[Dovecot] disabling SSLv2 in dovecot 1.2.17
I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak ones) in the hope of preventing SSLv2 connections:
ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : @STRENGTH
However, this doesn't prevent the SSLv2 connection being allowed as our Nessus scans show and I'm tasked with trying to plug that "hole".
I see Dovecot2 had the following change a year or so ago, in file src/login-common/ssl-proxy-openssl.c:
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect; however I am very hesitant about putting this into our production system without seeking advice here first :-)
Have I missed anything that's obviously bad about doing this please?
Thanks again, Steve Platt
On Thu, 08 Mar 2012 19:04:47 +0000, Steve Platt <steve.platt@mrc-bsu.cam.ac.uk> wrote:
I've set up a list of ciphers that excludes SSLv2 ciphers (and other weak ones) in the hope of preventing SSLv2 connections:
ssl_cipher_list = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : @STRENGTH
I tried making the same change to dovecot1's src tree on our test system and it seems to have the desired effect;
No need to change sources. Try this and see if it serves your purpose:
ssl = required
ssl_cipher_list = HIGH:!SSLv2:!aNULL:!MD5:!DES:!3DES
M.
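The thread's underlying point is that a cipher string only filters cipher suites, while disabling a protocol version (what the SSL_OP_NO_SSLv2 change in ssl-proxy-openssl.c does) is a separate setting on the SSL context. The following is an added illustration, not code from the thread or from Dovecot: it uses Python's standard ssl module as a stand-in for Dovecot's OpenSSL calls, applies Mark's cipher string (with the colon between !MD5 and !DES supplied), and shows that the cipher filter leaves the protocol floor untouched until it is set explicitly. `minimum_version` is assumed here as the modern equivalent of the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 options; SSLv2 itself is no longer present in current OpenSSL builds, so the example raises the floor to TLS 1.2.

```python
import ssl

# Cipher string from Mark's reply, with the missing ':' between !MD5 and !DES added.
CIPHER_LIST = "HIGH:!SSLv2:!aNULL:!MD5:!DES:!3DES"

# Substrings that identify suites the cipher string is meant to exclude.
WEAK_MARKERS = ("DES", "MD5", "RC4", "NULL", "EXP")


def cipher_only_context() -> ssl.SSLContext:
    """The ssl_cipher_list-only approach: suites are filtered, but nothing is
    said about which protocol versions the server will accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(CIPHER_LIST)
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Same cipher filter plus an explicit protocol floor. Raising
    minimum_version is the modern counterpart of OR-ing SSL_OP_NO_SSLv2
    (and SSL_OP_NO_SSLv3) into the SSL_CTX options."""
    ctx = cipher_only_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the suites the context would offer after the cipher string."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites still enabled that match one of the weak markers (expected: none)."""
    return [n for n in enabled_cipher_names(ctx)
            if any(marker in n for marker in WEAK_MARKERS)]


def cipher_list_changed_protocol_floor() -> bool:
    """True if set_ciphers() moved minimum_version away from the default for a
    fresh context. It does not, which is why a cipher string alone cannot close
    a protocol-version finding."""
    default_floor = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).minimum_version
    return cipher_only_context().minimum_version != default_floor


def protocol_floor_name(ctx: ssl.SSLContext) -> str:
    """Human-readable name of the context's minimum protocol version."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    weak = cipher_only_context()
    hard = hardened_context()
    print("cipher string only: floor =", protocol_floor_name(weak),
          "weak suites =", weak_ciphers(weak))
    print("with protocol floor: floor =", protocol_floor_name(hard),
          "weak suites =", weak_ciphers(hard))
```

Running it prints the same (empty) list of weak suites for both contexts, but only the second context reports a TLS 1.2 floor; the first keeps whatever the library default is. That is the same gap the Nessus finding in the thread exposed: the cipher string was doing its job, and the protocol version had to be disabled separately.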
participants (2)
- Mark Alan
- Steve Platt