Hi Geoff,
I am basically not trying to take any stand on this. I just think it is
time for the users to be able to disable the older protocols if they want
to - as the old protocols are really no longer necessary for the wide
majority of clients - and that is the main reasoning by my patches.
Notice that is also way I leave it false (changing nothing) by default in
the patch.
For reference, you can see this for Ubuntu, they recommend total disabling
SSLv3:
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
"Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services
in your next service window."
So, hope my patches get merged soon :)
/Kristian
On Thu, 16 Oct 2014 11:34:21 +0200, Geoff Winkless <cy...@geoff.dj> wrote:
Hi Kristian
Firstly, many thanks for your work :)
Can you share the source for those recommendations? While I fully agree
that using something that is shown to be >vulnerable is not ideal I'd be
interested to see how they think a similar attack to POODLE could be
implemented for >imap. As I posted to the info list, I've not seen
anything that would suggest that IMAPS/SSLv3 is any less secure than >it
was 10 years ago.
Thanks
On 16 October 2014 02:55, Kristian Kræmmer Nielsen <j...@jkkn.dk> wrote:
Hi,
Two patches for merging....
Thanks for the great work on cyrus imapd.
I have just read various recommendations that we now should disable
SSLv3 not just on HTTPS as POODLE-attack demonstrates but we should
>>expect to see exploits on other services as well like IMAPS and POPS.
I saw that disabling SSLv2 and SSLv3 in fact is already available in
the tls-code but not made available to the user so therefore I have
written the >>attached patch to do just that using a configuration
variable named "tls_tlsonly". It is still by default false, so the
patch should change nothing for >>users that still want to use the old
protocols and may stay that way until an actual imaps-attack is proven.
Also I am including a cleaned up version of Chris Panayis' old patch
for adding tls_ec for Perfect Forward Secrecy:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html
Using PFS is also a security recommendation we should follow. The
default is set to prime256v1 just as sendmail and apache does this.
The patches are made against cyrus-imap-2.4.17 - but they also cleanly
patch against the tip of the git repository of cyrus-imapd if skipping
the >>patch of the man-page.
PFS: https://scotthelme.co.uk/perfect-forward-secrecy/
POODLE:
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html and
https://www.openssl.org/~bodo/ssl-poodle.pdf
Regards
Kristian Kræmmer Nielsen,
Odense, Denmark
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
