Disabling SSLv3 protocol

Timo Sirainen tss at iki.fi
Tue Oct 14 23:28:46 UTC 2014


On 14 Oct 2014, at 12:25, Timo Sirainen <tss at iki.fi> wrote:

> Since people are now talking about the SSLv3 security hole and how to disable it, here's a thread where you can talk about that. In Dovecot v2.1+ you can disable SSLv3 by setting:
> 
> ssl_protocols = !SSLv2 !SSLv3
> 
> In older versions you'd have to patch the source code. Attached a patch against v2.0. 

It might be possible in older versions to also modify ssl_cipher_list to disable the SSLv3 ciphers. But I'm not sure if that actually works (especially without breaking TLSv1 as well).

Anyway, https://www.openssl.org/~bodo/ssl-poodle.pdf describes how to use the problem against web services with an attack similar to BEAST. My understanding is that this kind of attack is difficult or impossible to use against the IMAP/POP3 protocols, because the clients always send the same pre-login data and there's nothing the attacker can do about that. It would be a good time now anyway to get rid of the SSLv3 protocol, just in case there is a way to attack it.
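After setting ssl_protocols as described above, a defender will want to confirm from the outside that the server no longer negotiates SSLv3. The script below is an added example, not Dovecot's code or part of this thread: it sends a hand-built SSLv3 ClientHello (so it does not depend on the local OpenSSL still supporting SSLv3, unlike `openssl s_client -ssl3`) over IMAP STARTTLS and classifies the first record the server returns. The host and port are assumptions to fill in.

```python
import socket
import struct

# Minimal SSLv3 ClientHello: record version 3.0, a fixed all-zero random,
# empty session id, three SSLv3-era cipher suites, null compression.
def build_sslv3_client_hello():
    suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (b"\x03\x00" + b"\x00" * 32 + b"\x00" +
            struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server sends after our SSLv3 ClientHello:
    'accepted' = ServerHello at version 3.0 (SSLv3 still enabled),
    'rejected' = alert record (handshake_failure / protocol_version),
    'unknown'  = anything else (empty read, plaintext, garbage)."""
    if len(data) < 5:
        return "unknown"
    ctype, major, minor = data[0], data[1], data[2]
    if ctype == 0x16 and (major, minor) == (3, 0) and len(data) > 5 and data[5] == 0x02:
        return "accepted"
    if ctype == 0x15:
        return "rejected"
    return "unknown"

def check_sslv3(host, port=143, starttls=True, timeout=5):
    """Connect to an IMAP server (assumed host/port), optionally upgrade with
    STARTTLS, offer only SSLv3 and report whether the server takes it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if starttls:
            s.recv(1024)                      # server greeting
            s.sendall(b"a1 STARTTLS\r\n")
            if not s.recv(1024).startswith(b"a1 OK"):
                return "unknown"              # STARTTLS not offered
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except (socket.timeout, ConnectionError):
            return "rejected"                 # server just dropped us

if __name__ == "__main__":
    print(check_sslv3("imap.example.org"))    # hypothetical host
```

A result of `rejected` after the config change (and `accepted` before it) confirms the setting took effect; `unknown` usually means the greeting or STARTTLS reply was not what the script expected.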


