On 11/04/2019 23:28, sergio via dovecot wrote:
Hello.
I've just tested my system that runs dovecot 2.3.4.1 on debian buster with testssl.sh (https://testssl.sh/) and it says:

  Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
  Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat
Is this a configuration or a compilation issue and how to solve it?
This should be interpreted as meaning that client-initiated renegotiation is enabled. The tool does not test whether the software mitigates the DoS threat by limiting the number of renegotiations to a configurable limit.

Having said that, I think that mitigating this in dovecot would require a code change. What I'm not sure about is whether the best route would be to turn off client-side renegotiation or only limit it. A previous version of openssl turned it off but then it was re-introduced. That would require further investigation to understand the best solution.
John
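The point John makes is that testssl.sh only reports whether the server answers a client-initiated renegotiation at all, not whether it caps how many it will accept on one connection. The following is an added example, written for this page and not code from the dovecot project, the thread, or testssl.sh, that checks the cap directly: it pipes a series of "R" lines into `openssl s_client` (which triggers a renegotiation per "R" and logs "RENEGOTIATING"), and counts how many the server refused. It assumes OpenSSL 1.1.1's s_client (the `-no_tls1_3` flag, and the `-state` output line `SSL3 alert read:warning:no renegotiation` for a refused renegotiation); the host, port and transcript below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not dovecot's or testssl.sh's code): count client-initiated
# renegotiations accepted by a TLS 1.2 IMAP listener.
#
# Assumptions (OpenSSL 1.1.1 s_client behaviour):
#   - an "R" line on stdin makes s_client renegotiate and print "RENEGOTIATING";
#   - with -state, a server that refuses replies with an alert that s_client
#     prints as "SSL3 alert read:warning:no renegotiation";
#   - a "Q" line closes the connection.

# Interpret an s_client transcript: print "<attempted> <refused>".
classify_reneg_transcript() {
    transcript=$1
    # "|| true" keeps a zero count from tripping "set -e" (grep -c exits 1 on 0 matches)
    attempted=$(printf '%s\n' "$transcript" | grep -c '^RENEGOTIATING' || true)
    refused=$(printf '%s\n' "$transcript" | grep -c 'no renegotiation' || true)
    echo "$attempted $refused"
}

# Verdict for a renegotiation budget: more than $limit accepted renegotiations
# on a single connection is the DoS exposure testssl.sh warns about.
reneg_verdict() {
    transcript=$1
    limit=$2
    set -- $(classify_reneg_transcript "$transcript")
    attempted=$1
    refused=$2
    accepted=$((attempted - refused))
    if [ "$accepted" -gt "$limit" ]; then
        echo "VULNERABLE accepted=$accepted refused=$refused"
    else
        echo "OK accepted=$accepted refused=$refused"
    fi
}

# Live probe (needs network): send $tries renegotiation requests one second
# apart over STARTTLS on the IMAP port, then quit, and judge with a budget of 0.
# Usage: probe_imap_reneg mail.example.test 143 10
probe_imap_reneg() {
    host=$1
    port=${2:-143}
    tries=${3:-10}
    transcript=$( ( i=0; while [ "$i" -lt "$tries" ]; do echo R; sleep 1; i=$((i+1)); done; echo Q ) \
        | openssl s_client -connect "$host:$port" -starttls imap -no_tls1_3 -state 2>&1 )
    reneg_verdict "$transcript" 0
}

# Constructed transcript (not real s_client output) showing a server that refuses
# every renegotiation; runs offline so the parsing can be exercised without a host.
SAMPLE_REFUSING='CONNECTED(00000003)
RENEGOTIATING
SSL3 alert read:warning:no renegotiation
RENEGOTIATING
SSL3 alert read:warning:no renegotiation
DONE'

reneg_verdict "$SAMPLE_REFUSING" 0
```

Read the result against a limit rather than as a yes/no: a server that accepts a handful of renegotiations and then refuses is what "limiting to a configurable limit" looks like in the transcript, whereas one that never refuses across ten attempts is the open-ended case the scanner flags. The count is approximate (a server that simply drops the connection ends the transcript early instead of sending the alert), so keep the raw `-state` output when a verdict is surprising.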