On 2014-10-15 16:11, lst_hoe02@xxxxxxxxx wrote:
> Hello,
>
> as of today a new exploit against SSL has been revealed which is a
> protocol weakness of ancient SSLv3. The common advice is to disable
> SSLv3 so the question is how to do this with Cyrus without doing too
> much damage.
>
> The first idea is of course to do something like
>
> tls_cipher_list: ALL:-SSLv3:-SSLv2

As TLSv1.0, 1.1 and SSLv3 seem to share their cipher suites, disabling SSLv3
ciphers not only disables SSLv3, but also all TLS versions except 1.2, which
sadly still breaks a lot of clients.

> in imapd.conf.
>
> But I wonder if this is the correct fix because our default from Ubuntu
> 12.04 looks like this:
>
> tls_cipher_list: TLSv1+HIGH:!aNull:@STRENGTH

This should be sufficient to disable SSLv3, have you tested your server?
(e.g. openssl s_client -ssl3 -starttls imap -connect host:143)

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@xxxxxx | +43 (0)680 301 7167
http://software.tao.at
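The "have you tested your server?" check above, as an added example that is not part of the original thread or of Cyrus: a small Python probe that does the same thing as `openssl s_client -ssl3 -starttls imap -connect host:143`, but builds the SSLv3 ClientHello by hand, so it still works on a machine whose local OpenSSL has SSLv3 compiled out (the usual case today). The hostname in the main block is a placeholder, the tag `a001` and the five cipher-suite ids are assumptions chosen for illustration (the ids are standard IANA values; any suite the server accepts at version 3.0 is enough for the verdict). Only the first server record is inspected; the probe never completes a handshake.

```python
"""Probe an IMAP server for SSLv3 support over STARTTLS (added example)."""
import socket
import struct
import sys

SSLV3 = b"\x03\x00"

# A few cipher suites SSLv3-era servers commonly offered (IANA ids, assumed here).
# The probe only needs the server to accept *any* suite at protocol version 3.0.
PROBE_SUITES = (0x000A, 0x002F, 0x0035, 0x0005, 0x0004)


def build_sslv3_client_hello() -> bytes:
    """Return a handshake record carrying a minimal SSLv3 ClientHello (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in PROBE_SUITES)
    body = (
        SSLV3                                     # client_version = 3.0
        + bytes(32)                               # random (constructed: all zero)
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                             # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data: bytes) -> str:
    """Turn the first record the server sends back into a verdict.

    'sslv3_accepted': a ServerHello with server_version 3.0, i.e. SSLv3 is still on
    'rejected':       an alert (typically protocol_version / handshake_failure)
                      or the server simply closed the connection
    'unexpected':     anything else (e.g. a ServerHello at some other version)
    """
    if len(data) < 5:
        return "rejected"             # EOF before a full record header arrived
    content_type = data[0]
    if content_type == 0x15:          # alert record
        return "rejected"
    if content_type == 0x16 and len(data) >= 11:   # handshake record, version field present
        handshake_type = data[5]
        server_version = data[9:11]
        if handshake_type == 0x02 and server_version == SSLV3:   # type 2 = ServerHello
            return "sslv3_accepted"
    return "unexpected"


def _read_line(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated IMAP line a byte at a time, so no bytes of the
    TLS handshake that follows STARTTLS get swallowed by a buffered reader."""
    line = b""
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection")
        line += chunk
    return line


def probe_imap_starttls(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Connect, issue STARTTLS, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_line(sock)                          # "* OK ..." greeting
        sock.sendall(b"a001 STARTTLS\r\n")
        while True:                               # skip untagged lines until our tag answers
            line = _read_line(sock)
            if line.startswith(b"a001 "):
                break
        if not line.startswith(b"a001 OK"):
            return "unexpected"                   # STARTTLS refused or not offered
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except ConnectionResetError:
            reply = b""                           # hard close counts as a rejection
        return classify_server_response(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"  # placeholder host
    print(target, probe_imap_starttls(target))
```

Run it as `python3 probe.py mail.example.org`; a correctly hardened server answers "rejected" (alert or close), while "sslv3_accepted" means the cipher list or protocol settings still allow SSLv3 and the fix has not taken effect. Because this is a protocol-version test rather than a cipher-suite test, it does not suffer from the side effect noted above: it tells you about SSLv3 alone, without also reporting TLSv1.0/1.1 as broken.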
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus