On October 19, 2014 5:25:01 PM Marc Rantanen <marc@eciceron.se> wrote:
Hi, how do I protect dovecot 1.2.17 against poodle?
http://en.m.wikipedia.org/wiki/Poodle
If its not that then sorry, tell more to get more help
I'm pretty sure he means http://en.m.wikipedia.org/wiki/POODLE
On 25 October 2014 10:45, Benny Pedersen <me@junc.eu> wrote:
On October 25, 2014 9:49:47 AM Muzaffer Tolga Ozses <tolga@ozses.net> wrote:
I'm pretty sure he means http://en.m.wikipedia.org/wiki/POODLE
Nice wiki, but is that sslv3 problem not better solved in openssl then screwup dovecot ?
Yes i am using 1.2.17 in gentoo, with latest openssl problem fixes, its never ending route to keep up with ssl fixes
Marc Rantanen:
Hi, how do I protect dovecot 1.2.17 against poodle?
<anything without warranty, totally untested ...> I just looked into the sourcecode. looks like there was an option "ssl_protocols" in dovecot.conf. ( check: dovecot -a | grep ssl_protocols ) then you should be able to set "ssl_protocols = !SSLv2 !SSLv3" restart and check: openssl s_client -connect $dovecot_host:imaps -tls1 should work while openssl s_client -connect $dovecot_host:imaps -ssl3 should not (or use pop3s) Also if you could recompile from source then you may test the following patch. At a first glance it should only avoid dovecot connect to a next dovecot via SSLv3 Index: src/lib-ssl-iostream/iostream-openssl-context.c =================================================================== --- src.orig/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 22:59:28.000000000 +0200 +++ src/lib-ssl-iostream/iostream-openssl-context.c 2014-10-25 23:00:12.000000000 +0200 @@ -358,7 +358,7 @@ /* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); if (SSL_CTX_need_tmp_RSA(ctx->ssl_ctx)) SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, ssl_gen_rsa_key); Index: src/login-common/ssl-proxy-openssl.c =================================================================== --- src.orig/login-common/ssl-proxy-openssl.c 2014-10-25 23:00:36.000000000 +0200 +++ src/login-common/ssl-proxy-openssl.c 2014-10-25 23:02:19.000000000 +0200 @@ -973,8 +973,8 @@ /* enable all SSL workarounds, except empty fragments as it makes SSL more vulnerable against attacks */ - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & - ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); + SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) | + (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)); #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
participants (5)
-
A. Schulze
-
Benny Pedersen
-
Marc Rantanen
-
Muzaffer Tolga Ozses
-
Reindl Harald