TLS renegotiation issue (CVE-2011-1473) in Dovecot
Elisamuel Resto
sam at samresto.dev
Sat May 14 02:38:10 UTC 2022
On 2022-05-13 5:02 pm, Greg Earle wrote:
> Hello,
>
> At work I'm running a Dovecot 2.3.15 server on a RHEL 7.9 system with
> OpenSSL 1.0.2k.
>
> Our IT Security people are threatening to shut it down because of this:
>
>> We were notified of a possible TLS renegotiation vulnerability on
>> [FQHN].
>>
>> [Parent organization] ticket NNNNNNN is open to track efforts.
>>
>> We conducted a manual test on the site for TLS Renegotiation on IMAP
>> port 993.
>>
>> We found that this was set to enabled.
>>
>> In order to remediate we will need to either:
>>
>> 1. Disable Renegotiation (preferred)
>> 2. Set a max aggregated renegotiation
>>
>> Please remediate as soon as possible.
>>
>> References:
>>
>> https://support.f5.com/csp/article/K15278
>>
>> https://nvd.nist.gov/vuln/detail/cve-2011-1473
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
>
> I did some Googling and, among the results, found a few old posts from
> this mailing list which, to summarize, basically seemed to say "Yeah,
> we could write some code ... " but that was about it.
>
> The IT Security rep sent me a reference to an ancient Red Hat article
>
> https://access.redhat.com/articles/23543
>
> which is hysterical - ancient history, references NSS and Tomcat,
> suggests changes to an add-on product (Red Hat Certificate Server) that
> is EOL, etc.
>
> Is there any way to mitigate this issue?
>
> (The only thing I can think of is to upgrade the Dovecot server to RHEL
> 8 and restrict connections to only TLSv1.3, but that ain't gonna happen
> overnight.)
>
> Thanks,
>
> - Greg
Greg,
I believe this to be a configuration error, not a dovecot problem. The
output of dovecot -n (as an attachment; look it over for any data you do
not want publicized) would help to suggest changes to bring you back
into compliance.
Regards,
Elisamuel Resto
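Since the reply asks for `dovecot -n` output, here is an added example (not from the thread, and not Dovecot's own code) of a small checker that parses that output and reports whether the server can still be asked to renegotiate at all. It reasons only from the negotiated protocol version: TLS 1.3 has no renegotiation, so a listener that offers nothing older than TLSv1.3 has no renegotiation surface, while any TLS 1.2-or-older configuration can receive a client-initiated renegotiation unless the OpenSSL build refuses it. The sample config is constructed; the setting names `ssl` and `ssl_min_protocol` exist in Dovecot 2.3, but whether a given OpenSSL 1.0.2k build accepts renegotiation is not something this script can tell, so it reports "possible", not "confirmed", and a real handshake test against the listener is still needed.

```python
"""Assess `dovecot -n` output for TLS renegotiation exposure (CVE-2011-1473 class).

Added example for the Dovecot mailing-list thread; not Dovecot project code.
"""

# Constructed sample of `dovecot -n` output, modelled on a Dovecot 2.3 / RHEL 7
# box. Values are made up for illustration.
SAMPLE_DOVECOT_N = """\
# 2.3.15 (0503334ab): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0 x86_64 Red Hat Enterprise Linux Server release 7.9 (Maipo)
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""

# Protocol versions Dovecot's ssl_min_protocol can name, oldest first.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_dovecot_n(text):
    """Parse dovecot -n output into a flat {path.key: value} dict.

    Sections such as `service imap-login {` become a path element
    `service/imap-login`; comment lines and trailing `# ...` remarks are dropped.
    """
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip().replace(" ", "/"))
            continue
        if line == "}":
            path.pop()
            continue
        key, _, value = line.partition("=")
        value = value.split("#", 1)[0].strip()  # e.g. "ssl_key = # hidden" -> ""
        settings[".".join(path + [key.strip()])] = value
    return settings


def assess_renegotiation(settings):
    """Return (exposed, reason) based purely on the minimum TLS version offered.

    exposed=True means renegotiation is *possible* at the protocol level; it does
    not prove the OpenSSL build accepts client-initiated renegotiation.
    """
    if settings.get("ssl", "no") == "no":
        return False, "ssl = no: no TLS listener, no renegotiation surface"
    minimum = settings.get("ssl_min_protocol")
    if minimum is None:
        return True, ("ssl_min_protocol not set: Dovecot's default permits TLS < 1.3, "
                      "so renegotiation is possible")
    if minimum not in TLS_ORDER:
        return True, f"unrecognised ssl_min_protocol {minimum!r}: treat as exposed"
    if TLS_ORDER.index(minimum) >= TLS_ORDER.index("TLSv1.3"):
        return False, "ssl_min_protocol = TLSv1.3: renegotiation does not exist in TLS 1.3"
    return True, (f"ssl_min_protocol = {minimum}: TLS 1.2 or older can be negotiated, "
                  "so client-initiated renegotiation is possible unless OpenSSL refuses it")


def tls_listeners(settings):
    """Return the ports of inet_listeners that have ssl enabled (for the report)."""
    ports = []
    for key, value in settings.items():
        if key.endswith(".ssl") and value == "yes":
            port = settings.get(key[: -len(".ssl")] + ".port")
            if port:
                ports.append(int(port))
    return sorted(ports)


if __name__ == "__main__":
    cfg = parse_dovecot_n(SAMPLE_DOVECOT_N)
    exposed, why = assess_renegotiation(cfg)
    print("TLS listeners on ports:", tls_listeners(cfg))
    print("renegotiation possible:", exposed)
    print("reason:", why)
```

Run it against the real output by replacing `SAMPLE_DOVECOT_N` with the contents of `dovecot -n` (review that output first, as the reply advises). If the verdict is "possible" and the OpenSSL in use predates the ability to refuse renegotiation, the page's own options apply: an OpenSSL that allows only TLSv1.3, or rate-limiting renegotiation in front of the listener.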