New FREAK SSL Attack CVE-2015-0204

Emmanuel Dreyfus manu at netbsd.org
Wed Mar 4 16:19:47 UTC 2015


On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote:
> Hello,
> about the CVE-2015-0204, in apache the following config seems to disable
> this vulnerability:
>  SSLProtocol All -SSLv2 -SSLv3
>  SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
> 
> Is something similar possible with dovecot ?

I use this with some success:

# dovecot has built-in protection against BEAST, therefore no need
# to remove -SSLv2-SHA1:-TLSv10-SHA1
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL

I only had a single report of an old client being locked out. Oddly it
was a recent Windows Phone that was perfectly capable of using 
latest protocol and ciphers.

While there, I will self advertise my own paper on TLS hardening:
http://arxiv.org/abs/1407.2168

-- 
Emmanuel Dreyfus
manu at netbsd.org
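As an added example (not from the thread, Dovecot or Apache), the script below expands the two cipher strings quoted above with the local OpenSSL and flags any suite that still matches an excluded algorithm or falls below 128-bit strength; the cipher strings are copied from the thread, the list of banned name fragments and the 128-bit floor are my assumptions.

```python
import ssl

# Cipher lists as quoted in the thread (Apache from the question, Dovecot from the reply).
APACHE_LIST = "HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
DOVECOT_LIST = "ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL"

# Assumed suite-name fragments for algorithms both lists try to exclude. "EXP" marks
# the export-grade suites that the FREAK downgrade relies on; "NULL"/"ADH"/"AECDH"
# mark suites without encryption or without authentication.
BANNED_FRAGMENTS = ("EXP", "RC4", "MD5", "NULL", "ADH", "AECDH")


def expand(cipher_list):
    """Expand an OpenSSL cipher string into the suites this host's OpenSSL would enable.

    The result depends on the installed OpenSSL: a library built without export
    ciphers can never enable them, whatever the string says.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_list, min_bits=128):
    """Return (ok, problems) for a cipher string.

    ok is False if any enabled suite matches a banned fragment or negotiates
    fewer than min_bits of symmetric key strength (export suites are 40/56-bit).
    """
    problems = []
    for suite in expand(cipher_list):
        name, bits = suite["name"], suite["strength_bits"]
        if any(frag in name for frag in BANNED_FRAGMENTS):
            problems.append(f"{name}: excluded algorithm")
        elif bits < min_bits:
            problems.append(f"{name}: only {bits}-bit")
    return (not problems, problems)


if __name__ == "__main__":
    for label, cipher_list in (("apache", APACHE_LIST), ("dovecot", DOVECOT_LIST)):
        ok, problems = audit(cipher_list)
        print(f"{label}: {'ok' if ok else 'WEAK'}")
        for p in problems:
            print("  ", p)
```

Run it on the mail server itself, since the expansion reflects that host's OpenSSL build rather than the one on your workstation.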

