[Dovecot] SSL renegotiation vulnerability (Was: dovecot evaluation on a 30 gb mailbox)

Timo Sirainen tss at iki.fi
Tue Oct 25 21:13:09 EEST 2011


On 25.10.2011, at 14.38, Steinar Bang wrote:

>>>>>> Timo Sirainen <tss at iki.fi>:
> 
>> Yes, SSL handshakes are extra. Although SSL supports some kind of
>> quick renegotiation too, but Dovecot doesn't support that yet. No
>> one's ever requested it..

Looks like it's not "renegotiation" but more like session resume/resumption/cache or something that I was thinking about.

> Hum... this article (in Norwegian)
> http://www.digi.no/881186/skrekkverktoy-slaar-ut-%ABsikre%BB-servere
> addresses the SSL renegotiation vulnerability, and how it can be used to
> DOS servers using SSL from a single machine with low bandwidth.
> 
> At the end the article is discussing how to configure off the SSL
> renegotiate in different servers, and that the author had been unable to
> find a setting for disabling SSL renegotiate in dovecot (and if anyone
> knows how, please inform him).
> 
> Could the reason he hasn't found such a setting be that SSL renegotiate
> isn't supported at all in dovecot...?

Looking at the OpenSSL code, I don't see any way to disable it. Or possibly with some undocumented kludgy way, but I don't really know enough about OpenSSL to implement it.

Anyway, I'd think fail2ban should mostly solve this problem.
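Timo's fail2ban suggestion, as an added example that is not from the thread, from Dovecot, or from fail2ban itself: a Python sketch of the maxretry/findtime rule a fail2ban jail applies before banning, run over constructed Dovecot imap-login log lines. The log layout, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Dovecot's imap-login syslog layout (an assumption about
# the format; none of these lines or addresses come from the thread).
SAMPLE_LOG = """\
Oct 25 21:13:01 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.1, TLS
Oct 25 21:13:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.1, TLS
Oct 25 21:13:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.1, TLS
Oct 25 21:13:03 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.1, TLS
Oct 25 21:13:04 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.1, TLS
Oct 25 21:13:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.77, lip=198.51.100.1, TLS
"""

# Equivalent of a fail2ban "failregex": only unauthenticated disconnects count,
# and the remote address is taken from Dovecot's rip= field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(no auth attempts in \d+ secs\): .*?\brip=(?P<ip>[\d.]+)"
)


def find_abusers(log_text, maxretry=3, findtime=timedelta(seconds=10), year=2011):
    """Return {ip: time_of_ban} for every address with at least `maxretry`
    matching lines inside a sliding `findtime` window, the same rule a
    fail2ban jail applies before it bans. `year` is needed because syslog
    timestamps carry none."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # logins and unrelated lines never count
        ip = m["ip"]
        if ip in banned:
            continue              # already banned; fail2ban would drop its packets
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # expire hits older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_abusers(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

This only sees connection-level events: repeated renegotiations inside one already established TLS session produce no imap-login line to match, which is why a log-driven ban only mostly addresses the problem.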
