dovecot23/dovecot-2.3.0-better_ssl_defaults.patch
Marcus Rueckert 4aa711e725 Accepting request 901209 from home:stroeder:network
- update to 2.3.15 and pigeonhole to 0.5.15:
  * security fixes for CVE-2021-29157, CVE-2021-33515, and CVE-2020-28200

FWIW: It seems to work for me on Tumbleweed x86_64.

OBS-URL: https://build.opensuse.org/request/show/901209
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=96
2021-06-21 17:08:49 +00:00


diff -ur dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.15.orig/doc/example-config/conf.d/10-ssl.conf
+++ dovecot-2.3.15/doc/example-config/conf.d/10-ssl.conf
@@ -9,8 +9,8 @@
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/dovecot.pem
-ssl_key = </etc/ssl/private/dovecot.pem
+#ssl_cert = </etc/ssl/private/dovecot.crt
+#ssl_key = </etc/ssl/private/dovecot.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
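Review bot: The two added lines leave the example with `ssl_cert` and `ssl_key` commented out while the comment block directly above still describes them as the settings in effect, and the certificate path quietly moves from /etc/ssl/certs/dovecot.pem to /etc/ssl/private/dovecot.crt with nothing saying why. If `ssl` is enabled earlier in this file (outside the hunk), Dovecot presumably refuses to start with no certificate configured — worth confirming — so a reader should be told these are placeholders to fill in rather than a working default. Suggest a comment ahead of them: `# Not enabled by default: point these at your own certificate and key (paths shown are the distribution's suggested locations)`.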
@@ -64,6 +64,7 @@
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
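Review bot: The new active `ssl_cipher_list` drops the `!kRSA:!SRP:!kDHd:!DSS` exclusions that the upstream default shown three lines above keeps, so a patch named better_ssl_defaults re-enables static RSA key exchange (no forward secrecy), SRP and DSS-authenticated suites for TLS 1.2 connections. The same four tokens are also missing from the compiled-in default changed in the master-service-ssl-settings.c hunk below, so the weakening applies even to installs that never touch this file. Keeping the exclusions gives `ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH`, and the commit message should state which upstream exclusions the package intentionally lifts, if any.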
@@ -71,7 +72,7 @@
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
@@ -80,3 +81,4 @@
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =
+ssl_options = no_compression
diff -ur dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c
--- dovecot-2.3.15.orig/src/lib-master/master-service-ssl-settings.c 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-master/master-service-ssl-settings.c 2021-06-21 14:09:29.663825041 +0200
@@ -62,7 +62,7 @@
.ssl_client_cert = "",
.ssl_client_key = "",
.ssl_dh = "",
- .ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+ .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
.ssl_cipher_suites = "", /* Use TLS library provided value */
.ssl_curve_list = "",
.ssl_min_protocol = "TLSv1.2",
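Review bot: The replacement default on the added line does not match the example config this same patch ships (the 10-ssl.conf line lacks `!LOW:!SSLv2:!EXP`), so the documented default and what `doveconf` reports will disagree, and the string carries redundant tokens: `!aNULL` appears twice, `!EXP` and `!EXPORT` are the same OpenSSL alias, `!LOW` is repeated by the trailing `!LOW@STRENGTH`, and `!SSLv2` matches nothing on OpenSSL 1.1 and later where SSLv2 was removed. None of the duplicates change the result, but together with the lost `!kRSA:!SRP:!kDHd:!DSS` noted on the 10-ssl.conf hunk they suggest the string was assembled rather than reviewed. Suggest a single string used in both places, e.g. `.ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",`. The settings initializer this line belongs to starts and ends outside the hunk.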