Avoiding POODLE vulnerability
Hi all,
Ten years after the fact I learned about POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities, which enable a poorly configured server to force my client to downgrade to vulnerable encryption.
My current conf.d/10-ssl.conf contains the following line:
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
I've read that I should change the preceding line to the following:
ssl_protocols = !SSLv3 !SSLv2
Is this correct?
For some reason I have the same ssl_cipher_list in dovecot.conf. Should I make the change there too?
Is there anything else I need to change? The following is my current dovecot.conf:
=================================================
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.12_1 x86_64
# Hostname: mydesk.domain.cxm
mail_location = maildir:~/mail/Maildir:INBOX=~/mail/Maildir/.INBOX
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = pam
  args = %s
}
userdb {
  driver = passwd
}
protocols = imap
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    port = 993
    #port = 0
    ssl = yes
    #ssl = no
  }
}
ssl = required
#ssl = yes
ssl_cert = </etc/ssl/dovecot_certs/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
ssl_key = </etc/ssl/dovecot_certs/private/dovecot.pem
=================================================
By the way, does the preceding dovecot.conf even use the files in directories off conf.d?
Thanks,
SteveT
Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century http://www.troubleshooters.com/rl21
Steve Litt said on Sat, 18 Nov 2023 16:42:42 -0500
Hi all,
Ten years after the fact I learned about POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities, which enable a poorly configured server to force my client to downgrade to vulnerable encryption.
My current conf.d/10-ssl.conf contains the following line:
[snip]
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
Thanks,
SteveT
Steve Litt
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,
# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
Michael Orlitzky said on Sat, 18 Nov 2023 17:31:49 -0500
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,
# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
Nice! I'll make that change tomorrow. Thanks!
SteveT
Steve Litt
On Sun, 19 Nov 2023, Steve Litt wrote:
Michael Orlitzky said on Sat, 18 Nov 2023 17:31:49 -0500
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,
# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
Nice! I'll make that change tomorrow. Thanks!
Note that the above is actually the *default*, at least in the debian 12 (bookworm) version, so you should not have to do anything.
(and generally it is not recommended to deviate from defaults unless you really know what you're doing, otherwise you may end up actually worsening the security wrt the defaults).
Good luck.
Bernardo Reino said on Sun, 19 Nov 2023 09:04:15 +0100 (CET)
On Sun, 19 Nov 2023, Steve Litt wrote:
Michael Orlitzky said on Sat, 18 Nov 2023 17:31:49 -0500
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,
# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
Nice! I'll make that change tomorrow. Thanks!
Note that the above is actually the *default*, at least in the debian 12 (bookworm) version, so you should not have to do anything.
(and generally it is not recommended to deviate from defaults unless you really know what you're doing, otherwise you may end up actually worsening the security wrt the defaults).
Thanks Bernardo,
I use Void Linux, not Debian. Is there a command that tells me the defaults?
Thanks,
SteveT
Steve Litt
On Sun, 2023-11-19 at 15:33 -0500, Steve Litt wrote:
Thanks Bernardo,
I use Void Linux, not Debian. Is there a command that tells me the defaults?
The one I typed :)
The doveconf command has a few flags that control what settings are displayed, and "-d" tells it to show the defaults as opposed to what is currently in use.
Bernardo Reino said on Sun, 19 Nov 2023 09:04:15 +0100 (CET)
On Sun, 19 Nov 2023, Steve Litt wrote:
Michael Orlitzky said on Sat, 18 Nov 2023 17:31:49 -0500
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit x86_64 Void Linux computer using runit for its init system. I populate Dovecot's Maildir via fetchmail and procmail.
You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,
# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
Nice! I'll make that change tomorrow. Thanks!
Note that the above is actually the *default*, at least in the debian 12 (bookworm) version, so you should not have to do anything.
(and generally it is not recommended to deviate from defaults unless you really know what you're doing, otherwise you may end up actually worsening the security wrt the defaults).
Good luck.
Thanks Bernardo,
doveconf -d shows that I have no such config key as ssl_protocols, my ssl_min_protocol is TLSv1.2, and the default ssl_cipher_list is the following huge string:
ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
Is the preceding the safest and most bug free, or should I modify it in dovecot.conf?
Thanks,
SteveT
Steve Litt
On Sun, 2023-11-19 at 18:28 -0500, Steve Litt wrote:
doveconf -d shows that I have no such config key as ssl_protocols, my ssl_min_protocol is TLSv1.2, and the default ssl_cipher_list is the following huge string:
ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
Is the preceding the safest and most bug free, or should I modify it in dovecot.conf?
That's the dovecot default and it's reasonably safe. If you're the only user, you can play around with it and watch the logs to see if it changes the cipher that your mail client negotiates... but otherwise you're more likely to create obscure problems than you are to improve anything.
The string above is intended to enable all ciphers and then blacklist the weak ones. A few are excluded by name, but most are excluded via the LOW and EXPORT groups. (Newer versions of OpenSSL once again do this for you; man openssl-ciphers tells me that LOW, EXPORT, kDHd, and DES have all been removed as of openssl-1.1.0.)
You could try to improve this by excluding (say) the MEDIUM group, but you risk breaking clients. The list above ends with @STRENGTH to prefer stronger ciphers. That means that if you have any clients connecting with a MEDIUM strength cipher, it's because they can't use anything better -- disabling MEDIUM will cause problems.
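
Added example (not part of the thread and not Dovecot project code): a POSIX shell function that reads doveconf-style "key = value" text and reports the TLS settings discussed above that differ from the defaults quoted in this thread. The names audit_tls and sample_conf and the finding labels are made up for this example, and the sample input is constructed from the settings in the first post.

```sh
#!/bin/sh
# Added example. Default cipher list exactly as quoted in the thread.
DEFAULT_CIPHERS='ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'

# Constructed sample: the cipher list from the first post plus the
# ssl_protocols line the poster was considering.
sample_conf() {
    cat <<'EOF'
ssl = required
#ssl = yes
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
ssl_protocols = !SSLv3 !SSLv2
EOF
}

# audit_tls: read config text on stdin, print one finding per line.
# Prints nothing when the settings match the defaults from the thread.
audit_tls() {
    awk -v def="$DEFAULT_CIPHERS" '
        /^[ \t]*#/ { next }                  # ignore commented-out settings
        {
            eq = index($0, "=")
            if (eq == 0) next                # block openers/closers, blanks
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "ssl_min_protocol" {
            seen_min = 1
            # Anything other than TLSv1.2 or TLSv1.3 is treated here as
            # below the default shown in the thread.
            if (val !~ /^TLSv1\.[23]$/) print "WEAK ssl_min_protocol=" val
        }
        # The thread reports that doveconf -d on 2.3 lists no ssl_protocols key.
        key == "ssl_protocols" { print "LEGACY ssl_protocols=" val }
        key == "ssl_cipher_list" && val != def {
            print "NONDEFAULT ssl_cipher_list=" val
        }
        END { if (!seen_min) print "INFO ssl_min_protocol not set, default applies" }
    '
}

sample_conf | audit_tls
```

On a live system the same function can be fed from doveconf -n, which prints only the settings that differ from the defaults.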