How to prevent SSLv3/Poodle attack?

Sven Schwedas sven.schwedas at tao.at
Wed Oct 15 10:24:45 EDT 2014


On 2014-10-15 16:11, lst_hoe02 at kwsoft.de wrote:
> Hello,
> 
> as of today a new exploit against SSL has been revealed which is a
> protocol weakness of ancient SSLv3. The common advice is to disable
> SSLv3 so the question is how to do this with Cyrus without doing too
> much damage.
> 
> The first idea is of course to do something like
> 
> tls_cipher_list: ALL:-SSLv3:-SSLv2

As TLSv1.0, 1.1 and SSLv3 seem to share their cipher suites, disabling
SSLv3 ciphers not only disables SSLv3, but also all TLS versions except
1.2, which sadly still breaks a lot of clients.

> in imapd.conf.
> 
> But I wonder if this is the correct fix because our default from Ubuntu
> 12.04 looks like this:
> 
> tls_cipher_list: TLSv1+HIGH:!aNull:@STRENGTH

This should be sufficient to disable SSLv3; have you tested your server?
(e.g. openssl s_client -ssl3 -starttls imap -connect host:143)


-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
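Sven's s_client command probes a live server. The script below is an added example, not part of the thread or of Cyrus, and looks at the other half of the question: what the two cipher strings quoted in the thread actually select, using whatever OpenSSL is linked into Python's ssl module. The cipher strings are copied from the thread (constructed inputs for the demonstration); the function names are mine. OpenSSL matches cipher-string keywords case-sensitively, so the script also runs the Ubuntu default with the documented spelling `!aNULL` beside the thread's `!aNull` to make any difference on your build visible. The last function shows the knob that disables a protocol version without touching cipher suites at all: a minimum protocol version on the context, which is the OpenSSL-level equivalent of turning SSLv3 off rather than filtering suites.

```python
import ssl

# Cipher strings from the thread, plus the aNULL keyword in its documented
# spelling. Constructed inputs for the demonstration, not values read from
# any server.
CIPHER_STRINGS = {
    "thread proposal":   "ALL:-SSLv3:-SSLv2",
    "Ubuntu default":    "TLSv1+HIGH:!aNull:@STRENGTH",
    "Ubuntu, aNULL":     "TLSv1+HIGH:!aNULL:@STRENGTH",
}


def expand_cipher_string(cipher_string):
    """Ask the linked OpenSSL which TLS 1.2-and-below suites `cipher_string`
    selects. Returns {suite name: minimum protocol label}, for example
    {"AES128-SHA": "SSLv3", "ECDHE-RSA-AES128-GCM-SHA256": "TLSv1.2"}.
    TLS 1.3 suites are left out because cipher strings do not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"]
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def suites_dropped_by(base, restricted):
    """Suite names selected by `base` but no longer selected by `restricted`."""
    return sorted(set(expand_cipher_string(base)) - set(expand_cipher_string(restricted)))


def selects_sslv3_suites(cipher_string):
    """True if any selected suite is usable all the way down to SSLv3."""
    return any(p == "SSLv3" for p in expand_cipher_string(cipher_string).values())


def version_pinned_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Disable old protocol versions by version, not by cipher suite.
    Cipher strings select suites; minimum_version selects protocol versions,
    so TLS 1.0/1.1 clients are not collateral damage of removing SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    return ctx


if __name__ == "__main__":
    for label, spec in CIPHER_STRINGS.items():
        by_proto = {}
        for name, proto in expand_cipher_string(spec).items():
            by_proto.setdefault(proto, []).append(name)
        print(f"{label}: {spec}")
        for proto in sorted(by_proto):
            print(f"  {proto:8s} {len(by_proto[proto]):3d} suites, e.g. {by_proto[proto][0]}")
    dropped = suites_dropped_by("ALL", "ALL:-SSLv3")
    print(f"'-SSLv3' removes {len(dropped)} suites that TLS 1.0/1.1 also negotiate,"
          f" e.g. {dropped[:3]}")
    print("minimum_version on a version-pinned context:",
          version_pinned_context().minimum_version)
```

Run it with `python3` and compare the per-protocol counts: the `SSLv3` label marks suites that SSLv3, TLS 1.0 and TLS 1.1 all negotiate, which is why `-SSLv3` in a cipher string takes those TLS versions down with it. The labels and counts depend on the OpenSSL version Python is linked against, so the output on a current system differs from what a 2014 Ubuntu 12.04 build would show. Sven's `openssl s_client -ssl3` probe remains the definitive end-to-end check, with the caveat that the `-ssl3` option is absent on OpenSSL builds compiled without SSLv3 support.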
