Marc Rantanen:
Hi, how do I protect dovecot 1.2.17 against poodle?
<anything without warranty, totally untested ...>

I just looked into the source code. Looks like there was an option "ssl_protocols" in dovecot.conf (check: dovecot -a | grep ssl_protocols). Then you should be able to set "ssl_protocols = !SSLv2 !SSLv3", restart and check: openssl s_client -connect $dovecot_host:imaps -tls1 should work, while openssl s_client -connect $dovecot_host:imaps -ssl3 should not (or use pop3s).

Also, if you could recompile from source, then you may test the following patch. At first glance it should only avoid dovecot connecting to a next dovecot via SSLv3.

Index: src/lib-ssl-iostream/iostream-openssl-context.c
===================================================================
--- src.orig/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 22:59:28.000000000 +0200
+++ src/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 23:00:12.000000000 +0200
@@ -358,7 +358,7 @@
/* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); if (SSL_CTX_need_tmp_RSA(ctx->ssl_ctx)) SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, ssl_gen_rsa_key);
Index: src/login-common/ssl-proxy-openssl.c
===================================================================
--- src.orig/login-common/ssl-proxy-openssl.c 2014-10-25 23:00:36.000000000 +0200
+++ src/login-common/ssl-proxy-openssl.c 2014-10-25 23:02:19.000000000 +0200
@@ -973,8 +973,8 @@
/* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & - ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | + (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
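Review bot: In the iostream-openssl-context.c hunk (line 358), adding SSL_OP_NO_SSLv3 directly to the SSL_CTX_set_options call hard-codes the protocol policy for this context; because SSL_CTX_set_options only ORs bits in, a later step that applies the configured ssl_protocols value cannot re-enable SSLv3 without SSL_CTX_clear_options, so it would be cleaner to build the SSL_OP_NO_* mask from ssl_protocols in one place rather than in this literal. The comment just above ("enable all SSL workarounds, except empty fragments ...") also no longer describes what the line does and should mention that SSLv2 and SSLv3 are disabled here.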
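Review bot: The ssl-proxy-openssl.c hunk (line 973) will not compile as written: the added lines call SSL_CTX_set_options(ctx->ssl_ctx, ...), but the removed lines and the following context line SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS) use a plain ssl_ctx, so the hunk appears to have been copied from the lib-ssl-iostream change without adjusting the variable. It should read SSL_CTX_set_options(ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); and note that this is the login-side listener context, i.e. the one that stops clients from negotiating SSLv3, which the "should only avoid dovecot connect to a next dovecot" remark above does not cover.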
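The verification step from the reply (openssl s_client with -tls1 must succeed, with -ssl3 must fail), written up as an added example script that is not from the original thread or the Dovecot project. It assumes openssl(1) is in PATH; DOVECOT_HOST and DOVECOT_PORT are placeholders supplied by the caller, and the output patterns it matches ("Cipher is (NONE)", "handshake failure", "unknown option") are the strings OpenSSL's s_client prints. The one caveat it handles: an OpenSSL built without SSLv3 rejects the -ssl3 flag itself, which says nothing about the server, so that case is reported as inconclusive rather than as a pass.

```shell
#!/bin/sh
# Added example (not from the thread): check that a Dovecot TLS endpoint
# refuses SSLv3 but still accepts TLSv1, using openssl s_client.
# Assumes openssl(1) in PATH. DOVECOT_HOST / DOVECOT_PORT are placeholders.

# classify_handshake STATUS OUTPUT
# Maps an openssl s_client exit status and its combined stdout/stderr to
# "accepted", "refused" or "inconclusive".
classify_handshake() {
    status="$1"
    output="$2"
    case "$output" in
        # openssl compiled without SSLv3 rejects the -ssl3 option itself;
        # that is no evidence about the server, so never report "refused".
        *"unknown option"*|*"Option unknown"*|*"not supported"*)
            echo inconclusive; return 0 ;;
        # Server alert or no negotiated cipher: the protocol was refused.
        *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version number"*)
            echo refused; return 0 ;;
        # A completed handshake prints the negotiated cipher suite.
        *"Cipher is "*)
            if [ "$status" -eq 0 ]; then echo accepted; else echo inconclusive; fi
            return 0 ;;
    esac
    echo inconclusive
}

# probe_protocol HOST PORT FLAG  (FLAG is e.g. -ssl3 or -tls1)
probe_protocol() {
    output=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    classify_handshake "$?" "$output"
}

# verdict SSL3_RESULT TLS1_RESULT -> PASS / FAIL / INCONCLUSIVE
verdict() {
    ssl3="$1"
    tls1="$2"
    # Any accepted SSLv3 handshake is a failure regardless of the rest.
    if [ "$ssl3" = accepted ]; then echo FAIL; return 0; fi
    # POODLE mitigation is only useful if TLSv1 still works for clients.
    if [ "$ssl3" = refused ] && [ "$tls1" = accepted ]; then echo PASS; return 0; fi
    echo INCONCLUSIVE
}

# Run the live check only when a host is given, e.g.
#   DOVECOT_HOST=mail.example.test DOVECOT_PORT=993 sh check-ssl3.sh
if [ -n "${DOVECOT_HOST:-}" ]; then
    port="${DOVECOT_PORT:-993}"   # 993 = imaps; use 995 for pop3s
    ssl3=$(probe_protocol "$DOVECOT_HOST" "$port" -ssl3)
    tls1=$(probe_protocol "$DOVECOT_HOST" "$port" -tls1)
    echo "SSLv3: $ssl3  TLSv1: $tls1  => $(verdict "$ssl3" "$tls1")"
fi
```

Run it after changing ssl_protocols and restarting Dovecot; a PASS means the listener refused SSLv3 and negotiated TLSv1. If the SSLv3 probe comes back inconclusive, rerun it from a host whose OpenSSL still has SSLv3 support, since a client that cannot speak SSLv3 cannot prove the server refuses it.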