[Dovecot] IMAP and POP3 per SSL

Robert Schetterer robert at schetterer.org
Tue Mar 20 13:34:58 EET 2012


Am 20.03.2012 12:32, schrieb Robert Schetterer:
> Am 20.03.2012 12:16, schrieb Lamprecht, Andreas:
>> Hi!
>>  
>> I'm new to this list and I could not find a way to search through the already posted articles, so please forgive me if this subject has been discussed before.
>>  
>> Our security scanner stumbled over the IMAPs server I've set up recently using dovecot on a RedHat Enterprise 64bit Server.
>> The security scanner found an error regarding a new SSL security leak named "BEAST". The exact error number is CVE-2011-3389. Details can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
>>
>> "The internet" has some workarounds for this problem. For example, in Apache webserver, you need to set
>>
>>   SSLHonorCipherOrder On
>>
>> in apache config. This results in the following C-Code being executed:
>>
>>         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
>>
>> This setting tells OpenSSL not to honor the Cipher Order sent from the client, but prefer its own configured set of CipherSuites. According to Qualys SSL Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured with this setting is not affected by that BEAST security leak.
>>
>> Is there a way to implement such a setting into Dovecot, too?
>>
>> I have created a very quick and dirty solution to avoid being listed on our internal security problem's list.
>> This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 6.2:
>>
>> *** src/login-common/ssl-proxy-openssl.c        2010-12-30 10:42:54.000000000 +0100
>> --- src/login-common/ssl-proxy-openssl.c_1      2012-03-20 09:48:28.359508087 +0100
>> ***************
>> *** 924,930 ****
>>         X509_STORE *store;
>>         STACK_OF(X509_NAME) *xnames = NULL;
>>
>> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>         if (*set->ssl_ca != '\0') {
>>                 /* set trusted CA certs */
>>                 store = SSL_CTX_get_cert_store(ssl_ctx);
>> --- 924,930 ----
>>         X509_STORE *store;
>>         STACK_OF(X509_NAME) *xnames = NULL;
>>
>> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE );
>>         if (*set->ssl_ca != '\0') {
>>                 /* set trusted CA certs */
>>                 store = SSL_CTX_get_cert_store(ssl_ctx);
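Review bot: the new flag is ORed into the `SSL_CTX_set_options` call unconditionally, so there is no way for an operator to turn it off (the message itself notes this); gate it on a boolean taken from the `set` structure that the very next line already consults (`if (*set->ssl_ca != '\0')`), so that `SSL_OP_CIPHER_SERVER_PREFERENCE` is only added when the setting is enabled. The stray space before the closing parenthesis in `SSL_OP_CIPHER_SERVER_PREFERENCE );` should also be dropped to match the surrounding style.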
>>
>>
>> Of course there should be a way to switch this setting on or off, but my C programming skills are rather basic ...
>>
>> So, maybe you have the time to look over it and implement a final solution for the BEAST problem.
>>
>> Greetings
>> Andreas Lamprecht
>>
> 
> perhaps look at
> 
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
> 

and perhaps have a look at
http://hg.dovecot.org/dovecot-2.0/rev/e3d46fd04105

and upgrade your dove version to dovecot 2.0.18

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
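The switchable server-cipher-preference setting Andreas asks for, sketched with Python's standard `ssl` module instead of Dovecot's C code. This is an added example, not code from the thread or from Dovecot; the cipher list, the helper names and the AEAD-only policy are assumptions chosen for illustration.

```python
import ssl

# Constructed cipher order for the example: AEAD (GCM) suites only, so that
# no CBC suite, the mode CVE-2011-3389 (BEAST) targets in TLS 1.0, is offered.
SERVER_CIPHER_ORDER = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
)


def build_server_context(prefer_server_ciphers: bool) -> ssl.SSLContext:
    """Server context whose cipher-order policy is driven by a setting,
    instead of hard-coding SSL_OP_CIPHER_SERVER_PREFERENCE as the patch does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 CBC is what BEAST abuses
    ctx.set_ciphers(SERVER_CIPHER_ORDER)          # the order the server will impose
    if prefer_server_ciphers:
        # Equivalent of Apache's SSLHonorCipherOrder On: ignore client ordering.
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        # Python enables this flag by default; clear it via plain ints so the
        # result stays a non-negative option mask.
        ctx.options = int(ctx.options) & ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    return ctx


def honours_server_order(ctx: ssl.SSLContext) -> bool:
    """True when the context will pick from its own list rather than the client's."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def all_aead(ctx: ssl.SSLContext) -> bool:
    """True when every suite the context can negotiate is an AEAD suite
    (OpenSSL reports these with 'Mac=AEAD' in the cipher description)."""
    return all("Mac=AEAD" in c["description"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for flag in (True, False):
        ctx = build_server_context(flag)
        print(f"prefer_server_ciphers={flag}: honours_server_order={honours_server_order(ctx)}, "
              f"all_aead={all_aead(ctx)}")
```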
