Dovecot 1.2.17 poodle

A. Schulze sca at andreasschulze.de
Sat Oct 25 21:14:15 UTC 2014


Marc Rantanen:

> Hi, how do I protect dovecot 1.2.17 against poodle?

<anything without warranty, totally untested ...>

I just looked into the source code. Looks like there was an option "ssl_protocols" in dovecot.conf.
( check: dovecot -a | grep ssl_protocols )

Then you should be able to set "ssl_protocols = !SSLv2 !SSLv3", restart, and check:
   openssl s_client -connect $dovecot_host:imaps -tls1 should work while
   openssl s_client -connect $dovecot_host:imaps -ssl3 should not
(or use pop3s)

Also, if you can recompile from source, you may test the following patch.
At first glance it should only prevent dovecot from connecting to a next dovecot via SSLv3.

Index: src/lib-ssl-iostream/iostream-openssl-context.c
===================================================================
--- src.orig/lib-ssl-iostream/iostream-openssl-context.c         
2014-10-25 22:59:28.000000000 +0200
+++ src/lib-ssl-iostream/iostream-openssl-context.c     2014-10-25  
23:00:12.000000000 +0200
@@ -358,7 +358,7 @@

         /* enable all SSL workarounds, except empty fragments as it
            makes SSL more vulnerable against attacks */
-       SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 |
+       SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 |  
SSL_OP_NO_SSLv3) |
                             (SSL_OP_ALL &  
~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
         if (SSL_CTX_need_tmp_RSA(ctx->ssl_ctx))
                 SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, ssl_gen_rsa_key);
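Review bot: the added `(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` in the lib-ssl-iostream context disables SSLv3 unconditionally, so it cannot be re-enabled through the `ssl_protocols` setting mentioned earlier in the mail; that is fine for a POODLE hotfix, but a one-line comment stating the intent (reject SSLv3 on the dovecot-to-dovecot side) would help the next reader, and the grouping parentheses around the two `SSL_OP_NO_*` flags are redundant since `|` already associates left to right. Since the author marks the patch as untested, a compile check is the minimum before applying it.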
Index: src/login-common/ssl-proxy-openssl.c
===================================================================
--- src.orig/login-common/ssl-proxy-openssl.c   2014-10-25  
23:00:36.000000000 +0200
+++ src/login-common/ssl-proxy-openssl.c        2014-10-25  
23:02:19.000000000 +0200
@@ -973,8 +973,8 @@

         /* enable all SSL workarounds, except empty fragments as it
            makes SSL more vulnerable against attacks */
-       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
-                           ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+        SSL_CTX_set_options(ctx->ssl_ctx, (SSL_OP_NO_SSLv2 |  
SSL_OP_NO_SSLv3) |
+                            (SSL_OP_ALL &  
~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));

  #ifdef SSL_MODE_RELEASE_BUFFERS
         SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
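Review bot: the replacement lines reference `ctx->ssl_ctx`, but the removed lines and the unchanged context line `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` use the plain `ssl_ctx` variable, so this hunk looks copy-pasted from the lib-ssl-iostream file and will not compile in ssl-proxy-openssl.c unless a `ctx` exists in that function. It should read `SSL_CTX_set_options(ssl_ctx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) |` with the same `ssl_ctx` as the surrounding code; the added lines are also indented one space deeper than the lines they replace.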

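The "-tls1 should work while -ssl3 should not" check from the mail above, scripted. This is an added example, not code from the post or from the Dovecot project; the transcripts in it are constructed samples, and `probe` assumes an `openssl` binary in PATH and a reachable host.

```shell
#!/bin/sh
# Added example, not from the post or the Dovecot project: classifies an
# `openssl s_client` transcript so the SSLv3/TLSv1 check above can be
# scripted. The transcripts below are constructed samples, not captures
# from a real server.
# verdict PROTO TRANSCRIPT -> prints accepted | refused | inconclusive.
# A completed handshake prints "Protocol : PROTO" and a cipher name; a
# refused one prints "Cipher : 0000" and/or a handshake-failure alert; an
# openssl built without SSLv3 rejects -ssl3 itself, proving nothing.
verdict() {
  proto=$1
  transcript=$2
  if printf '%s\n' "$transcript" | grep -qi 'unknown option'; then
    echo inconclusive; return 0
  fi
  if printf '%s\n' "$transcript" | grep -q -e 'handshake failure' -e 'Cipher *: 0000'; then
    echo refused; return 0
  fi
  if printf '%s\n' "$transcript" | grep -q "Protocol *: $proto"; then
    echo accepted; return 0
  fi
  echo inconclusive
}

# probe HOST PORT FLAG PROTO, e.g. probe mail.example.com 993 -ssl3 SSLv3
# (assumes openssl in PATH and a reachable host; imaps=993, pop3s=995)
probe() {
  out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
  verdict "$4" "$out"
}

# Constructed sample transcripts (abridged to the lines that matter).
SSLV3_STILL_ENABLED=$(cat <<'EOF'
CONNECTED(00000003)
New, SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
)
SSLV3_DISABLED=$(cat <<'EOF'
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
)
CLIENT_LACKS_SSLV3='s_client: Unknown option: -ssl3'
```

After the `ssl_protocols` change, `probe "$dovecot_host" 993 -ssl3 SSLv3` should print `refused` and `probe "$dovecot_host" 993 -tls1 TLSv1` should print `accepted`; an `inconclusive` result means the client side, not the server, decided the outcome.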
