TLS renegotiation issue (CVE-2011-1473) in Dovecot

Greg Earle earle at isolar.DynDNS.ORG
Fri May 13 22:02:02 UTC 2022


Hello,

At work I'm running a Dovecot 2.3.15 server on a RHEL 7.9 system with 
OpenSSL 1.0.2k.

Our IT Security people are threatening to shut it down because of this:

> We were notified of a possible TLS renegotiation vulnerability on 
> [FQHN].
>
> [Parent organization] ticket NNNNNNN is open to track efforts.
>
> We conducted a manual test on the site for TLS Renegotiation on IMAP 
> port 993.
>
> We found that this was set to enabled.
>
> In order to remediate we will need to either:
>
>  1. Disable Renegotiation (preferred)
>  2. Set a max aggregated renegotiation
>
> Please remediate as soon as possible.
>
> References:
>
> https://support.f5.com/csp/article/K15278
>
> https://nvd.nist.gov/vuln/detail/cve-2011-1473
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473

I did some Googling and, among the results, found a few old posts from 
this mailing list, which, to summarize, basically seemed to say 
"Yeah, we could write some code ... " but that was about it.

The IT Security rep sent me a reference to an ancient Red Hat article

https://access.redhat.com/articles/23543

which is hysterical - ancient history, references NSS and Tomcat, 
suggests changes to an add-on product (Red Hat Certificate Server) that 
is EOL, etc.

Is there any way to mitigate this issue?

(The only thing I can think of is to upgrade the Dovecot server to RHEL 
8 and restrict connections to only TLSv1.3, but that ain't gonna happen 
overnight.)

Thanks,

		- Greg
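The script below is an added example; it is not part of Greg's post and not Dovecot code. It reproduces the kind of "manual test for TLS Renegotiation on IMAP port 993" that the IT Security team describes, using `openssl s_client`: a line consisting of `R` on s_client's stdin asks the client to renegotiate, and the transcript then shows either a second certificate-verification pass (renegotiation accepted), a "no renegotiation" error after the server's no_renegotiation alert (refused), or nothing further. It assumes `openssl` 1.0.2 or 1.1.1 on PATH; the host name `imap.example.test`, the IMAP tag `a1`, and the three sample transcripts are all constructed for this example, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post or from Dovecot): probe a server
# for client-initiated TLS renegotiation with openssl s_client and classify
# the transcript. Assumes openssl(1) 1.0.2 or 1.1.1 on PATH.

probe_renegotiation() {   # usage: probe_renegotiation HOST PORT -> s_client transcript
    host=$1
    port=$2
    {
        sleep 2                  # let the first handshake and the IMAP greeting finish
        printf 'R\n'             # s_client command: request a renegotiation
        sleep 2                  # give the second handshake (or the alert) time to happen
        printf 'a1 LOGOUT\r\n'   # placeholder IMAP tag; ask the server to close cleanly
        sleep 1
    } | openssl s_client -connect "$host:$port" -servername "$host" 2>&1
}

classify_transcript() {   # stdin: transcript -> accepted | refused | not-completed | unknown
    awk '
        /no renegotiation/      { refused = 1 }        # client error after a no_renegotiation alert
        /RENEGOTIATING/         { requested = 1; next } # s_client acknowledged our R command
        requested && /depth=/   { second = 1 }         # verify callback ran again: a new handshake
        END {
            if (refused)                 print "refused"
            else if (requested && second) print "accepted"
            else if (requested)          print "not-completed"
            else                         print "unknown"
        }'
}

# Constructed transcripts approximating s_client output (not captured from any real server).
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify return:1
---
Secure Renegotiation IS supported
---
* OK IMAP server ready.
RENEGOTIATING
depth=0 CN = imap.example.test
verify return:1
* BYE Logging out
a1 OK Logout completed.
EOF
}

sample_refused() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify return:1
---
Secure Renegotiation IS supported
---
* OK IMAP server ready.
RENEGOTIATING
0:error:...:SSL routines:...:no renegotiation:...
EOF
}

sample_tls13() {            # TLS 1.3 session: renegotiation does not exist, R sends nothing
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = imap.example.test
verify return:1
---
* OK IMAP server ready.
RENEGOTIATING
* BYE Logging out
a1 OK Logout completed.
EOF
}

# With a host argument, run the live probe; with none, self-check the classifier offline.
if [ $# -ge 1 ]; then
    probe_renegotiation "$1" "${2:-993}" | classify_transcript
else
    printf 'accepted sample:      %s\n' "$(sample_accepted | classify_transcript)"
    printf 'refused sample:       %s\n' "$(sample_refused | classify_transcript)"
    printf 'tls13 sample:         %s\n' "$(sample_tls13 | classify_transcript)"
fi
```

Run it as `sh probe.sh imap.example.test 993` against a host you are authorized to test. Two caveats when reading the output: the "Secure Renegotiation IS supported" line that s_client prints concerns the RFC 5746 renegotiation_info extension (the CVE-2009-3555 fix) and says nothing about whether the server will honour a client-initiated renegotiation, which is what CVE-2011-1473 is about; and in a TLS 1.3 session there is no renegotiation at all, so the `R` command has no effect and the result is "not-completed" rather than "refused". A server that silently ignores the renegotiation ClientHello also lands in "not-completed", so interpret that verdict together with the negotiated protocol version shown earlier in the transcript.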

