diff -Nru dovecot-2.0.19/debian/changelog dovecot-2.0.19/debian/changelog
--- dovecot-2.0.19/debian/changelog 2014-05-14 17:19:29.000000000 +0000
+++ dovecot-2.0.19/debian/changelog 2014-10-27 19:43:45.000000000 +0000
@@ -1,3 +1,13 @@
+dovecot (1:2.0.19-0ubuntu2.2) precise; urgency=medium
+
+ * Backport support for the ssl_protocols setting to easily allow
+ disabling SSLv3. (LP: #1381537)
+ - debian/patches/backport_ssl_protocols.patch: added new setting to
+ src/login-common/login-settings.c, src/login-common/login-settings.h,
+ src/login-common/ssl-proxy-openssl.c, src/config/all-settings.c.
+
+ -- Marc Deslauriers Mon, 27 Oct 2014 12:46:22 -0400
+
 dovecot (1:2.0.19-0ubuntu2.1) precise-security; urgency=medium
 
 * SECURITY UPDATE: denial of service via SSL connection exhaustion
diff -Nru dovecot-2.0.19/debian/patches/backport_ssl_protocols.patch dovecot-2.0.19/debian/patches/backport_ssl_protocols.patch
--- dovecot-2.0.19/debian/patches/backport_ssl_protocols.patch 1970-01-01 00:00:00.000000000 +0000
+++ dovecot-2.0.19/debian/patches/backport_ssl_protocols.patch 2014-10-27 20:20:10.000000000 +0000
@@ -0,0 +1,195 @@
+Backport of:
+
+# HG changeset patch
+# User Timo Sirainen
+# Date 1317478140 -10800
+# Node ID 406a1d52390b2a5794cc6e47a734e73d6e9b8c01
+# Parent c126a88546f810c1b078230de81bf614b4839793
+Added ssl_protocols setting.
+
+#Index: dovecot-2.0.19/doc/example-config/conf.d/10-ssl.conf
+#===================================================================
+#--- dovecot-2.0.19.orig/doc/example-config/conf.d/10-ssl.conf 2014-10-24 14:55:56.219385497 -0400
+#+++ dovecot-2.0.19/doc/example-config/conf.d/10-ssl.conf 2014-10-24 14:55:56.215385450 -0400
+#@@ -37,5 +37,8 @@
+# # entirely.
+# #ssl_parameters_regenerate = 168
+#
+#+# SSL protocols to use
+#+#ssl_protocols = !SSLv2
+#+
+# # SSL ciphers to use
+# #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+Index: dovecot-2.0.19/src/login-common/login-settings.c
+===================================================================
+--- dovecot-2.0.19.orig/src/login-common/login-settings.c 2014-10-27 15:43:27.071853587 -0400
++++ dovecot-2.0.19/src/login-common/login-settings.c 2014-10-27 15:43:27.067853538 -0400
+@@ -31,6 +31,7 @@
+ DEF(SET_STR, ssl_key),
+ DEF(SET_STR, ssl_key_password),
+ DEF(SET_STR, ssl_cipher_list),
++ DEF(SET_STR, ssl_protocols),
+ DEF(SET_STR, ssl_cert_username_field),
+ DEF(SET_STR, ssl_client_cert),
+ DEF(SET_STR, ssl_client_key),
+@@ -62,6 +63,7 @@
+ .ssl_key = "",
+ .ssl_key_password = "",
+ .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
++ .ssl_protocols = "!SSLv2",
+ .ssl_cert_username_field = "commonName",
+ .ssl_client_cert = "",
+ .ssl_client_key = "",
+Index: dovecot-2.0.19/src/login-common/login-settings.h
+===================================================================
+--- dovecot-2.0.19.orig/src/login-common/login-settings.h 2014-10-27 15:43:27.071853587 -0400
++++ dovecot-2.0.19/src/login-common/login-settings.h 2014-10-27 15:43:27.067853538 -0400
+@@ -13,6 +13,7 @@
+ const char *ssl_key;
+ const char *ssl_key_password;
+ const char *ssl_cipher_list;
++ const char *ssl_protocols;
+ const char *ssl_cert_username_field;
+ const char *ssl_client_cert;
+ const char *ssl_client_key;
+Index: dovecot-2.0.19/src/login-common/ssl-proxy-openssl.c
+===================================================================
+--- dovecot-2.0.19.orig/src/login-common/ssl-proxy-openssl.c 2014-10-27 15:43:27.071853587 -0400
++++ dovecot-2.0.19/src/login-common/ssl-proxy-openssl.c 2014-10-27 15:43:27.067853538 -0400
+@@ -88,6 +88,7 @@
+ const char *key;
+ const char *ca;
+ const char *cipher_list;
++ const char *protocols;
+ bool verify_client_cert;
+ };
+ 
+@@ -136,6 +137,8 @@
+ return 1;
+ if (null_strcmp(ctx1->cipher_list, ctx2->cipher_list) != 0)
+ return 1;
++ if (null_strcmp(ctx1->protocols, ctx2->protocols) != 0)
++ return 1;
+ 
+ return ctx1->verify_client_cert == ctx2->verify_client_cert ? 0 : 1;
+ }
+@@ -603,6 +606,7 @@
+ lookup_ctx.key = set->ssl_key;
+ lookup_ctx.ca = set->ssl_ca;
+ lookup_ctx.cipher_list = set->ssl_cipher_list;
++ lookup_ctx.protocols = set->ssl_protocols;
+ lookup_ctx.verify_client_cert = set->ssl_verify_client_cert;
+ 
+ ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
+@@ -1012,8 +1016,7 @@
+ 
+ /* enable all SSL workarounds, except empty fragments as it
+ makes SSL more vulnerable against attacks */
+- SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 |
+- (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
++ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+ #endif
+@@ -1187,6 +1190,57 @@
+ }
+ #endif
+ 
++enum {
++ DOVECOT_SSL_PROTO_SSLv2 = 0x01,
++ DOVECOT_SSL_PROTO_SSLv3 = 0x02,
++ DOVECOT_SSL_PROTO_TLSv1 = 0x04,
++ DOVECOT_SSL_PROTO_ALL = 0x07
++};
++
++static void
++ssl_proxy_ctx_set_protocols(struct ssl_server_context *ssl_ctx,
++ const char *protocols)
++{
++ const char *const *tmp;
++ int proto, op = 0, include = 0, exclude = 0;
++ bool neg;
++
++ tmp = t_strsplit_spaces(protocols, " ");
++ for (; *tmp != NULL; tmp++) {
++ const char *name = *tmp;
++
++ if (*name != '!')
++ neg = FALSE;
++ else {
++ name++;
++ neg = TRUE;
++ }
++ if (strcasecmp(name, SSL_TXT_SSLV2) == 0)
++ proto = DOVECOT_SSL_PROTO_SSLv2;
++ else if (strcasecmp(name, SSL_TXT_SSLV3) == 0)
++ proto = DOVECOT_SSL_PROTO_SSLv3;
++ else if (strcasecmp(name, SSL_TXT_TLSV1) == 0)
++ proto = DOVECOT_SSL_PROTO_TLSv1;
++ else {
++ i_fatal("Invalid ssl_protocols setting: "
++ "Unknown protocol '%s'", name);
++ }
++ if (neg)
++ exclude |= proto;
++ else
++ include |= proto;
++ }
++ if (include != 0) {
++ /* exclude everything, except those that are included
++ (and let excludes still override those) */
++ exclude |= DOVECOT_SSL_PROTO_ALL & ~include;
++ }
++ if ((exclude & DOVECOT_SSL_PROTO_SSLv2) != 0) op |= SSL_OP_NO_SSLv2;
++ if ((exclude & DOVECOT_SSL_PROTO_SSLv3) != 0) op |= SSL_OP_NO_SSLv3;
++ if ((exclude & DOVECOT_SSL_PROTO_TLSv1) != 0) op |= SSL_OP_NO_TLSv1;
++ SSL_CTX_set_options(ssl_ctx->ctx, op);
++}
++
+ static struct ssl_server_context *
+ ssl_server_context_init(const struct login_settings *set)
+ {
+@@ -1202,6 +1256,7 @@
+ ctx->key = p_strdup(pool, set->ssl_key);
+ ctx->ca = p_strdup(pool, set->ssl_ca);
+ ctx->cipher_list = p_strdup(pool, set->ssl_cipher_list);
++ ctx->protocols = p_strdup(pool, set->ssl_protocols);
+ ctx->verify_client_cert = set->ssl_verify_client_cert;
+ 
+ ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+@@ -1213,6 +1268,7 @@
+ i_fatal("Can't set cipher list to '%s': %s",
+ ctx->cipher_list, ssl_last_error());
+ }
++ ssl_proxy_ctx_set_protocols(ctx, ctx->protocols);
+ 
+ if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
+ i_fatal("Can't load ssl_cert: %s",
+Index: dovecot-2.0.19/src/config/all-settings.c
+===================================================================
+--- dovecot-2.0.19.orig/src/config/all-settings.c 2014-10-27 15:43:27.071853587 -0400
++++ dovecot-2.0.19/src/config/all-settings.c 2014-10-27 16:20:00.251752257 -0400
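Review bot: With the unconditional `SSL_OP_NO_SSLv2` dropped from the `@@ -1012,8 +1016,7 @@` hunk above, SSLv2 is now disabled only when `ssl_protocols` happens to exclude it, so an administrator who sets `ssl_protocols = !SSLv3` (the exact use case the changelog names) silently re-enables SSLv2 on any OpenSSL build that still supports it. Keep the old guarantee by pinning it at the final call in `ssl_proxy_ctx_set_protocols`, `SSL_CTX_set_options(ssl_ctx->ctx, op | SSL_OP_NO_SSLv2);`, or leave the original `SSL_OP_NO_SSLv2 |` line in the earlier hunk untouched; given the stated purpose, a default of `!SSLv2 !SSLv3` rather than `!SSLv2` would also be worth considering. Separately, the parser only knows SSLv2, SSLv3 and TLSv1 and only ever sets `SSL_OP_NO_TLSv1`, so on a library that also speaks TLS 1.1/1.2 an include-only value such as `ssl_protocols = TLSv1` does not restrict the server to TLS 1.0 and `!TLSv1` disables only 1.0 — a comment above the three `op |=` lines such as `/* only SSLv2/SSLv3/TLSv1 are recognised; TLSv1.1+ is never excluded here */` would stop the next reader from assuming otherwise. The trailing context lines open `ssl_server_context_init`, whose body is outside this hunk.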
+@@ -831,6 +831,7 @@
+ const char *ssl_key;
+ const char *ssl_key_password;
+ const char *ssl_cipher_list;
++ const char *ssl_protocols;
+ const char *ssl_cert_username_field;
+ const char *ssl_client_cert;
+ const char *ssl_client_key;
+@@ -1880,6 +1881,7 @@
+ DEF(SET_STR, ssl_key),
+ DEF(SET_STR, ssl_key_password),
+ DEF(SET_STR, ssl_cipher_list),
++ DEF(SET_STR, ssl_protocols),
+ DEF(SET_STR, ssl_cert_username_field),
+ DEF(SET_STR, ssl_client_cert),
+ DEF(SET_STR, ssl_client_key),
+@@ -1910,6 +1912,7 @@
+ .ssl_key = "",
+ .ssl_key_password = "",
+ .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
++ .ssl_protocols = "!SSLv2",
+ .ssl_cert_username_field = "commonName",
+ .ssl_client_cert = "",
+ .ssl_client_key = "",
diff -Nru dovecot-2.0.19/debian/patches/series dovecot-2.0.19/debian/patches/series
--- dovecot-2.0.19/debian/patches/series 2014-05-14 17:18:39.000000000 +0000
+++ dovecot-2.0.19/debian/patches/series 2014-10-24 18:52:01.000000000 +0000
@@ -5,3 +5,4 @@
 fix-racey-restarts.patch
 bug-1018579.patch
 CVE-2014-3430.patch
+backport_ssl_protocols.patch