[Dovecot] PKI Compliance Dovecot Server
Timo Sirainen
tss at iki.fi
Tue Sep 30 18:00:07 EEST 2008
BTW. Dovecot v1.1 has by default:
ssl_cipher_list = ALL:!LOW:!SSLv2
I'd think that's enough to fix this too.
On Tue, 2008-09-30 at 10:23 -0400, John Gray wrote:
> I *think* you can fix this in your config.
>
> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
>
> Consider yourself lucky you're not using UW. I believe you need to
> recompile it.
>
> Nessus thinks I'm good with the setting above.
>
> John
>
> Amit Thakkar wrote:
> > Hello,
> >
> > I work for an organization that uses a Secure Dovecot server for messaging, and recently we've had to undergo some security screenings for PKI compliance (credit card industry standards). However, the screening returned to us a failure due to the following reason (attributed to our Dovecot server, which runs on port 993 and is the only "open" port on our firewall):
> >
> > Synopsis : The remote service encrypts traffic using a protocol with known
> > weaknesses.
> > Description : The remote service accepts connections encrypted using SSL 2.0, which
> > reportedly suffers from several cryptographic flaws and has been
> > deprecated for several years. An attacker may be able to exploit these
> > issues to conduct man-in-the-middle attacks or decrypt communications
> > between the affected service and clients.
> > See also : http://www.schneier.com/paper-ssl.pdf
> > Solution: Consult the application's documentation to disable SSL 2.0 and use SSL
> > 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS.
> > See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
> > Risk Factor: Medium / CVSS Base Score : 2
> > (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
> >
> > Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only TLS 1.0?
> >
> > Thank You
> >
> >
> >
>
>
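The two ssl_cipher_list values in this thread are OpenSSL cipher-list strings, and the difference between them comes down to how OpenSSL applies the `!`, `-` and `+` prefixes. The evaluator below is an added example (not Dovecot code and not Timo's or John's), written to show what each prefix does and which entries a scanner would still flag. It runs over a small constructed cipher table whose group memberships (HIGH/MEDIUM/LOW/EXP, SSLv2/SSLv3, ADH) follow the groupings in the OpenSSL ciphers(1) manual, but the table, its ordering and the `weak_ciphers` helper are assumptions for illustration, not the real OpenSSL cipher table.

```python
"""Toy evaluator for OpenSSL cipher-list strings (constructed example).

TABLE is a small, constructed subset of ciphers; the group labels follow
OpenSSL's ciphers(1) groupings but the list and its order are illustrative.
For a real server, check the expansion with: openssl ciphers -v '<string>'
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    protocol: str   # "SSLv2" or "SSLv3" (TLSv1 shares the SSLv3 cipher set)
    strength: str   # "HIGH", "MEDIUM", "LOW", "EXP" or "eNULL"
    auth: str       # "RSA" or "aNULL" (anonymous DH, i.e. the ADH group)
    bits: int


# Constructed table; "ALL" expands to it in this order (minus eNULL ciphers).
TABLE = [
    Cipher("AES256-SHA",      "SSLv3", "HIGH",   "RSA",   256),
    Cipher("DES-CBC3-SHA",    "SSLv3", "HIGH",   "RSA",   168),
    Cipher("ADH-AES128-SHA",  "SSLv3", "HIGH",   "aNULL", 128),
    Cipher("RC4-MD5",         "SSLv3", "MEDIUM", "RSA",   128),
    Cipher("DES-CBC-SHA",     "SSLv3", "LOW",    "RSA",    56),
    Cipher("EXP-RC4-MD5",     "SSLv3", "EXP",    "RSA",    40),
    Cipher("DES-CBC3-MD5",    "SSLv2", "HIGH",   "RSA",   168),
    Cipher("RC2-CBC-MD5",     "SSLv2", "MEDIUM", "RSA",   128),
    Cipher("DES-CBC-MD5",     "SSLv2", "LOW",    "RSA",    56),
    Cipher("EXP-RC2-CBC-MD5", "SSLv2", "EXP",    "RSA",    40),
    Cipher("NULL-SHA",        "SSLv3", "eNULL",  "RSA",     0),
]


def matches(cipher, word):
    """Does one keyword (or an exact cipher name) match this cipher?"""
    if word == "ALL":
        return cipher.strength != "eNULL"
    if word in ("EXP", "EXPORT"):
        return cipher.strength == "EXP"
    if word in ("HIGH", "MEDIUM", "LOW", "eNULL"):
        return cipher.strength == word
    if word in ("SSLv2", "SSLv3"):
        return cipher.protocol == word
    if word == "TLSv1":
        return cipher.protocol == "SSLv3"
    if word in ("ADH", "aNULL"):
        return cipher.auth == "aNULL"
    return cipher.name == word


def select(spec):
    """Ciphers matching a '+'-joined spec such as 'SSLv3+HIGH' (logical AND)."""
    words = spec.split("+")
    return [c for c in TABLE if all(matches(c, w) for w in words)]


def expand(cipher_list):
    """Apply OpenSSL cipher-list semantics: '!' deletes permanently, '-' deletes
    but allows re-adding, '+' moves matches to the end, a bare word appends."""
    current = []
    killed = set()
    for item in cipher_list.replace(",", ":").split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            current.sort(key=lambda c: -c.bits)
        elif item[0] == "!":
            for c in select(item[1:]):
                killed.add(c.name)
                if c in current:
                    current.remove(c)
        elif item[0] == "-":
            for c in select(item[1:]):
                if c in current:
                    current.remove(c)
        elif item[0] == "+":
            moved = [c for c in current if c in select(item[1:])]
            current = [c for c in current if c not in moved] + moved
        else:
            for c in select(item):
                if c.name not in killed and c not in current:
                    current.append(c)
    return [c.name for c in current]


def weak_ciphers(cipher_list):
    """Enabled ciphers a scanner like the one quoted above would still flag:
    SSLv2, LOW, export-grade, null encryption, or anonymous key exchange."""
    by_name = {c.name: c for c in TABLE}
    return [n for n in expand(cipher_list)
            if by_name[n].protocol == "SSLv2"
            or by_name[n].strength in ("LOW", "EXP", "eNULL")
            or by_name[n].auth == "aNULL"]


if __name__ == "__main__":
    for spec in ("ALL:!LOW:!SSLv2",
                 "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"):
        print(spec, "->", expand(spec), "flagged:", weak_ciphers(spec))
```

Against this toy table, the v1.1 default drops the SSLv2 and LOW entries but still leaves an export-grade cipher and an anonymous-DH cipher enabled, which John's longer string removes with `!EXP` and `!ADH`; the trailing `+HIGH:+MEDIUM` only reorders what survives, it adds nothing back. The order of `!` versus `ALL` also matters: `!SSLv2:ALL` keeps SSLv2 out because `!` is permanent, whereas `-SSLv2:ALL` would let a later `ALL` re-add it. Confirm any real setting with `openssl ciphers -v` rather than with this table.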