drown/SSL issue

Wolfgang Breyha wbreyha at gmx.net
Wed Mar 2 06:02:50 EST 2016


Hi!

Tony Galecki via Info-cyrus wrote on 02/03/16 03:57:
> I’m trying to figure out how to make my Cyrus install to not be susceptible to
> the drown issue.
> I have tried limiting the ciphers to TLSv1.2 but haven’t had much success.

Limiting the cipher list does not deactivate protocol support in OpenSSL.

I don't know which patches Fedora backported from 2.4.18, but it seems not to be
enough, because 2.4.18 disables SSLv2/v3 by default and you can set
tls_versions: ...
in your config. Setting these is the only way to get rid of the protocols
themselves.

On older cyrus versions you can set
tlsonly: 1
but this can/will limit your protocol support to TLSv1, with disabled v1.1
and v1.2, because TLSv1_server_method() was used.

You do not need to rebuild OpenSSL. I would check the SPEC file of the CentOS
7 RPM which patches they included. If the TLS changes were not backported I
would try to build one of the newer 2.4.18 SRPMs for Fedora (e.g. 23) on CentOS 7.

Greetings, Wolfgang
-- 
Wolfgang Breyha <wbreyha at gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria
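As an added illustration (not part of the thread above and not Cyrus project documentation) of the tls_versions setting the reply recommends, here is an imapd.conf fragment that leaves only the TLS protocol family enabled. The value names (tls1_0, tls1_1, tls1_2) are assumed from the imapd.conf(5) man page of the 2.4.18/2.5 series and should be checked against the man page shipped with the installed package; the cipher line is only there to show that the two settings are independent, as the reply points out.

```text
# /etc/imapd.conf (constructed example, verify option names in imapd.conf(5))

# Protocol versions offered by imapd/pop3d/lmtpd. SSLv2 and SSLv3 are simply
# not listed, so OpenSSL never negotiates them regardless of the cipher list.
# Assumed value names: ssl2, ssl3, tls1_0, tls1_1, tls1_2 (2.4.18 and later).
tls_versions: tls1_0 tls1_1 tls1_2

# Cipher selection is a separate knob; restricting it does NOT remove
# protocol support, which is why the original poster's attempt had no effect.
tls_cipher_list: HIGH:!aNULL:!MD5:!RC4

# Legacy option for pre-2.4.18 builds: forces TLSv1_server_method(), i.e.
# TLSv1.0 only (no 1.1/1.2). Only use it where tls_versions is unavailable.
# tlsonly: 1
```

After changing the file, restart the Cyrus master process so the services re-read the configuration. To confirm the change from the outside, an OpenSSL client built with the legacy protocols can attempt a forced SSLv3 handshake against port 993 (openssl s_client with the -ssl3 option); the handshake should be refused. Most current OpenSSL builds no longer compile in SSLv2/SSLv3 at all, in which case that client-side check cannot be performed and the server-side tls_versions line is the authoritative evidence.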


