On 17/10/2014 12:50, Sam Varshavchik wrote:
> Victor writes:
>> On Oct/17/14 2:10, Sam Varshavchik wrote:
>>> Oliver Mihatsch writes:
>>>
>>>> Behaviour when using the following variable (added !, added TLSv1_1):
>>>>
>>>> TLS_CIPHER_LIST="!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
>>>>
>>>> SSLv3 working, TLS 1.0 working, TLS 1.1 working, TLS 1.2 working (no changes to before)
>>>>
>>>> So results were not really what I was expecting. SSLv3 and TLS1/1.1 are somehow just an alias for each other.
>>>
>>> This weirdness is entirely OpenSSL's doing. This setting is passed directly to OpenSSL, with no further interpretation.
>>>
>>> Someone else already dug up the code change necessary to disable SSLv3. It appears that a small code change is required.
>>
>> There was a patch released for OpenSSL recently which included TLS_FALLBACK_SCSV support. Isn't upgrading enough in this case? Or is there still a need to reconfigure imapd?
>
> That depends on how it got implemented in OpenSSL. If it's a discrete option that an application must set, it obviously needs to be a code change.
Based on the original draft patch by Bodo Moeller, the TLS_FALLBACK_SCSV protection is enabled by default for SSL/TLS servers (such as imapd), but code changes are required for clients (such as imap-proxy and outgoing SMTP connections from the courier MTA). The patch includes the needed changes to the sample applications and the "openssl s_client" command line tool, to show how to do it. These samples may include debug options to turn off TLS_FALLBACK_SCSV, which should not be used in production code (such as courier).

> If it's enabled by default, and there are no resulting ABI changes, no recompilation is necessary.
>
> If it's enabled by default, and there are ABI changes, just a recompilation is needed.

For clients (see above), there are API (not just ABI) changes, requiring SSL/TLS client code to pass extra options to get the TLS_FALLBACK_SCSV protection feature. At least that is how it was in the original patch posted to the openssl mailing lists.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
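An added illustration, written for this page and not taken from the thread, from Courier or from OpenSSL, of the distinction the discussion turns on. It uses Python's ssl module against whatever OpenSSL it is linked with: a TLS_CIPHER_LIST-style string goes to SSL_CTX_set_cipher_list and selects cipher suites only, so "!SSLv3" in it never disables the SSLv3 protocol; protocol versions are governed separately by the context's protocol floor (minimum_version, the modern form of the OP_NO_* options). The TLSv1_2 floor is this example's own assumption, reflecting current practice rather than the TLS 1.0-and-up goal of the 2014 thread. Python's ssl does not expose the client-side SSL_MODE_SEND_FALLBACK_SCSV mode Jakob refers to for imap-proxy, so that half of the discussion is not shown here.

```python
import ssl

# Constructed copy of the cipher string quoted in the thread (kept only to
# show what it does and does not control; not a recommended setting).
THREAD_CIPHER_LIST = "!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"


def new_server_context():
    """A server-side context, the kind an imapd-style daemon would build."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def apply_cipher_list(ctx, cipher_list):
    """Install a cipher list and report whether any protocol setting moved.

    OpenSSL keeps protocol-version restrictions in the context options and
    in the min/max protocol version; the cipher list never touches them.
    '!SSLv3' inside the string only drops cipher suites carrying that alias,
    which is why the thread saw SSLv3 handshakes still succeeding.
    """
    options_before = ctx.options
    floor_before = ctx.minimum_version
    try:
        ctx.set_ciphers(cipher_list)
        accepted = True
    except ssl.SSLError:
        # OpenSSL rejects a string only when no suite at all matched it;
        # unknown tokens such as 'TLSv1_1' are silently ignored.
        accepted = False
    return {
        "accepted": accepted,
        "suites": [c["name"] for c in ctx.get_ciphers()] if accepted else [],
        "protocol_options_changed": ctx.options != options_before,
        "protocol_floor_changed": ctx.minimum_version != floor_before,
    }


def set_protocol_floor(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Disable SSLv3 (and everything below `floor`) where OpenSSL honours it.

    This is the protocol-version setting the thread's 'code change' amounts
    to. TLSv1_2 as the default floor is this example's assumption (current
    practice); the 2014 thread aimed for TLS 1.0 and up.
    """
    ctx.minimum_version = floor
    return ctx.minimum_version


def sslv3_possible(ctx):
    """True if nothing in the context rules out an SSLv3 handshake."""
    floor = ctx.minimum_version
    if floor not in (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3):
        return False
    return not (ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    ctx = new_server_context()
    report = apply_cipher_list(ctx, THREAD_CIPHER_LIST)
    print("cipher list accepted:", report["accepted"])
    print("suites selected:", len(report["suites"]))
    print("protocol settings touched by set_ciphers:",
          report["protocol_options_changed"] or report["protocol_floor_changed"])
    print("floor after hardening:", set_protocol_floor(ctx).name)
    print("SSLv3 still possible:", sslv3_possible(ctx))
```

Which suites survive the string varies by OpenSSL release (the SSLv3 and TLSv1 aliases overlapped completely in 1.0.x, which is the alias effect Oliver observed), so the example asserts nothing about the resulting suite list, only that set_ciphers leaves the protocol settings untouched and that the protocol floor is what actually closes SSLv3.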
Courier-imap mailing list
Courier-imap@lists.sourceforge.net