authorPhilip Guenthe <guenther@cvs.openbsd.org>2011-10-27 04:23:20 +0000
committerPhilip Guenthe <guenther@cvs.openbsd.org>2011-10-27 04:23:20 +0000
commit466edb6579b47a5bcb8b66fed24fbd70781bdfbd (patch)
treed01310e64155d047ab338a24ad76156031ad528d /usr.sbin/smtpd
parentcb1ac8da087cd30d732c79671756af973e62b48f (diff)
Don't offer or negotiate SSLv2 and, since we don't do SSL session
caching, don't try to negotiate an RFC 4507-style session ticket, as it would be useless and some (broken and non-compliant) servers choke on TLS extension negotiation. ok gilles@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/ssl.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 057173bb08e..02b233452ed 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.39 2011/10/23 10:44:20 chl Exp $ */
+/* $OpenBSD: ssl.c,v 1.40 2011/10/27 04:23:19 guenther Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -335,7 +335,8 @@ ssl_ctx_create(void)
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(ctx, SMTPD_SESSION_TIMEOUT);
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(ctx,
+ SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET);
SSL_CTX_set_options(ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);