Bug#729028: perdition: ssl_outgoing_ciphers not applied to STARTTLS connections

[Daniel Kahn Gillmor]

Package: perdition
Version: 1.19~rc4-2
Control: found -1 1.19~rc5-1 
Control: found -1 2.0-1
Tags: patch security upstream
Forwarded: perdition-us...@vergenet.net

Perdition(8) says:

        --ssl_outgoing_ciphers STRING:

              Cipher list when making outgoing SSL or TLS connections as
              per ciphers(1). If empty ("") then openssl's default will
              be used.  (default "")

However, this is only the case for outgoing connections that do not use
STARTTLS (the perdition terminology is confusing here, since what it
calls "TLS" actually means "start as cleartext, negotiate to encrypted
via STARTTLS" and what it calls "SSL" actually means "start SSL or TLS
session, run service inside that").

Here's the fix:

diff -r 046a7b19cd5b perdition/perdition.c
--- a/perdition/perdition.c     Thu Nov 07 21:23:31 2013 -0500
+++ b/perdition/perdition.c     Thu Nov 07 21:49:39 2013 -0500
@@ -985,7 +985,7 @@
     else if((opt.ssl_mode & SSL_MODE_TLS_OUTGOING) &&
           (status & PROTOCOL_S_STARTTLS)) {
       server_io=perdition_ssl_client_connection(server_io, opt.ssl_ca_file, 
-                     opt.ssl_ca_path, opt.ssl_listen_ciphers, servername);
+                     opt.ssl_ca_path, opt.ssl_outgoing_ciphers, servername);
       if(!server_io) {
         VANESSA_LOGGER_DEBUG("perdition_ssl_connection outgoing");
         VANESSA_LOGGER_ERR("Fatal error establishing SSL connection");


This is a security concern because it means that perdition is not
obeying the specifications of the administrator, and may accept weaker
ciphersuites than instructed on its backhaul connections.

Consider the case where an administrator wants to offer relatively
promiscuous IMAP connections to their end users -- if the user's MUA
only has some weak cipher suite or cleartext IMAP, we want to accept the
weak ciphersuite as better than nothing.  However, the admin's backend
IMAP servers are all under her control, and she knows that they are
capable of stronger ciphersuites.  in this case, ssl_listen_ciphers will
allow weak ciphers, and ssl_outgoing_ciphers will be strict and require
high security, to at least protect the link between perdition and the
backend IMAP server.

However, if this outgoing connection happens to use IMAP+STARTTLS
instead of IMAPS, the bug described here will offer weak ciphersuites to
the backend IMAP server.

All versions of perdition in debian currently have this flaw.  I've
reported it to the upstream mailing list, but for whatever reason the
message hasn't cleared that mailing list yet.

Regards, 

         --dkg

pgp3dQwsU640e.pgp
Description: PGP signature