Secure Client-Initiated Renegotiation

John Fawcett john at voipsupport.it
Fri Apr 12 09:20:46 EEST 2019


On 11/04/2019 23:28, sergio via dovecot wrote:
> Hello.
>
> I've just tested my system that runs dovecot 2.3.4.1 on debian buster
> with testssl.sh (https://testssl.sh/) and it says:
>
> Secure Renegotiation (CVE-2009-3555)    not vulnerable (OK)
> Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), potential
> DoS threat
>
> Is this a configuration or a compilation issue and how to solve it?
>
This should be interpreted as meaning that client-initiated
renegotiation is enabled. The tool does not test whether the software
mitigates the DoS threat by limiting the number of renegotiations to a
configurable limit.

Having said that, I think that mitigating this in dovecot would require
a code change. What I'm not sure about is whether the best route would
be to turn off client-side renegotiation or only limit it. A previous
version of openssl turned it off but then it was re-introduced. That
would require further investigation to understand the best solution.

John
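The probe below is an added example, not code from this thread or from the dovecot project. It reproduces what the "Secure Client-Initiated Renegotiation" line in testssl.sh reports: whether the server accepts a renegotiation that the client starts. It relies on a documented openssl s_client behaviour (a line containing only "R" on stdin triggers a renegotiation and prints RENEGOTIATING), forces TLS 1.2 or lower with -no_tls1_3 because TLS 1.3 has no renegotiation at all, and classifies the transcript with a simple heuristic; the IMAP command sent after the renegotiation, the host name and the port are assumptions for an IMAPS (dovecot) listener.

```shell
#!/bin/sh
# Added example (not from the dovecot thread or the dovecot project).
# Checks whether a TLS server accepts client-initiated renegotiation, which
# is what testssl.sh's "Secure Client-Initiated Renegotiation" line reports.
#
# Mechanism: openssl s_client renegotiates when a line containing only "R"
# is written to its stdin (this is disabled by -quiet and -ign_eof, so neither
# is used) and prints RENEGOTIATING on stderr. -state makes it print alerts
# such as "no renegotiation". -no_tls1_3 forces TLS 1.2 or lower, since a
# TLS 1.3 session can never exercise this check.
# Assumed target: an IMAPS listener (dovecot on port 993); host is a placeholder.

# classify_reneg TRANSCRIPT: prints accepted | refused | unknown (heuristic)
classify_reneg() {
    t="$1"
    if ! printf '%s\n' "$t" | grep -q 'RENEGOTIATING'; then
        echo unknown          # the R command never ran (e.g. TLS connect failed)
        return 0
    fi
    if printf '%s\n' "$t" | grep -qi 'no renegotiation'; then
        echo refused          # server answered with a no_renegotiation alert
        return 0
    fi
    # Did the session survive? "a1 NOOP" is sent after R; an "a1 OK" reply
    # after the RENEGOTIATING marker means the renegotiation went through.
    if printf '%s\n' "$t" | sed -n '/RENEGOTIATING/,$p' | grep -q '^a1 OK'; then
        echo accepted
    else
        echo refused          # connection dropped or handshake failed after R
    fi
    return 0
}

# probe_reneg HOST [PORT]: run the live probe and classify its transcript
probe_reneg() {
    host="$1"; port="${2:-993}"
    # Wait for the greeting, renegotiate, then send an IMAP NOOP (assumed
    # protocol) so the transcript shows whether the session is still usable.
    transcript=$( { sleep 1; printf 'R\n'; sleep 2; printf 'a1 NOOP\n'; sleep 2; } \
        | openssl s_client -connect "$host:$port" -no_tls1_3 -state 2>&1 )
    classify_reneg "$transcript"
}

# Usage (needs network; host is a placeholder):
# probe_reneg imap.example.org 993
```

A result of "accepted" matches the VULNERABLE verdict in the original report: the server let an unauthenticated client force a fresh handshake, and nothing in this probe tells you whether a limit on the number of renegotiations exists. On the server side, OpenSSL 1.1.0h and later provide the SSL_OP_NO_RENEGOTIATION context option, which makes the server refuse (with a no_renegotiation alert) any renegotiation the peer initiates; whether dovecot sets it is a question for the dovecot code, not something this probe can answer.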
