[Dovecot] IMAP and POP3 per SSL

Robert Schetterer robert at schetterer.org
Tue Mar 20 13:32:04 EET 2012 

Am 20.03.2012 12:16, schrieb Lamprecht, Andreas:
> Hi!
>  
> I'm new to this list and i could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.
>  
> Our security scanner stumbled over the IMAPs server i've set up recently using dovecot on a RedHat Enterprise 64bit Server.
> The security scanner found an error regarding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
> 
> "The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set
> 
>   SSLHonorCipherOrder On
> 
> in apache config. This results in the following C-Code being executed:
> 
>         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> 
> This setting tells OpenSSL not to honor the Ciper Order sent from the client, but prefer it's own configured set of CipherSuites. According to Qualis SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.
> 
> Is there a way to implement such a setting into Dovecot, too?
> 
> I have created a very quick and dirty solution to avoid being listed on our internal security problem's list.
> This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 6.2:
> 
> *** src/login-common/ssl-proxy-openssl.c        2010-12-30 10:42:54.000000000 +0100
> --- src/login-common/ssl-proxy-openssl.c_1      2012-03-20 09:48:28.359508087 +0100
> ***************
> *** 924,930 ****
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
> --- 924,930 ----
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE );
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
> 
> 
> Of course there should be a way to switch this setting on or off, but my C programming skills are rather basic ...
> 
> So, maybe you have the time to look over it and implement a final solution for the BEAST problem.
> 
> Greetings
> Andreas lamprecht
> 

perhaps look at

http://wiki2.dovecot.org/SSL/DovecotConfiguration

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

More information about the dovecot mailing list