drown/SSL issue

I’m trying to figure out how to make my Cyrus install not susceptible to the DROWN issue.
I have tried limiting the ciphers to TLSv1.2 but haven’t had much success.

What should the tls_cipher_list be? Or is this an issue with SSL? (To fix this, do I need to patch the SSL libraries and rebuild SSL and Cyrus?)
From the imapd.conf file:
tls_cipher_list: TLSv1.2:!NULL:!aNULL:!eNULL:!EXPORT:!SSLv2

Thank you!

Other info:
nmap tells me I should be just fine:
nmap --script ssl-enum-ciphers -p T:993 127.0.0.1
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange parameters of lower strength than certificate key
|_  least strength: A

But the python scanner from https://drownattack.com/ says I still have an issue.

My version info:
name       : Cyrus IMAPD
version    : v2.4.17-Fedora-RPM-2.4.17-8.el7_1 d1df8aff 2012-12-01
vendor     : Project Cyrus
support-url: http://www.cyrusimap.org
os         : Linux
os-version : 3.10.0-327.10.1.el7.x86_64
environment: Built w/Cyrus SASL 2.1.26
             Running w/Cyrus SASL 2.1.26
             Built w/Berkeley DB 5.3.21: (May 11, 2012)
             Running w/Berkeley DB 5.3.21: (May 11, 2012)
             Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
             Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
             Built w/zlib 1.2.7
             Running w/zlib 1.2.7
             CMU Sieve 2.4
             TCP Wrappers
             NET-SNMP
             mmap = shared
             lock = fcntl
             nonblock = fcntl
             idle = idled
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
