b***@gmail.com
2019-10-26 15:09:49 UTC
I would like to allow TLS 1.0 and TLS 1.1 when I generate sendmail 8.16.0.41
together with openssl 1.1.1d.
However, it appears that this will allow TLS 1.2 and 1.3 only.
From the openssl documentation we have:
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2,
SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, respectively.
As of OpenSSL 1.1.0, these options are deprecated, use
SSL_CTX_set_min_proto_version(3) and SSL_CTX_set_max_proto_version(3) instead.
For this reason I have added:
SSL_CTX_set_min_proto_version(*ctx, TLS1_VERSION); /* TLSv1 minimum */
to sendmail/tls.c after line 1345. This will solve my problem.
Is there a better way to include TLS 1.0 and 1.1?
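An added example, not part of the post and not sendmail code: a check of which TLS versions a context is configured to accept once the floor is lowered, showing that the version bounds and the older SSL_OP_NO_* flags both apply. It uses Python's ssl module as a wrapper over OpenSSL, where minimum_version sets the same minimum protocol version and the OP_NO_* constants are the same option flags; the function names are hypothetical.

```python
import ssl
import warnings

# (version, legacy "off" flag) pairs for the TLS versions named in the post.
TLS_VERSIONS = [
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def configured_versions(ctx):
    """Return the TLS versions left enabled by BOTH mechanisms.

    A version counts only if it lies inside the min/max bounds and its
    OP_NO_* flag is clear. This reports configuration only: the cipher
    list or security level can still stop a version from negotiating.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    enabled = []
    for version, off_flag in TLS_VERSIONS:
        above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
        below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
        if above_floor and below_ceiling and not (ctx.options & off_flag):
            enabled.append(version.name)
    return enabled


def lowered_floor_context(keep_legacy_off_flag=False):
    """Constructed server context with the floor lowered to TLS 1.0."""
    with warnings.catch_warnings():
        # Python flags the legacy versions and OP_NO_* flags as deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        if keep_legacy_off_flag:
            # Simulates code elsewhere that still sets SSL_OP_NO_TLSv1.
            ctx.options |= ssl.OP_NO_TLSv1
    return ctx


if __name__ == "__main__":
    print(configured_versions(lowered_floor_context()))
    print(configured_versions(lowered_floor_context(keep_legacy_off_flag=True)))
```

Running the same check before and after a configuration change makes it easy to confirm that a lowered floor did not enable more than intended.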