wbreyha at gmx.net
Wed Mar 2 06:02:50 EST 2016
Tony Galecki via Info-cyrus wrote on 02/03/16 03:57:
> I’m trying to figure out how to make my Cyrus install to not be susceptible to
> the drown issue.
> I have tried limiting the ciphers to TLSv1.2 but haven’t had much success.
Limiting the cipher list does not deactivate protocol support in OpenSSL.
I don't know which patches Fedora backported from 2.4.18, but it seems not
enough, because 2.4.18 disables SSLv2/v3 by default and you can set
in your config. Setting these is the only way to get rid of the protocols.
On older cyrus versions you can set
but this can/will limit your protocol support to TLSv1, with disabled v1.1
and v1.2, because TLSv1_server_method() was used.
You do not need to rebuild OpenSSL. I would check the SPEC File of the CentOS
7 RPM which patches they included. If the TLS changes were not backported I
would try to build one of the newer 2.4.18 SRPMs for Fedora (eg. 23) on CentOS 7.
Wolfgang Breyha <wbreyha at gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria
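
An added example, not part of the original message and not Cyrus code: the reply's first point (a restricted cipher list leaves protocol support untouched) shown with Python's ssl module, which wraps OpenSSL. The cipher string and function names are constructed for illustration.

```python
import ssl

# Constructed sample: a cipher string that selects only TLSv1.2-era suites.
TLS12_ONLY_CIPHERS = "ECDHE+AESGCM"
REQUIRED_FLOOR = ssl.TLSVersion.TLSv1_2


def snapshot(ctx):
    """Record the protocol-level and cipher-level settings of a context."""
    return {
        "floor": ctx.minimum_version,
        "ceiling": ctx.maximum_version,
        "options": ctx.options,
        # Each suite reports the protocol version it was defined for.
        "suite_protocols": sorted({c["protocol"] for c in ctx.get_ciphers()}),
    }


def audit():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Start from the lowest protocol floor this OpenSSL build offers.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    baseline = snapshot(ctx)

    # Step 1: restrict the cipher list only.
    ctx.set_ciphers(TLS12_ONLY_CIPHERS)
    after_ciphers = snapshot(ctx)

    # Step 2: restrict the protocol range itself.
    ctx.minimum_version = REQUIRED_FLOOR
    after_floor = snapshot(ctx)
    return baseline, after_ciphers, after_floor


if __name__ == "__main__":
    for label, snap in zip(("baseline", "cipher list only", "protocol floor"), audit()):
        print(f"{label:17} floor={snap['floor'].name:18} suites={snap['suite_protocols']}")
```

The suite list looks like TLSv1.2 after step 1, yet the protocol floor and option flags are the same as before; only step 2 moves the floor.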