On 20.03.2012 12:16, Lamprecht, Andreas wrote:
> Hi!
>  
> I'm new to this list and I could not find a way to search through the already 
> posted articles, so please forgive me if this subject has been discussed 
> before.
>  
> Our security scanner stumbled over the IMAPs server I've set up recently 
> using dovecot on a RedHat Enterprise 64bit Server.
> The security scanner found an error regarding a new SSL security leak named 
> "BEAST". The exact error number is CVE-2011-3389. Details can be found here: 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
> 
> "The internet" has some workarounds for this problem. For example, in Apache 
> webserver, you need to set
> 
>   SSLHonorCipherOrder On
> 
> in apache config. This results in the following C-Code being executed:
> 
>         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> 
> This setting tells OpenSSL not to honor the cipher order sent from the client, 
> but to prefer its own configured set of CipherSuites. According to Qualys SSL 
> Labs ( https://www.ssllabs.com/ssldb/index.html ), a webserver configured 
> with this setting is not affected by that BEAST security leak.
> 
> Is there a way to implement such a setting into Dovecot, too?
> 
> I have created a very quick and dirty solution to avoid being listed on our 
> internal security problems list.
> This patch is for dovecot 2.0.9 which is included in Redhat Enterprise Linux 
> 6.2:
> 
> *** src/login-common/ssl-proxy-openssl.c        2010-12-30 10:42:54.000000000 
> +0100
> --- src/login-common/ssl-proxy-openssl.c_1      2012-03-20 09:48:28.359508087 
> +0100
> ***************
> *** 924,930 ****
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
> --- 924,930 ----
>         X509_STORE *store;
>         STACK_OF(X509_NAME) *xnames = NULL;
> 
> !       SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | 
> SSL_OP_CIPHER_SERVER_PREFERENCE );
>         if (*set->ssl_ca != '\0') {
>                 /* set trusted CA certs */
>                 store = SSL_CTX_get_cert_store(ssl_ctx);
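Review bot: the `!` line ORs `SSL_OP_CIPHER_SERVER_PREFERENCE` into the options unconditionally, so there is no way to turn the behaviour off; since this code already reads a settings struct (`set->ssl_ca` two lines below), the flag should be gated on a new boolean setting rather than hard-coded. Also note that server preference only changes which suite wins when the client's and the server's orderings differ: the hunk does not touch the cipher list itself, so the BEAST mitigation depends entirely on the administrator putting non-CBC suites first in Dovecot's configured cipher list, which is worth stating next to the new setting.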
> 
> 
> Of course there should be a way to switch this setting on or off, but my C 
> programming skills are rather basic ...
> 
> So, maybe you have the time to look over it and implement a final solution 
> for the BEAST problem.
> 
> Greetings
> Andreas Lamprecht
> 

Perhaps look at

http://wiki2.dovecot.org/SSL/DovecotConfiguration

-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria
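
The quoted post describes what SSL_OP_CIPHER_SERVER_PREFERENCE changes: which side's cipher ordering decides the negotiated suite. The following Python is an added example and is not code from this thread, from Dovecot or from Apache. It models that selection rule on two constructed preference lists (the suite names are real OpenSSL names, the orderings are invented), flags whether the winning suite is a CBC-mode suite (the mode BEAST targets under TLS 1.0), and then sets the same option on a real server-side context through Python's ssl module, which wraps the SSL_CTX_set_options call shown in the patch. The cipher string passed at the end is chosen so that current OpenSSL builds, which no longer ship RC4 by default, accept it; it is not a recommended configuration. The 2012-era workaround of preferring RC4 is itself obsolete, since RC4 has since been broken; the durable fix for BEAST is TLS 1.1 or later with AEAD suites, and server preference remains useful only as a way to make the server's ordering, not the client's, authoritative.

```python
import ssl

# Constructed preference lists (highest priority first). Suite names are real
# OpenSSL names; the orderings are invented for this demonstration. A 2012-era
# client typically listed CBC suites first; the BEAST workaround of the time
# was to have the server push a stream cipher (RC4-SHA) ahead of them.
CLIENT_PREFERENCE = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]
SERVER_PREFERENCE = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"]

# Name fragments of suites that do not run their cipher in CBC mode
# (stream cipher or AEAD). Everything else in the lists above is CBC.
NON_CBC_MARKERS = ("RC4", "GCM", "CHACHA20", "CCM")


def select_cipher(client_order, server_order, server_preference):
    """Model of the rule SSL_OP_CIPHER_SERVER_PREFERENCE toggles: walk the
    preferred side's list in order and return the first suite the other side
    also offers, or None when the two sides share no suite."""
    if server_preference:
        preferred, other = server_order, client_order
    else:
        preferred, other = client_order, server_order
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite
    return None


def uses_cbc(suite):
    """True when the suite runs its cipher in CBC mode (heuristic on OpenSSL's
    naming: stream and AEAD suites carry one of NON_CBC_MARKERS)."""
    return not any(marker in suite for marker in NON_CBC_MARKERS)


def negotiation_outcome(server_preference):
    """Return (chosen suite, whether it is CBC) for the constructed lists."""
    chosen = select_cipher(CLIENT_PREFERENCE, SERVER_PREFERENCE, server_preference)
    return chosen, uses_cbc(chosen)


def server_context_with_preference(cipher_list):
    """Configure a server-side SSLContext the way the patch configures OpenSSL:
    OR SSL_OP_CIPHER_SERVER_PREFERENCE into the context options, then install
    the server's own ordered cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_list)
    return ctx


def has_server_preference(ctx):
    """What a configuration audit checks: is the option actually set?"""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    for pref in (False, True):
        suite, cbc = negotiation_outcome(pref)
        print(f"server preference {'on ' if pref else 'off'}: {suite} (CBC: {cbc})")
    # GCM-only string so that modern OpenSSL accepts it; see the lead-in.
    ctx = server_context_with_preference(
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384")
    print("option set:", has_server_preference(ctx))
```

Run stand-alone it prints the suite chosen with the option off (the client's first choice, a CBC suite) and on (the server's first choice), followed by the audit check on the real context. The modeled rule is the point of the example: the option does nothing by itself, so an administrator who turns it on must also review the server's own cipher ordering.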
