Re: Client-initiated secure renegotiation
On 09/03/16 10:44, Florent B wrote:
Hi,
I don't see any SSL configuration option in Dovecot to disable "Client-initiated secure renegotiation".
It is advised to disable it as it can cause DDoS (CVE-2011-1473).
Is it possible to have this possibility through an SSL option or other?
Thank you.
Florent
ssl_protocols = !SSLv3 !SSLv2
Is that enough?
On 09-03-16 13:14, djk wrote:
On 09/03/16 10:44, Florent B wrote:
Hi,
I don't see any SSL configuration option in Dovecot to disable "Client-initiated secure renegotiation".
It is advised to disable it as it can cause DDoS (CVE-2011-1473).
Is it possible to have this possibility through an SSL option or other?
Thank you.
Florent
ssl_protocols = !SSLv3 !SSLv2
Is that enough?
I'm afraid not. I've got SSLv2 and SSLv3 disabled and with openssl s_client -connect $host:993
I still can successfully renegotiate by passing a single 'R'.
On Thu, Mar 10, 2016 at 12:30 PM, Osiris dovecot@flut.demon.nl wrote:
On 09-03-16 13:14, djk wrote:
On 09/03/16 10:44, Florent B wrote:
Hi,
I don't see any SSL configuration option in Dovecot to disable "Client-initiated secure renegotiation".
It is advised to disable it as it can cause DDoS (CVE-2011-1473).
Is it possible to have this possibility through an SSL option or other?
Thank you.
Florent
ssl_protocols = !SSLv3 !SSLv2
Is that enough?
I'm afraid not. I've got SSLv2 and SSLv3 disabled and with
openssl s_client -connect $host:993
I still can successfully renegotiate by passing a single 'R'.
Are you using a good ssl_cipher_list (https://wiki.mozilla.org/Security/Server_Side_TLS)?
My config:
## Service options
# 10-ssl
ssl = yes
ssl_cert =
Works fine, but only the testssl.sh scanner generates a small warning: "Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat".
openssl s_client -connect $host:993 -ssl2(3) and openssl s_client -connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3) break the connection.
On 10-03-16 11:21, Andrey Fesenko wrote:
On Thu, Mar 10, 2016 at 12:30 PM, Osiris dovecot@flut.demon.nl wrote:
On 09-03-16 13:14, djk wrote:
On 09/03/16 10:44, Florent B wrote:
Hi,
I don't see any SSL configuration option in Dovecot to disable "Client-initiated secure renegotiation".
It is advised to disable it as it can cause DDoS (CVE-2011-1473).
Is it possible to have this possibility through an SSL option or other?
Thank you.
Florent
ssl_protocols = !SSLv3 !SSLv2
Is that enough?
I'm afraid not. I've got SSLv2 and SSLv3 disabled and with
openssl s_client -connect $host:993
I still can successfully renegotiate by passing a single 'R'.
Are you using a good ssl_cipher_list (https://wiki.mozilla.org/Security/Server_Side_TLS)?
My config:
## Service options
# 10-ssl
ssl = yes
ssl_cert =
Works fine, but only the testssl.sh scanner generates a small warning: "Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat".
openssl s_client -connect $host:993 -ssl2(3) and openssl s_client -connect $host:143 -starttls imap -showcerts -state -crlf -ssl2(3) break the connection.
That's just the question of Florent: how to disable Secure Client-Initiated Renegotiation.
On 10.03.2016 12:40, Osiris wrote:
<snip/>
That's just the question of Florent: how to disable Secure Client-Initiated Renegotiation.
Hi!
There is no way to disable this in OpenSSL, and the CVE you refer to has been disputed. Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1473 and https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.
Without altering OpenSSL sources, secure renegotiations will take place.
Aki Tuomi
Dovecot Oy
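As an added check that is not part of the thread (not Dovecot's or OpenSSL's code), the script below turns djk's manual "send a single 'R' to openssl s_client" probe into a repeatable test of a server you operate: it classifies the s_client transcript as accepting or refusing the client-initiated renegotiation. It assumes the marker strings printed by `openssl s_client -state` and its alert callback in recent OpenSSL builds; the two transcripts embedded in it are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread: turn djk's manual "send a single R"
# probe into a repeatable check of your own server. The marker strings are
# what openssl s_client prints with -state and on alerts (assumed for
# recent OpenSSL builds); the two transcripts below are constructed.

# classify_renegotiation: read an s_client transcript on stdin and print
#   ACCEPTED     a second full handshake completed after RENEGOTIATING
#   REFUSED      the attempt ended in a fatal alert or a dropped connection
#   INCONCLUSIVE renegotiation was attempted but neither outcome is visible
#   UNKNOWN      no renegotiation attempt appears in the transcript
classify_renegotiation() {
    awk '
        /^RENEGOTIATING/ { seen = 1; verdict = "INCONCLUSIVE"; next }
        seen && /SSL negotiation finished successfully/ { verdict = "ACCEPTED"; exit }
        seen && /alert (read|write):fatal|errno=|SSL_connect:error/ { verdict = "REFUSED"; exit }
        END { print (seen ? verdict : "UNKNOWN") }
    '
}

# probe_renegotiation HOST PORT: live version of the check (needs network).
# After the handshake settles, send one 'R' (s_client's renegotiate command),
# give the server time to answer, then 'Q' to close the session.
probe_renegotiation() {
    { sleep 2; printf 'R\n'; sleep 2; printf 'Q\n'; } \
        | openssl s_client -connect "$1:$2" -state 2>&1 \
        | classify_renegotiation
}

# Constructed transcript: the server completes the second handshake.
SAMPLE_ACCEPTED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSL negotiation finished successfully'

# Constructed transcript: the server rejects the second handshake.
SAMPLE_REFUSED='SSL_connect:SSL negotiation finished successfully
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error'
case $# in
    2) probe_renegotiation "$1" "$2" ;;
    *) printf '%s\n' "$SAMPLE_ACCEPTED" | classify_renegotiation   # ACCEPTED
       printf '%s\n' "$SAMPLE_REFUSED"  | classify_renegotiation ;; # REFUSED
esac
```

Run it with no arguments to see the classifier on the constructed transcripts, or with `HOST PORT` (for example your IMAPS port 993) to probe a server you administer.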
Participants (4):
- Aki Tuomi
- Andrey Fesenko
- djk
- Osiris