Hi Geoff,
I am basically not trying to take any stand on this. I just think it is time for the users to be able to disable the older protocols if they want to - as the old protocols are really no longer necessary for the wide majority of clients - and that is the main reasoning by my patches.
Notice that is also way I leave it false (changing nothing) by default in the patch.
For reference, you can see this for Ubuntu, they recommend total disabling SSLv3:
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
"Conclusion: disable SSLv3 for HTTPS now, disable SSLv3 for other services in your next service window."
So, hope my patches get merged soon :)
/Kristian
On Thu, 16 Oct 2014 11:34:21 +0200, Geoff Winkless <cyrus@xxxxxxxx> wrote:
Hi KristianFirstly, many thanks for your work :)Can you share the source for those recommendations? While I fully agree that using something that is shown to be vulnerable is not ideal I'd be interested to see how they think a similar attack to POODLE could be implemented for imap. As I posted to the info list, I've not seen anything that would suggest that IMAPS/SSLv3 is any less secure than it was 10 years ago.ThanksOn 16 October 2014 02:55, Kristian Kræmmer Nielsen <jkkn@xxxxxxx> wrote:Hi,
Two patches for merging....
Thanks for the great work on cyrus imapd.
I have just read various recommendations that we now should disable SSLv3 not just on HTTPS as POODLE-attack demonstrates but we should expect to see exploits on other services as well like IMAPS and POPS.
I saw that disabling SSLv2 and SSLv3 in fact is already available in the tls-code but not made available to the user so therefore I have written the attached patch to do just that using a configuration variable named "tls_tlsonly". It is still by default false, so the patch should change nothing for users that still want to use the old protocols and may stay that way until an actual imaps-attack is proven.
Also I am including a cleaned up version of Chris Panayis' old patch for adding tls_ec for Perfect Forward Secrecy:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2013-January/002729.html
Using PFS is also a security recommendation we should follow. The default is set to prime256v1 just as sendmail and apache does this.
The patches are made against cyrus-imap-2.4.17 - but they also cleanly patch against the tip of the git repository of cyrus-imapd if skipping the patch of the man-page.
PFS: https://scotthelme.co.uk/perfect-forward-secrecy/
POODLE: https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html and https://www.openssl.org/~bodo/ssl-poodle.pdf
Regards
Kristian Kræmmer Nielsen,
Odense, Denmark
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
