Hi,

Two patches for merging.... Thanks for the great work on cyrus imapd. I have just read various recommendations that we now should disable SSLv3 not just on HTTPS, as the POODLE attack demonstrates, but that we should expect to see exploits on other services as well, like IMAPS and POPS.
I saw that disabling SSLv2 and SSLv3 is in fact already available in the TLS code but not made available to the user, so I have written the attached patch to do just that using a configuration variable named "tls_tlsonly". It is still false by default, so the patch should change nothing for users who still want to use the old protocols, and it may stay that way until an actual IMAPS attack is proven.
Also I am including a cleaned up version of Chris Panayis' old patch for adding tls_ec for Perfect Forward Secrecy:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html

Using PFS is also a security recommendation we should follow. The default is set to prime256v1, just as sendmail and apache do.
The patches are made against cyrus-imap-2.4.17, but they also patch cleanly against the tip of the cyrus-imapd git repository if the man-page patch is skipped.
PFS: https://scotthelme.co.uk/perfect-forward-secrecy/
POODLE: https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html and https://www.openssl.org/~bodo/ssl-poodle.pdf

Regards,
Kristian Kræmmer Nielsen, Odense, Denmark
Attachments: patch-tls_ec, patch-tls_tls_only (binary data)
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
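As an added illustration, not code from the mail or from Cyrus itself: a Python sketch of what the two options amount to on an OpenSSL-backed server context, with tls_tlsonly (off by default) gating SSLv2/SSLv3 and tls_ec (default prime256v1) selecting the curve for ephemeral ECDH. The imapd.conf-style parsing, the accepted boolean spellings and the sample config are assumptions.

```python
import ssl

# Boolean spellings accepted for a switch; an assumption about imapd.conf syntax.
_TRUE = {"1", "yes", "on", "true"}
_FALSE = {"0", "no", "off", "false"}

# Constructed imapd.conf fragment, not taken from any real deployment.
SAMPLE_CONF = """\
# TLS hardening after POODLE
tls_tlsonly: yes
tls_ec: prime256v1
"""


def parse_imapd_conf(text):
    """Parse 'key: value' lines (comments start with '#') into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def as_switch(value):
    """Interpret a config switch; reject anything that is not clearly yes/no."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean switch: {value!r}")


def build_server_context(conf):
    """Server SSLContext honouring tls_tlsonly and tls_ec as described in the mail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if as_switch(conf.get("tls_tlsonly", "no")):
        # Refuse SSLv2/SSLv3 handshakes outright; TLS versions stay enabled.
        # (OP_NO_SSLv2 is 0 on OpenSSL >= 1.1.0, where SSLv2 no longer exists.)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Named curve for ephemeral ECDH; an unknown name raises ValueError.
    ctx.set_ecdh_curve(conf.get("tls_ec", "prime256v1"))
    return ctx


def sslv3_refused(ctx):
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def tls12_refused(ctx):
    return bool(ctx.options & ssl.OP_NO_TLSv1_2)


def curve_is_known(name):
    """True if OpenSSL accepts the curve name for tls_ec, False otherwise."""
    try:
        build_server_context({"tls_ec": name})
        return True
    except ValueError:
        return False
```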