Re: [exim] Problem disabling SSLv3 ciphers on Exim 4.72 to d…

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Frank Elsner
CC: exim-users, TPCexim
Subject: Re: [exim] Problem disabling SSLv3 ciphers on Exim 4.72 to deal with Poodle vunerability (CVE-2014-3566)
On 2014-10-21 at 08:23 +0200, Frank Elsner wrote:
> Sorry, but I can't find 'openssl_options` in the doc for exim-4.72.
>                                                                 ^^
> NewStuff introduces this option for version 4.73.


I missed that in the Subject.

Then there is no way for you to disable SSLv3 usage in your ancient
Exim, without replacing the OpenSSL library with one which disables
SSLv3 for you or patching Exim yourself: instructions below.

4.73 was released over three years ago, on 2011-01-05. I added
`+no_sslv3` as a valid value in commit c0c7b2da on 2011-03-22 included
with Exim 4.76 released 2011-05-09, also over three years ago. You'll
also need OpenSSL 1.<something>, since the constant we use wasn't
exposed in OpenSSL 0.9.8n, which was the basis of the previous list of
available options. (Unless OpenSSL backported the option to 0.9.8.)

When asked "How do I do X with Exim?" and the Exim maintainers say
"Here's the feature where we provided that, years ago", then if you
don't want to take the release where we provided that feature, all I can
say is "You have the source code for your version and the source code
where we fixed it, go ahead and make the change yourself." This works
well for OS packagers who decide which fixes to take and which not to
take.

It's a little easier in this case: I fixed it in Exim by adding a
generic extensible option, `openssl_options`, which can be used to tune
Exim's tuning of OpenSSL. You don't need that. You need a one-line
code change.

>From commit `c0c7b2da` you get that the OpenSSL constant you need is

`SSL_OP_NO_SSLv3`. I added `openssl_options` in commit 77bb000f and
from that we see that you're looking for the bit in `tls-openssl.c`
which looks like this:

----------------------------8< cut here >8------------------------------
if (!(SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
return tls_error(US"SSL_CTX_set_option", host, NULL);
#endif
----------------------------8< cut here >8------------------------------

Change the call to be:

SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|SSL_OP_NO_SSLv3)

That is: use the `|` vertical bar for a bit-wise OR operator and OR in
the flag which disables SSLv3.

Insert those 16 extra characters and recompile Exim.

If compilation fails with SSL_OP_NO_SSLv3 being unknown, then your
OpenSSL headers are too old and you can't disable SSLv3 without
replacing OpenSSL.

-Phil