On 2022-05-13 5:02 pm, Greg Earle wrote:
Hello,
At work I'm running a Dovecot 2.3.15 server on a RHEL 7.9 system with OpenSSL 1.0.2k.
Our IT Security people are threatening to shut it down because of this:
We were notified of a possible TLS renegotiation vulnerability on [FQHN].
[Parent organization] ticket NNNNNNN is open to track efforts.
We conducted a manual test on the site for TLS Renegotiation on IMAP port 993.
We found that this was set to enabled.
In order to remediate we will need to either:
- Disable Renegotiation (preferred)
- Set a max aggregated renegotiation
Please remediate as soon as possible.
References:
https://support.f5.com/csp/article/K15278
https://nvd.nist.gov/vuln/detail/cve-2011-1473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
I did some Googling and among the results, I found a few old posts from this mailing list among them, which to summarize basically seemed to say "Yeah, we could write some code ... " but that was about it.
The IT Security rep sent me a reference to an ancient Red Hat article
https://access.redhat.com/articles/23543
which is hysterical - ancient history, references NSS and Tomcat, suggests changes to an add-on product (Red Hat Certificate Server) that is EOL, etc.
Is there any way to mitigate this issue?
(The only thing I can think of is to upgrade the Dovecot server to RHEL 8 and restrict connections to only TLSv1.3, but that ain't gonna happen overnight.)
Thanks,
- Greg
Greg,
I believe this to be a configuration error, not a dovecot problem. The output of dovecot -n (as an attachment; look it over for any data you do not want publicized) would help to suggest changes to bring you back into compliance.
Regards, Elisamuel Resto