[Dovecot] disbale to responded to an unrequested SSL Certificate
Andre Hübner
andre.huebner at gmx.de
Mon Sep 29 15:04:33 EEST 2008
Hi dovecot-list,
just a easy question today ;)
Customer did on Server a PCI-Test to test security to fit worldpay requirements.
They found a critical risk at pop3s. (and some other things)
This is the Textmesage:
############
Family: Remote Shell Access Critical 993/tcp 11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote SSL server should have
sent back an Error message. This may indicate that the server is vulnerable to a remote
flaw in the way that it handles unrequested certificates. You should manually inspect the
SSL Server's configuration
############
Background is that we use a wildcard-cert which is installed on ervery machine and fits to servername. So you have to use the accredited Hostname/Servername to make clean ssl connection pop3s/imaps without warnings etc.
Problem should be that server sends no error when requested with other hostname. This is significant part from dovecot.conf
protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = "/path/to/*.myhost.com.crt"
ssl_key_file = "/path/to/*.myhost.com.key"
ssl_ca_file = "/path/to/*.myhost.com.bundle.crt"
Is there a Config-Option to send error when ssl-connect ist not established to in cert accredited Hostname/Servername ? Did not found something like this or did not really understand function of the options.
I do not know backgrounds to this issue. Cant decide if it would be a security risk or disproportionated wishes of securityexperts but i want to satisfy this costumer.
How to handle thos?
Thank you
Andre
More information about the dovecot
mailing list