!eNULL',
) or die "Error upgrading socket to SSL: ".
IO::Socket::SSL::errstr();
if ($self->{smtp_inpbuf} ne '') {
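Review bot: this hunk repeats the same two literals as the client-side hunk, so the two paths can drift apart once someone adjusts one and forgets the other; since the SMTP-server path already reads `$smtpd_tls_key_file` and `$smtpd_tls_cert_file` from configuration, the version and cipher strings belong in variables next to them (e.g. `$smtpd_tls_ssl_version`, `$smtpd_tls_ciphers`) and referenced from both call sites, which is also what the follow-up text suggests for an upstream patch. The same note about the `SSL_version` string format applies here: use the documented `'SSLv23:!SSLv2:!SSLv3'` form.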
The better way would be to add configuration options for these parameters
to amavisd and submit a patch for inclusion.
regards,
Markus
--
Markus Benning, https://markusbenning.de/