10 Mar 2016, 11:30 a.m.
On 09-03-16 13:14, djk wrote:
On 09/03/16 10:44, Florent B wrote:
Hi,
I don't see any SSL configuration option in Dovecot to disable "Client-initiated secure renegotiation".
It is advised to disable it as it can cause DDoS (CVE-2011-1473).
Is it possible to have this possibility through an SSL option or other?
Thank you.
Florent

ssl_protocols = !SSLv3 !SSLv2
Is that enough?

I'm afraid not. I've got SSLv2 and SSLv3 disabled and with openssl s_client -connect $host:993 I still can successfully renegotiate by passing a single 'R'.
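
The check described in the reply above, wrapped as a repeatable audit script. This is an added example, not part of the original thread. The function names, the sample transcripts and the classification heuristic (an OpenSSL error or errno line after `RENEGOTIATING` means refused, a fresh `verify return:` line means the second handshake completed) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify an `openssl s_client` transcript after sending 'R'.
# Heuristic (assumption): after the RENEGOTIATING line, an OpenSSL error or
# errno line means the server refused; a fresh "verify return:" line means a
# new handshake completed, i.e. client-initiated renegotiation is enabled.
classify_reneg() {
    awk '
        /^RENEGOTIATING/          { seen = 1; next }
        seen && /:error:|errno=/  { refused = 1 }
        seen && /verify return:/  { redone = 1 }
        END {
            if (!seen)        print "not-attempted"
            else if (refused) print "refused"
            else if (redone)  print "accepted"
            else              print "inconclusive"
        }'
}

# check_reneg HOST PORT: run the check against a server you administer.
# -tls1_2 is used because TLS 1.3 has no renegotiation; the sleep keeps
# stdin open long enough for the second handshake to finish.
check_reneg() {
    { printf 'R\n'; sleep 3; } |
        openssl s_client -connect "$1:$2" -tls1_2 2>&1 | classify_reneg
}

# Constructed transcripts (not captured from a real server).
SAMPLE_ACCEPTED='verify return:1
---
RENEGOTIATING
depth=0 CN = mail.example.org
verify return:1'

SAMPLE_REFUSED='verify return:1
---
RENEGOTIATING
0000:error:00000000:SSL routines:(constructed):ssl handshake failure'

# Run live only when called with two arguments: ./script HOST 993
if [ "$#" -eq 2 ]; then check_reneg "$1" "$2"; fi
```

An `accepted` result after changing only `ssl_protocols` matches what the reply reports: disabling SSLv2 and SSLv3 does not turn off renegotiation.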