[Dovecot] SSL renegotiation vulnerability (Was: dovecot evaluation on a 30 gb mailbox)

Timo Sirainen tss at iki.fi
Tue Oct 25 21:51:29 EEST 2011


On 25.10.2011, at 21.13, Timo Sirainen wrote:

>> Could the reason he hasn't found such a setting be that SSL renegotiate
>> isn't supported at all in dovecot...?
> 
> Looking at the OpenSSL code, I don't see any way to disable it. Or possibly with some undocumented kludgy way, but I don't really know enough about OpenSSL to implement it.

Actually, the attached patch works for v2.0. I'm not really sure yet if I should add a setting for it, force it always or just wait for SSL people to figure out something else. I think I'll do the last option for now.

In any case, I noticed there was some memory "leaking" when doing SSL renegotiation and that definitely needs to be fixed: http://hg.dovecot.org/dovecot-2.0/rev/ad2ebc237570

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: application/octet-stream
Size: 515 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20111025/d5113daa/attachment.obj>


More information about the dovecot mailing list