cyrus-imap patching POODLE and another for adding perfect forward secrecy (PFS)
Kristian Kræmmer Nielsen
jkkn at jkkn.dk
Wed Oct 15 21:55:37 EDT 2014
Hi,
Two patches for merging.
Thanks for the great work on cyrus imapd.
I have just read various recommendations that we now should disable SSLv3
not just on HTTPS, as the POODLE attack demonstrates, but that we should expect to
see exploits on other services as well, like IMAPS and POPS.
I saw that disabling SSLv2 and SSLv3 is in fact already available in the
tls-code but not made available to the user, so I have written
the attached patch to do just that using a configuration variable named
"tls_tlsonly". It still defaults to false, so the patch should change
nothing for users that still want to use the old protocols, and it may stay
that way until an actual imaps-attack is proven.
Also I am including a cleaned up version of Chris Panayis' old patch for
adding tls_ec for Perfect Forward Secrecy:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html
Using PFS is also a security recommendation we should follow. The default
is set to prime256v1, just as sendmail and apache do.
The patches are made against cyrus-imap-2.4.17, but they also apply cleanly
to the tip of the cyrus-imapd git repository if the man-page patch is
skipped.
PFS: https://scotthelme.co.uk/perfect-forward-secrecy/
POODLE: https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
and https://www.openssl.org/~bodo/ssl-poodle.pdf
Regards
Kristian Kræmmer Nielsen,
Odense, Denmark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_ec
Type: application/octet-stream
Size: 2599 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20141016/eddfb2d7/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_tls_only
Type: application/octet-stream
Size: 2728 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20141016/eddfb2d7/attachment-0001.obj
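The mail describes two knobs, tls_tlsonly (refuse SSLv2/SSLv3) and tls_ec (curve for ephemeral ECDH, default prime256v1), but the patches themselves are only attached. The following is an added example, not Kristian's patch or Cyrus code: it mirrors what those two options mean on an OpenSSL-backed context using Python's ssl module, and adds a small probe that reports what an IMAPS endpoint actually negotiates so an operator can verify the deployment. Function names and the classification logic are this example's own.

```python
import socket
import ssl


def build_server_context(tls_tlsonly: bool, tls_ec: str = "prime256v1") -> ssl.SSLContext:
    """Map the two imapd.conf options from the mail onto an SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if tls_tlsonly:
        # Refuse the SSLv2/SSLv3 handshakes POODLE depends on. Recent
        # Python versions already set these bits; this makes the mapping
        # explicit and matches what the patch does in Cyrus' tls code.
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if tls_ec:
        # Name the curve for ephemeral ECDH so ECDHE suites can be offered.
        ctx.set_ecdh_curve(tls_ec)
    return ctx


def refuses_sslv3(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def assess_handshake(version: str, cipher: str) -> dict:
    """Classify a negotiated (protocol version, OpenSSL cipher name) pair."""
    legacy = version in ("SSLv2", "SSLv3")
    # Every TLS 1.3 suite is ephemeral; for older versions the OpenSSL
    # cipher name states whether the key exchange is ephemeral (PFS).
    pfs = version == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))
    return {"version": version, "cipher": cipher,
            "legacy_ssl": legacy, "forward_secrecy": pfs}


def probe_imaps(host: str, port: int = 993) -> dict:
    """Connect to an IMAPS endpoint and report what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return assess_handshake(tls.version(), name)


if __name__ == "__main__":
    import sys
    print(probe_imaps(sys.argv[1]))
```

A result with `legacy_ssl` False and `forward_secrecy` True is what a server running with tls_tlsonly and tls_ec enabled should produce; a modern client cannot itself offer SSLv3, so the `legacy_ssl` flag only trips when a server actively picks it.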