Package: dovecot
Version: 1:1.2.15-3
Severity: important
Tags: security

Hi,

After installing dovecot it comes with insecure SSL ciphers enabled by

Luckily I saw that SSLv2 is now default disabled, but even with SSLv3 and TLSv1 dovecot enables 40 bit ciphers:

EXP-EDH-RSA-DES-CBC-SHA 40 bits
EXP-RC4-MD5 40 bits
EXP-DES-CBC-SHA 40 bits
EXP-RC2-CBC-MD5 40 bits

40 bits is easily crackable, and such ciphers are a problem not only for users that have misconfigured clients and think they might be secure, but because the negotiation happens (obviously) before the SSL connection is established, an attacker could influence it and manipulate it into a lower encryption.

The following seems to be an acceptable set of ciphers while still allowing mainstream clients to connect:

ssl_cipher_list = HIGH:MEDIUM:!ADH:+TLSv1:!SSLv2:+SSLv3

Cheers,
Thijs

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
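The check below is an added example and is not part of the bug report or of the dovecot package: it parses the output format of `openssl ciphers -v` and flags the kinds of suite the report objects to (export-grade / sub-128-bit keys, and anonymous DH suites, which the `!ADH` term in the proposed `ssl_cipher_list` excludes). The sample output embedded in the script is constructed by hand from the cipher names quoted above, not captured from the reporter's system; the optional `resolve()` helper runs the local `openssl` binary on a cipher string so the same audit can be applied to a candidate `ssl_cipher_list` value before it goes into dovecot.conf.

```python
import re
import shutil
import subprocess

# Constructed sample in the layout of `openssl ciphers -v`, reconstructed from
# the suites named in the report (plus one strong and one anonymous suite for
# contrast). Not real output from the reporter's machine.
SAMPLE_WEAK = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=ALG(bits),
# Mac=, and an optional trailing "export" marker on export-grade suites.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[\w-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?"
)


def parse_ciphers(text):
    """Yield one dict per cipher line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"]) if d["bits"] else 0
            d["export"] = d["export"] is not None
            yield d


def audit(text, min_bits=128):
    """Return {cipher_name: [reasons]} for every suite that should not be offered.

    Flags export-grade suites, any suite whose symmetric key is shorter than
    min_bits (the 40-bit suites from the report), and anonymous key exchange
    (Au=None), which offers no server authentication at all.
    """
    findings = {}
    for c in parse_ciphers(text):
        reasons = []
        if c["export"] or c["bits"] < min_bits:
            reasons.append("Enc=%s(%d): key too short (< %d bits)"
                           % (c["enc"], c["bits"], min_bits))
        if c["au"] == "None":
            reasons.append("Au=None: anonymous key exchange, no server authentication")
        if reasons:
            findings[c["name"]] = reasons
    return findings


def resolve(cipher_list):
    """Expand a cipher-list string with the local `openssl ciphers -v`.

    Returns the raw -v output, or None when openssl is not installed or
    rejects the string (e.g. because nothing matches). Assumption: an
    OpenSSL CLI is on PATH; modern builds contain no export suites, so the
    audit of the proposed list is expected to be empty there.
    """
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    print("Constructed default (weak) list:")
    for name, reasons in audit(SAMPLE_WEAK).items():
        print("  %-26s %s" % (name, "; ".join(reasons)))

    proposed = "HIGH:MEDIUM:!ADH:+TLSv1:!SSLv2:+SSLv3"
    out = resolve(proposed)
    if out is None:
        print("openssl not available; skipping live check of %r" % proposed)
    else:
        bad = audit(out)
        print("Proposed list %r: %d weak suite(s) %s"
              % (proposed, len(bad), sorted(bad)))
```

Running the script against the constructed sample lists the four EXP suites and the ADH suite with the reason each one is rejected; pointing `resolve()` at a candidate cipher string gives the same report for what the local OpenSSL actually enables. Note that `MEDIUM` in the proposed list still admits 128-bit RC4 suites on the OpenSSL of that era, which this audit accepts at its default threshold.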