Client-initiated secure renegotiation
Osiris
dovecot at flut.demon.nl
Thu Mar 10 09:30:52 UTC 2016
On 09-03-16 13:14, djk wrote:
> On 09/03/16 10:44, Florent B wrote:
>> Hi,
>>
>> I don't see any SSL configuration option in Dovecot to disable
>> "Client-initiated secure renegotiation".
>>
>> It is advised to disable it as it can cause DDoS (CVE-2011-1473).
>>
>> Is it possible to have this possibility through an SSL option or other ?
>>
>> Thank you.
>>
>> Florent
> ssl_protocols = !SSLv3 !SSLv2
>
> Is that enough?
I'm afraid not. I've got SSLv2 and SSLv3 disabled and with `openssl
s_client -connect $host:993` I still can successfully renegotiate by
passing a single 'R'.
More information about the dovecot
mailing list