<!DOCTYPE html><html><head>
<style type="text/css">body { font-family:'Times New Roman'; font-size:13px}</style>
</head>
<body><div>Hi Geoff,</div><div><br></div><div>I am basically not trying to take any stand on this. I just think it is time for the users to be able to disable the older protocols if they want to - as the old protocols are really no longer necessary for the wide majority of clients - and that is the main reasoning by my patches.</div><div><br></div><div>Notice that is also way I leave it false (changing nothing) by default in the patch.</div><div><br></div><div>For reference, you can see this for Ubuntu, they recommend total disabling SSLv3:</div><div>http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566</div><div>"<span style="color: rgb(51, 51, 51); font-family: UbuntuRegular, Ubuntu, 'Bitstream Vera Sans', 'DejaVu Sans', Tahoma, sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18.2000007629395px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);">Conclusion: disable SSLv3 for HTTPS<span class="Apple-converted-space"> </span></span><strong style="margin: 0px; padding: 0px; border: 0px; font-size: 14px; vertical-align: baseline; font-weight: bold; color: rgb(51, 51, 51); font-family: UbuntuRegular, Ubuntu, 'Bitstream Vera Sans', 'DejaVu Sans', Tahoma, sans-serif; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: 18.2000007629395px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);">now</strong><span style="color: rgb(51, 51, 51); font-family: UbuntuRegular, Ubuntu, 'Bitstream Vera Sans', 'DejaVu Sans', Tahoma, sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18.2000007629395px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none; background-color: rgb(255, 255, 255);">, disable SSLv3 for other services in your next service window."</span>
</div><div><br></div><div>So, hope my patches get merged soon :)</div><div><br></div><div>/Kristian</div><div><br></div><div>On Thu, 16 Oct 2014 11:34:21 +0200, Geoff Winkless <cyrus@geoff.dj> wrote:<br></div><br><blockquote style="margin: 0 0 0.80ex; border-left: #0000FF 2px solid; padding-left: 1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Hi Kristian</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><div class="gmail_default">Firstly, many thanks for your work :)</div><div><br></div></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Can you share the source for those recommendations? While I fully agree that using something that is shown to be vulnerable is not ideal I'd be interested to see how they think a similar attack to POODLE could be implemented for imap. As I posted to the info list, I've not seen anything that would suggest that IMAPS/SSLv3 is any less secure than it was 10 years ago.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Thanks</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 16 October 2014 02:55, Kristian Krĉmmer Nielsen <span dir="ltr"><<a href="mailto:jkkn@jkkn.dk" target="_blank">jkkn@jkkn.dk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Two patches for merging....<br>
<br>
Thanks for the great work on cyrus imapd.<br>
<br>
I have just read various recommendations that we now should disable SSLv3 not just on HTTPS as POODLE-attack demonstrates but we should expect to see exploits on other services as well like IMAPS and POPS.<br>
<br>
I saw that disabling SSLv2 and SSLv3 in fact is already available in the tls-code but not made available to the user so therefore I have written the attached patch to do just that using a configuration variable named "tls_tlsonly". It is still by default false, so the patch should change nothing for users that still want to use the old protocols and may stay that way until an actual imaps-attack is proven.<br>
<br>
Also I am including a cleaned up version of Chris Panayis' old patch for adding tls_ec for Perfect Forward Secrecy:<br>
<a href="https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html" target="_blank">https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html</a><br>
<br>
Using PFS is also a security recommendation we should follow. The default is set to prime256v1 just as sendmail and apache does this.<br>
<br>
The patches are made against cyrus-imap-2.4.17 - but they also cleanly patch against the tip of the git repository of cyrus-imapd if skipping the patch of the man-page.<br>
<br>
PFS: <a href="https://scotthelme.co.uk/perfect-forward-secrecy/" target="_blank">https://scotthelme.co.uk/perfect-forward-secrecy/</a><br>
POODLE: <a href="https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html" target="_blank">https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html</a> and <a href="https://www.openssl.org/~bodo/ssl-poodle.pdf" target="_blank">https://www.openssl.org/~bodo/ssl-poodle.pdf</a><br>
<br>
Regards<span class="HOEnZb"><font color="#888888"><br>
Kristian Krĉmmer Nielsen,<br>
Odense, Denmark</font></span><br>----<br>
Cyrus Home Page: <a href="http://www.cyrusimap.org/" target="_blank">http://www.cyrusimap.org/</a><br>
List Archives/Info: <a href="http://lists.andrew.cmu.edu/pipermail/info-cyrus/" target="_blank">http://lists.andrew.cmu.edu/pipermail/info-cyrus/</a><br>
To Unsubscribe:<br>
<a href="https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus" target="_blank">https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus</a><br></blockquote></div><br></div></div>
</blockquote><br><br><br></body></html>