cyrus-imap patching POODLE and another for adding perfect forward secrecy (PFS)

Kristian Kræmmer Nielsen jkkn at
Wed Oct 15 21:55:37 EDT 2014


Two patches for merging....

Thanks for the great work on cyrus imapd.

I have just read various recommendations that we now should disable SSLv3 not just on HTTPS, as the POODLE attack demonstrates, but that we should expect to see exploits on other services as well, like IMAPS and POPS.

I saw that disabling SSLv2 and SSLv3 is in fact already available in the TLS code but not made available to the user, so I have written the attached patch to do just that, using a configuration variable named "tls_tlsonly". It is still false by default, so the patch should change nothing for users that still want to use the old protocols, and it may stay that way until an actual IMAPS attack is proven.

Also I am including a cleaned up version of Chris Panayis' old patch for adding tls_ec for Perfect Forward Secrecy:

Using PFS is also a security recommendation we should follow. The default is set to prime256v1, just as sendmail and Apache do.

The patches are made against cyrus-imap-2.4.17, but they also apply cleanly to the tip of the cyrus-imapd git repository if the man-page patch is skipped.


Kristian Kræmmer Nielsen,
Odense, Denmark
Attachments (non-text, scrubbed by the list archive): patch-tls_ec (application/octet-stream, 2599 bytes) and patch-tls_tls_only (application/octet-stream, 2728 bytes).