cyrus-imap patching POODLE and another for adding perfect forward secrecy (PFS)

Kristian Kræmmer Nielsen jkkn at jkkn.dk
Wed Oct 15 21:55:37 EDT 2014


Hi,

Two patches for merging....

Thanks for the great work on cyrus imapd.

I have just read various recommendations that we now should disable SSLv3  
not just on HTTPS as POODLE-attack demonstrates but we should expect to  
see exploits on other services as well like IMAPS and POPS.

I saw that disabling SSLv2 and SSLv3 in fact is already available in the  
tls-code but not made available to the user so therefore I have written  
the attached patch to do just that using a configuration variable named  
"tls_tlsonly". It is still by default false, so the patch should change  
nothing for users that still want to use the old protocols and may stay  
that way until an actual imaps-attack is proven.

Also I am including a cleaned up version of Chris Panayis' old patch for  
adding tls_ec for Perfect Forward Secrecy:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html

Using PFS is also a security recommendation we should follow. The default  
is set to prime256v1 just as sendmail and apache does this.

The patches are made against cyrus-imap-2.4.17 - but they also cleanly  
patch against the tip of the git repository of cyrus-imapd if skipping the  
patch of the man-page.

PFS: https://scotthelme.co.uk/perfect-forward-secrecy/
POODLE: https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html  
and https://www.openssl.org/~bodo/ssl-poodle.pdf

Regards
Kristian Kræmmer Nielsen,
Odense, Denmark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_ec
Type: application/octet-stream
Size: 2599 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20141016/eddfb2d7/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-tls_tls_only
Type: application/octet-stream
Size: 2728 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20141016/eddfb2d7/attachment-0001.obj 


More information about the Info-cyrus mailing list