New FREAK SSL Attack CVE-2015-0204

Adrian Minta adrian.minta at gmail.com
Wed Mar 4 16:36:07 UTC 2015


On 04.03.2015 18:19, Emmanuel Dreyfus wrote:
> On Wed, Mar 04, 2015 at 06:13:31PM +0200, Adrian Minta wrote:
>> Hello,
>> about the CVE-2015-0204, in apache the following config seems to disable
>> this vulnerability:
>>   SSLProtocol All -SSLv2 -SSLv3
>>   SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
>>
>> Is something similar possible with dovecot?
> I use this with some success:
>
> # dovecot has built-in protection against BEAST, therefore no need
> # to remove -SSLv2-SHA1:-TLSv10-SHA1
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
>
> I only had a single report of an old client being locked out. Oddly it
> was a recent Windows Phone that was perfectly capable of using
> latest protocol and ciphers.
>
> While there, I will self advertise my own paper on TLS hardening:
> http://arxiv.org/abs/1407.2168
>

Thank you for the answer.
Is the "!EXPORT" part included in "ECDH@STRENGTH:DH@STRENGTH:HIGH", or
must it be added as well?

-- 
Best regards,
Adrian Minta
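
The question above can be checked empirically by expanding a cipher string and looking for export-grade suites in the result. The following is an added example, not part of the original message or of dovecot; the helper names (`classify`, `expand`, `audit`) are hypothetical, and the result reflects the OpenSSL build linked into Python, which may differ from the one the mail server uses.

```python
import ssl

# Cipher strings quoted in the thread ("@STRENGTH" is OpenSSL's sort directive).
THREAD_LISTS = {
    "apache": "HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4",
    "dovecot": "ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL",
}

def classify(name, strength_bits):
    """Label a suite as a problem, or return None if it looks acceptable."""
    if name.startswith("EXP"):      # OpenSSL names export suites EXP-* / EXP1024-*
        return "export"
    if strength_bits == 0:          # eNULL suites: integrity only, no encryption
        return "null-encryption"
    if strength_bits < 112:         # e.g. single DES at 56 bits
        return "weak-key"
    return None

def expand(cipher_list):
    """Return the suites the local OpenSSL enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)    # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def audit(cipher_list):
    """List (suite name, problem label) for every flagged suite."""
    findings = []
    for suite in expand(cipher_list):
        label = classify(suite["name"], suite["strength_bits"])
        if label:
            findings.append((suite["name"], label))
    return findings

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for who, cipher_list in THREAD_LISTS.items():
        print(who, audit(cipher_list) or "no export/null/weak suites enabled")
```

Running the same strings through `openssl ciphers -v` on the server itself gives the expansion for the library the daemon actually loads.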



