cyradm and TLS 1.2
John Wade
jwade at oakton.edu
Tue Oct 15 19:37:47 EDT 2019
Thanks! You have the more correct fix:
From: https://www.openssl.org/docs/man1.1.0/man3/TLSv1_client_method.html
"TLS_method(), TLS_server_method(), TLS_client_method()
These are the general-purpose version-flexible SSL/TLS methods. The
actual protocol version used will be negotiated to the highest version
mutually supported by the client and the server. The supported protocols
are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Applications should use these
methods, and avoid the version-specific methods described below."
Thanks,
John
On 10/15/2019 6:04 PM, ellie timoney wrote:
>
> Thanks for reporting back. For whatever it's worth, the equivalent fix
> on 2.5+ uses "TLS_client_method()", not "TLSv1_2_client_method()".
> I'm not sure what difference it makes, but maybe it requires a newer
> OpenSSL than you have?
>
> Here's the commit to master, fyi:
> https://github.com/cyrusimap/cyrus-imapd/commit/78f79ea53238c8596e2f8602b7b1e29a16863ae9
>
> On Tue, Oct 15, 2019, at 7:43 AM, John Widera wrote:
>>
>> Turns out imclient (at least in the latest RHEL7 pkg) is hardcoded to
>> use TLSv1. Since we're building binary RPMs from Source RPMs anyway
>> we modified imclient.c, rebuilt the RPMs, reinstalled the
>> cyrus-imapd-utils package. Here's the patch we used:
>>
>> *----------------------------------------------------*
>>
>> *--- imclient.c.orig 2012-12-01 13:57:54.000000000 -0600*
>> *+++ imclient.c 2019-10-03 14:40:11.254566297 -0500*
>> *@@ -1695,7 +1695,7 @@*
>> *return -1;*
>> *}*
>> *- imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());*
>> *+ imclient->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());*
>> *if (imclient->tls_ctx == NULL) {*
>> *return -1;*
>> *};*
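Review bot: The added line `imclient->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());` swaps one hard-coded protocol version for another, so cyradm will now fail against any server that does not speak exactly TLS 1.2 and will need patching again when that version is retired. Prefer a version-flexible method here, `TLS_client_method()` as in the master commit linked in this thread, so the handshake negotiates the highest version both sides support; on an OpenSSL older than 1.1.0, where that name is not available, `SSLv23_client_method()` is the version-flexible equivalent, with SSLv2 and SSLv3 turned off through `SSL_CTX_set_options()`.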
>>
>> -------------------------------------------
>>
>> Maybe this helps someone else.
>>
>> Regards,
>>
>
>
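An added example, not part of the original thread or the Cyrus code base: a small source audit that flags live calls to OpenSSL's version-specific method constructors (the pattern patched above) and names the version-flexible call that the quoted OpenSSL documentation recommends. The sample C text is constructed from the patch's `imclient.c` lines, and the names `strip_comments` and `find_pinned_methods` are hypothetical.

```python
import re

# Version-specific OpenSSL constructors (SSLv3_*, TLSv1_*, TLSv1_1_*, TLSv1_2_*,
# DTLSv1_*, ...). TLS_*method and SSLv23_*method are version-flexible: no match.
PINNED = re.compile(
    r"\b((SSLv2|SSLv3|TLSv1(?:_1|_2)?|DTLSv1(?:_2)?)_(client_|server_)?method)\s*\("
)

def strip_comments(src):
    """Blank out C comments, keeping newlines so line numbers stay valid.
    Simplification: a // inside a string literal is treated as a comment."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, src, flags=re.S)

def find_pinned_methods(src):
    """Return (line, pinned_call, flexible_replacement) for each live call."""
    clean = strip_comments(src)
    findings = []
    for m in PINNED.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        family = "DTLS" if m.group(2).startswith("DTLS") else "TLS"
        findings.append((line, m.group(1), f"{family}_{m.group(3) or ''}method"))
    return findings

# Constructed sample (assumption): the pre-patch imclient.c call from the thread,
# plus a commented-out call and two version-flexible calls that must not be flagged.
SAMPLE = """\
/* old: ctx = SSL_CTX_new(SSLv3_client_method()); */
imclient->tls_ctx = SSL_CTX_new(TLSv1_client_method());
if (imclient->tls_ctx == NULL) {
    return -1;
}
srv_ctx = SSL_CTX_new(TLSv1_2_server_method());  // pinned too
ok_ctx = SSL_CTX_new(TLS_client_method());
legacy_ctx = SSL_CTX_new(SSLv23_client_method());
"""

if __name__ == "__main__":
    for line, pinned, flexible in find_pinned_methods(SAMPLE):
        print(f"line {line}: {pinned}() pins one protocol version; use {flexible}()")
```

On an OpenSSL older than 1.1.0 the suggested `TLS_*method` names are not available, and `SSLv23_*method` is the version-flexible spelling there.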